Tech Support Forum, Security Center: Resolved HJT Threads (resolved spyware and popup issues)

#1 - 08-30-2006, 03:32 PM - hex_offender (Registered User; Join Date: Aug 2006; Posts: 8; OS: Windows XP Pro)

Spyware infection - SpySheriff? Please help!

Hey,

I'm cleaning out a friend's laptop for them. It's full of malware - I've already deleted half a ton of stuff with Adaware and Spybot S&D from safe mode, but there's some very pervasive, nasty stuff left. I think it's SpySheriff.

Other symptoms:

Norton antivirus appears to be installed on the machine, but it closes on start up, and also doesn't show up on the add/remove programs dialogue. I'd like to be able to uninstall it so I can install Avast! instead (I hate how Norton embeds itself so deeply in the system).

Certain explorer windows close immediately upon opening. These include the Program Files folder for Norton, and a folder on a flash drive that had a lot of anti-spyware stuff in it.

The internet connection on the laptop seems fairly borked - it works intermittently, I think because some spyware (perhaps SpySheriff) is re-downloading itself aggressively whenever a connection is present.

I've also installed the MVPS HOSTS file. [ http://www.mvps.org/winhelp2002/hosts.htm ]

Please take a look at my log, any help very much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 22:17:47, on 30/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\lssc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\sucker.exe
C:\WINDOWS\System32\sucker.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\stonedrv.exe
C:\windows\system32\taskmgn.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\msijavaup32.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe msijavaup32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\System32\36.tmp
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: (no name) - {79DF81E3-60C0-4043-A574-30DF1E322F9B} - C:\WINDOWS\System32\byxuu.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [chj7ccaf] RUNDLL32.EXE w0082bf4.dll,n 0037ccac0000000a0082bf4
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_13.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_13.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows MS Update 32] sucker.exe
O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [Windows MS Update 32] sucker.exe
O4 - HKLM\..\RunOnce: [Windows MS Update 32] sucker.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Windows MS Update 32] sucker.exe
O4 - HKCU\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O4 - HKCU\..\RunOnce: [Windows MS Update 32] sucker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...1/axofupld.cab
O20 - Winlogon Notify: 36 - C:\WINDOWS\System32\36.tmp
O20 - Winlogon Notify: byxuu - C:\WINDOWS\SYSTEM32\byxuu.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ohfox32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Location Manager - Unknown owner - C:\WINDOWS\system32\lssc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#2 - 08-30-2006, 09:08 PM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479)

Use this guide to uninstall Norton: http://basconotw.mvps.org/SymRem.htm

You have a lot of bots in your log. I recommend that you consider this other program. http://www.activevirusshield.com/ant...eeav/index.adp

Install that but take note of this ...



Have it do a round of cleaning from Safe Mode & then post a fresh HJT log
__________________

Question - what have you done for the community today?
#3 - 09-01-2006, 08:30 AM - hex_offender (Registered User; Join Date: Aug 2006; Posts: 8; OS: Windows XP Pro)

Hi,

Thanks for the recommendation, that seems a robust and effective program; it deleted a lot of stuff. Since my first post I've run a few other scans I managed to get working and cleared out a lot of junk. Here's the fresh log:

Logfile of HijackThis v1.99.1
Scan saved at 15:26:54, on 01/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Active Virus Shield\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Active Virus Shield\avp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\System32\36.tmp (file missing)
O2 - BHO: (no name) - {79DF81E3-60C0-4043-A574-30DF1E322F9B} - C:\WINDOWS\System32\yabya.dll
O2 - BHO: (no name) - {E047758D-8A8E-4D70-A895-864461244D20} - C:\WINDOWS\System32\sstrs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [aol] "C:\Program Files\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O4 - HKCU\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: 36 - C:\WINDOWS\System32\36.tmp (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ohfox32.dll (file missing)
O20 - Winlogon Notify: sstrs - C:\WINDOWS\System32\sstrs.dll (file missing)
O20 - Winlogon Notify: yabya - C:\WINDOWS\SYSTEM32\yabya.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\Active Virus Shield\avp.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#4 - 09-01-2006, 10:55 AM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479)


Do a HijackThis scan & place a check next to these items and select "Fix checked":

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\System32\36.tmp (file missing)
O2 - BHO: (no name) - {79DF81E3-60C0-4043-A574-30DF1E322F9B} - C:\WINDOWS\System32\yabya.dll
O2 - BHO: (no name) - {E047758D-8A8E-4D70-A895-864461244D20} - C:\WINDOWS\System32\sstrs.dll (file missing)
O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O4 - HKCU\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O20 - Winlogon Notify: 36 - C:\WINDOWS\System32\36.tmp (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ohfox32.dll (file missing)
O20 - Winlogon Notify: sstrs - C:\WINDOWS\System32\sstrs.dll (file missing)
O20 - Winlogon Notify: yabya - C:\WINDOWS\SYSTEM32\yabya.dll



* * * * * *


1. Download this file using either of these links

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to Start → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /v yabya
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
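The list in post #4 is not arbitrary: every ticked line matches one of a few rules an HJT analyst applies by eye (a Shell or UserInit value that chain-loads a second binary, a BHO with no name or no file, anything under the Win9x-only RunServices key, a Winlogon Notify package that is not known, an orphaned service). The script below is an added example, not part of the thread and not a component of HijackThis or ComboFix; it writes those rules down and runs them over a constructed subset of the log from post #3 (plus the two F2 lines from post #1). The KNOWN_NOTIFY allowlist, the choice of which rules are "fix" versus "review", and the sample lines are this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log and reproduce the analyst's "Fix checked" list.

Rules, in HijackThis section order:
  F2  Shell/UserInit that chain-load anything besides the stock binary
  O2  Browser Helper Objects with no name or a missing file
  O4  anything under RunServices (a Win9x-only key that XP never executes,
      so only droppers written for every Windows version populate it)
  O20 Winlogon Notify packages not on the allowlist below
  O23 orphaned services (unknown owner, image gone) -> review, not fix
"""
import re

# Constructed sample: lines copied from the logs in the thread (post #3, plus
# the two F2 lines from post #1), not the complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe msijavaup32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\System32\36.tmp (file missing)
O2 - BHO: (no name) - {79DF81E3-60C0-4043-A574-30DF1E322F9B} - C:\WINDOWS\System32\yabya.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [aol] "C:\Program Files\Active Virus Shield\avp.exe"
O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
O20 - Winlogon Notify: 36 - C:\WINDOWS\System32\36.tmp (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: yabya - C:\WINDOWS\SYSTEM32\yabya.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\Active Virus Shield\avp.exe
"""

# Assumption: HijackThis 1.99 already hides the stock Windows notify packages,
# so the allowlist only needs third-party ones you recognise. klogon.dll is
# the Kaspersky engine that Active Virus Shield installed. Tune per machine.
KNOWN_NOTIFY = {"klogon"}

# What the two system.ini keys must contain on a clean XP box.
STOCK = {"shell": "explorer.exe", "userinit": "userinit.exe"}

F2_RE = re.compile(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)")
O20_RE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)")


def _basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Return (severity, reason) for a suspicious log line, else None."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    if kind == "F2":
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            # Stock values never contain spaces, so splitting on commas and
            # whitespace is safe here; every extra token is a chained loader.
            extra = [t for t in re.split(r"[,\s]+", value)
                     if t and _basename(t) != STOCK[key]]
            if extra:
                return "fix", f"{key} chain-loads {', '.join(extra)}"
    elif kind == "O2":
        if "(no name)" in line or "(file missing)" in line:
            return "fix", "BHO with no name or no file behind it"
    elif kind == "O4":
        if "RunServices" in line:
            return "fix", "RunServices entry (Win9x key, never run by XP)"
    elif kind == "O20":
        m = O20_RE.match(line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            return "fix", "Winlogon Notify package not on the allowlist"
    elif kind == "O23":
        if "Unknown owner" in line and "(file missing)" in line:
            return "review", "orphaned service; uninstall or delete the key"
    return None


def triage(log_text):
    """All findings as (severity, reason, line), in log order."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((result[0], result[1], line.strip()))
    return findings


def fix_list(log_text):
    """The lines you would tick before pressing 'Fix checked'."""
    return [line for sev, _, line in triage(log_text) if sev == "fix"]


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

On the sample the "fix" set comes out as the two F2 lines, both BHOs, both RunServices values and the two unknown Winlogon Notify DLLs, while klogon.dll and the Active Virus Shield service pass and the dead LiveUpdate service is only marked for review, which is the same split sUBs made by hand. Note that HijackThis can unhook a Winlogon Notify entry but the DLL itself stays on disk, which is why the next post reaches for ComboFix.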
#5 - 09-01-2006, 10:55 AM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479)


Quote:
IMPORTANT!:


Before we can proceed any further, please visit http://v4.windowsupdate.microsoft.com/default.asp and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.


**Note** If you're having trouble locating the service pack SP1a, here is a direct link to download it from:

http://download.microsoft.com/downlo...p1a_en_x86.exe



Thank you for your cooperation.
#6 - 09-01-2006, 02:45 PM - hex_offender (Registered User; Join Date: Aug 2006; Posts: 8; OS: Windows XP Pro)

Thanks for your continued help.

Unfortunately, I had installed SP2 prior to reading your last post, without really thinking, in the process of installing security updates to Windows.

I realise my error but hope that is not too serious an issue.

Here are the logs:

Katie - 06-09-01 21:36:49.45
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Katie\desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\/yabya.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\/yabya.dll

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Deskbar
C:\Program Files\Common Files\{246A1103-07C9-2057-0109-03060302002c}


((((((((((((((((((((((((((((((( Files Created from 2006-08-01 to 2006-09-01 ))))))))))))))))))))))))))))))))))


2006-09-01 20:21 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-01 20:06 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-01 18:09 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-01 17:17 26,112 --a------ C:\WINDOWS\system32\vdmdbg.dll
2006-09-01 17:17 13,312 --a------ C:\WINDOWS\system32\ntvdmd.dll
2006-09-01 17:16 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-01 17:16 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-01 17:14 33,792 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-09-01 17:13 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-09-01 17:13 614,429 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-09-01 17:13 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-09-01 17:13 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-09-01 17:13 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-09-01 17:13 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-09-01 17:13 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-09-01 17:13 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-09-01 17:13 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-09-01 17:13 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-09-01 17:13 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-09-01 17:13 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-09-01 17:13 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-09-01 17:13 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-09-01 17:13 134,144 --a------ C:\WINDOWS\system32\itss.dll
2006-09-01 17:13 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-09-01 17:09 337,920 --a------ C:\WINDOWS\system32\zipfldr.dll
2006-09-01 17:08 39,424 --a------ C:\WINDOWS\system32\grpconv.exe
2006-09-01 17:08 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-01 17:07 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2006-09-01 17:06 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-09-01 17:06 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-09-01 17:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-01 17:06 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-09-01 17:06 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-09-01 17:06 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-09-01 17:06 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-09-01 17:06 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-09-01 17:06 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-09-01 17:06 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-09-01 17:06 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-09-01 17:06 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-09-01 17:06 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-09-01 17:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-09-01 17:05 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-09-01 16:10 874,023 ---hs---- C:\WINDOWS\system32\nmppo.ini2
2006-09-01 16:01 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-01 16:01 90,112 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-01 16:01 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-01 16:01 628,224 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-01 16:01 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-01 16:01 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-01 16:01 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-01 16:01 425,472 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-01 16:01 395,776 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-01 16:01 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-01 16:01 229,888 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-01 16:01 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-01 16:01 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-01 16:01 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-01 16:01 1,281,536 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-01 16:01 1,251,840 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-01 16:00 871,314 ---hs---- C:\WINDOWS\system32\nmppo.bak1
2006-09-01 16:00 77,312 --a------ C:\WINDOWS\system32\browser.dll
2006-09-01 11:15 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-08-31 17:53 3,091 ---hs---- C:\WINDOWS\system32\srtss.ini2
2006-08-31 00:37 40,973 --------- C:\WINDOWS\system32\yabya.dll
2006-08-30 22:36 40,973 --a------ C:\WINDOWS\system32\cbaby.dll
2006-08-30 22:11 40,973 --a------ C:\WINDOWS\system32\vturo.dll
2006-08-30 21:02 40,973 --a------ C:\WINDOWS\system32\wvwus.dll
2006-08-30 17:43 91,352 --a------ C:\WINDOWS\system32\wcrt32.exe
2006-08-30 17:43 70,360 --a------ C:\WINDOWS\system32\ipv6mons.dll
2006-08-30 17:42 40,973 --a------ C:\WINDOWS\system32\byxuu.dll
2006-08-24 17:53 61,952 --a------ C:\WINDOWS\system32\chj7ccaf.dll
2006-08-24 17:53 1,233 --a------ C:\WINDOWS\system32\chj7ccaf.sys
2006-08-22 16:49 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2006-08-17 19:03 58,368 --a------ C:\WINDOWS\hgghge.exe
2006-08-17 10:02 286,060 --a------ C:\WINDOWS\vtrspn.exe
2006-08-16 18:26 311,296 --a------ C:\WINDOWS\ljiiij.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-01 16:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-01 15:54 -------- d-------- C:\Documents and Settings\Katie\Application Data\vlc
2006-09-01 15:52 -------- d-------- C:\Documents and Settings\Katie\Application Data\dvdcss
2006-09-01 15:45 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-01 15:44 -------- d-------- C:\Documents and Settings\Katie\Application Data\Sun
2006-09-01 15:41 -------- d-------- C:\Program Files\Java
2006-08-31 19:13 -------- d-------- C:\Program Files\Active Virus Shield
2006-08-31 01:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-30 23:26 -------- d-------- C:\Program Files\Avast4
2006-08-30 22:38 -------- d-------- C:\Documents and Settings\Katie\Application Data\Mozilla
2006-08-30 16:14 -------- d-------- C:\Program Files\Alwil Software
2006-08-30 16:02 -------- d-------- C:\Program Files\Ad-Aware SE Personal


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /installquiet"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TFNF5"="TFNF5.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"POINTER"="point32.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TFncKy"="TFncKy.exe /Type 20"
"aol"="\"C:\\Program Files\\Active Virus Shield\\avp.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"1"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MS Update 32"="sucker.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows MS Update 32"="sucker.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows XP & NT"="javanet.exe"
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"Ms Java for Windows NT"="msijavaup32.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MS Update 32"="sucker.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Windows MS Update 32"="sucker.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows XP & NT"="javanet.exe"
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"Ms Java for Windows NT"="msijavaup32.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\chj7ccaf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0082bf4.dll,n 0037ccac0000000a0082bf4"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Symantec Core LC"=dword:00000002




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060901-213345-601
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ohfox32.dll (file missing)
backup-20060901-213343-729
O20 - Winlogon Notify: 36 - C:\WINDOWS\System32\36.tmp (file missing)
backup-20060901-213345-247
O20 - Winlogon Notify: sstrs - C:\WINDOWS\System32\sstrs.dll (file missing)
backup-20060901-213343-975
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
backup-20060901-213343-513
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
backup-20060901-213343-844
O4 - HKCU\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
backup-20060901-213343-645
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msijavaup32.exe
backup-20060901-213343-378
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
backup-20060901-213343-821
O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
backup-20060901-213343-611
O2 - BHO: (no name) - {E047758D-8A8E-4D70-A895-864461244D20} - C:\WINDOWS\System32\sstrs.dll (file missing)
backup-20060901-213343-832
O2 - BHO: (no name) - {24BFE5E7-70F8-4686-86BE-9F48511B2A11} - C:\WINDOWS\System32\oppmn.dll (file missing)
backup-20060901-213343-259
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
backup-20060901-161911-834
O2 - BHO: (no name) - {24BFE5E7-70F8-4686-86BE-9F48511B2A11} - C:\WINDOWS\System32\oppmn.dll
backup-20060901-161911-285
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\System32\36.tmp (file missing)
backup-20060830-230701-426
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20060830-230701-757
O4 - HKCU\..\RunOnce: [Windows MS Update 32] sucker.exe
backup-20060830-230701-558
O4 - HKCU\..\Run: [Windows MS Update 32] sucker.exe
backup-20060830-230701-291
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
backup-20060830-230701-469
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
backup-20060830-230701-654
O4 - HKLM\..\RunOnce: [Windows MS Update 32] sucker.exe
backup-20060830-230701-259
O4 - HKLM\..\RunServices: [Windows MS Update 32] sucker.exe
backup-20060830-230701-479
O4 - HKLM\..\Run: [Windows MS Update 32] sucker.exe
backup-20060830-230701-562
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

Completion time: 01/09/2006 21:39:27.19
ComboFix.txt


Logfile of HijackThis v1.99.1
Scan saved at 21:41:56, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Active Virus Shield\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Active Virus Shield\avp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [aol] "C:\Program Files\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\Active Virus Shield\avp.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
hex_offender is offline  
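Worked example, added here and not part of the thread or of ComboFix/HijackThis: a short Python script that reads the "Reg Loading Points" section of a ComboFix log and flags the persistence tells visible in the log above. Those are the policies\explorer\Run value launching a svchost.exe that lives in C:\WINDOWS instead of system32, the Run and RunServices values under HKEY_USERS\.DEFAULT and S-1-5-18 (the SYSTEM profile, so they fire before anyone logs on) that carry Microsoft/Java-styled names but launch bare filenames, and a Userinit value with a second executable appended, as in the HJT backup line "F2 - REG:system.ini: UserInit=...,msijavaup32.exe". The rules, the lookalike word list and the Winlogon/Userinit sample value are this example's own assumptions; the other SAMPLE entries are copied from the posted log.

```python
"""Added example: triage ComboFix "Reg Loading Points" output for the
persistence tells visible in the log above. The rules are this example's own
heuristics (not ComboFix or HijackThis logic); SAMPLE copies entries from the
posted log plus one constructed Winlogon / Userinit value built from the HJT
backup line F2 in the same post."""
import re
from dataclasses import dataclass

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /installquiet"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"1"="C:\\WINDOWS\\svchost.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MS Update 32"="sucker.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows XP & NT"="javanet.exe"
"Ms Java for Windows NT"="msijavaup32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,msijavaup32.exe"
'''

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
# First executable-looking token of the command, with or without quotes.
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.I)
# Hives that belong to the SYSTEM / default profile, not to a logged-on user.
SYSTEM_HIVES = ('HKEY_USERS\\.DEFAULT\\', 'HKEY_USERS\\S-1-5-18\\')
AUTOSTART_TAILS = {'run', 'runonce', 'runservices'}
# Assumption: words malware likes to put in value names to look official.
LOOKALIKE_RE = re.compile(r'\b(microsoft|ms|windows|java|update)\b', re.I)


@dataclass
class Autorun:
    key: str
    name: str
    command: str
    image: str


def parse(text):
    """Yield one Autorun per string value found under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        command = re.sub(r'\\(.)', r'\1', m.group('data'))  # undo .reg escaping
        im = IMAGE_RE.match(command)
        image = im.group('image') if im else command.strip('"')
        yield Autorun(key, m.group('name'), command, image)


def assess(a):
    """Return the reasons this entry deserves a look (empty list = quiet)."""
    reasons = []
    key_l = a.key.lower()
    tail = key_l.rsplit('\\', 1)[-1]
    image_name = a.image.rsplit('\\', 1)[-1].lower()
    qualified = '\\' in a.image          # full path vs. bare filename
    if '\\policies\\explorer\\run' in key_l:
        reasons.append('policy Run key, rarely used by legitimate installers')
    if a.key.upper().startswith(SYSTEM_HIVES) and tail in AUTOSTART_TAILS:
        reasons.append('autostart in the .DEFAULT/SYSTEM profile hive (runs with no user logged on)')
    if tail == 'runservices':
        reasons.append('RunServices is a Win9x key that XP itself does not process')
    if image_name == 'svchost.exe' and 'system32' not in a.image.lower():
        reasons.append('svchost.exe outside %SystemRoot%\\system32')
    if not qualified and LOOKALIKE_RE.search(a.name):
        reasons.append('Microsoft/Java-styled name launching an unqualified filename')
    if a.name.lower() == 'userinit':
        extra = [p.strip() for p in a.command.split(',')[1:] if p.strip()]
        if extra:
            reasons.append('extra Userinit executable(s): ' + ', '.join(extra))
    return reasons


def triage(text):
    """Parsed entries that collected at least one reason, in log order."""
    return [(a, r) for a in parse(text) for r in [assess(a)] if r]


if __name__ == '__main__':
    for a, reasons in triage(SAMPLE):
        print(f'{a.key}\n  [{a.name}] = {a.command}')
        for r in reasons:
            print('   -', r)
```

Run on the sample it prints five flagged entries with their reasons and stays quiet on the OEM and Java values. The bare-filename rule is deliberately not a finding on its own, because legitimate OEM entries such as nwiz.exe and TPWRTRAY.EXE are also registered without a path; it only fires together with a lookalike name.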
Old 09-01-2006, 03:01 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,479
OS: N/A


Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
C:\WINDOWS\system32\drivers\tmcomm.sys
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


=========


Download the file attached - http://www.techsupportforum.com/atta...1&d=1157145816
Double-click the file within & it shall produce a log for you to post back here


=========


Download gmer from http://www.gmer.net & extract the contents to desktop
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say NO.
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the Autostart tab then the scan button. Once it's done click the Copy button and paste it into a new notepad document. Save that document to your desktop please.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 09-04-2006 at 12:38 AM.
sUBs is offline  
Old 09-02-2006, 04:03 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 8
OS: Windows XP Pro


That file has been submitted. Here is the first log:

C:\WINDOWS\system32\byxuu.dll .......... present
C:\WINDOWS\system32\byxuu.dll .......... deleted
C:\WINDOWS\system32\chj7ccaf.dll .......... present
C:\WINDOWS\system32\chj7ccaf.dll .......... deleted
C:\WINDOWS\system32\chj7ccaf.sys .......... present
C:\WINDOWS\system32\chj7ccaf.sys .......... deleted
C:\WINDOWS\system32\SVKP.sys .......... present
C:\WINDOWS\system32\SVKP.sys .......... deleted
C:\WINDOWS\hgghge.exe .......... present
C:\WINDOWS\hgghge.exe .......... deleted
C:\WINDOWS\vtrspn.exe .......... present
C:\WINDOWS\vtrspn.exe .......... deleted
C:\WINDOWS\ljiiij.dll .......... present
C:\WINDOWS\ljiiij.dll .......... deleted
C:\WINDOWS\system32\srrstr.dll .......... present
C:\WINDOWS\system32\srrstr.dll .......... deleted
C:\WINDOWS\system32\srtss.ini2 .......... present
C:\WINDOWS\system32\srtss.ini2 .......... deleted
C:\WINDOWS\system32\yabya.dll .......... present
C:\WINDOWS\system32\yabya.dll .......... deleted
C:\WINDOWS\system32\cbaby.dll .......... present
C:\WINDOWS\system32\cbaby.dll .......... deleted
C:\WINDOWS\system32\vturo.dll .......... present
C:\WINDOWS\system32\vturo.dll .......... deleted
C:\WINDOWS\system32\wvwus.dll .......... present
C:\WINDOWS\system32\wvwus.dll .......... deleted
C:\WINDOWS\system32\wcrt32.exe .......... present
C:\WINDOWS\system32\wcrt32.exe .......... deleted
C:\WINDOWS\system32\ipv6mons.dll .......... present
C:\WINDOWS\system32\ipv6mons.dll .......... deleted
C:\WINDOWS\system32\nmppo.bak1 .......... present
C:\WINDOWS\system32\nmppo.bak1 .......... deleted
C:\WINDOWS\system32\nmppo.ini2 .......... present
C:\WINDOWS\system32\nmppo.ini2 .......... deleted


Apologies, I'm not sure if you wanted the two logs from gmer, but I'll post them here just in case.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-02 10:58:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDuplicateObject
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[296]

---- EOF - GMER 1.0.10 ----

-------------------------------------------------------------------

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-02 10:59:35
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon@DLLName = C:\WINDOWS\System32\klogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" /*file not found*/
AVP /*Active Virus Shield*/@ = C:\Program Files\Active Virus Shield\avp.exe -r /*file not found*/
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Program Files\ewido anti-spyware 4.0\guard.exe
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\System32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nwiznwiz.exe /installquiet = nwiz.exe /installquiet
@00THotkeyC:\WINDOWS\System32\00THotkey.exe = C:\WINDOWS\System32\00THotkey.exe
@000StTHK000StTHK.exe = 000StTHK.exe
@TpwrtrayTPWRTRAY.EXE = TPWRTRAY.EXE
@TosHKCW.exe"C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" = "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
@TFNF5TFNF5.exe = TFNF5.exe
@ApointC:\Program Files\Apoint2K\Apoint.exe = C:\Program Files\Apoint2K\Apoint.exe
@TouchEDC:\Program Files\TOSHIBA\TouchED\TouchED.Exe = C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
@POINTERpoint32.exe /*file not found*/ = point32.exe /*file not found*/
@AdaptecDirectCD"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
@DSLSTATEXEC:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon /*file not found*/ = C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon /*file not found*/
@DSLAGENTEXEC:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe = C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@TFncKyTFncKy.exe /Type 20 /*file not found*/ = TFncKy.exe /Type 20 /*file not found*/
@aol"C:\Program Files\Active Virus Shield\avp.exe" = "C:\Program Files\Active Virus Shield\avp.exe"
@NvCplDaemonRUNDLL32.EXE NvQTwk,NvCplDaemon initialize = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
@SunJavaUpdateSchedC:\Program Files\Java\jre1.5.0_06\bin\jusched.exe = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{C4213067-97B3-4929-9B98-B5600FBBBA13} /*TouchED*/C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll = C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll
@{8e9d6600-f84a-11ce-8daa-00aa004a5691} /*Shell extensions for NetWare*/nwprovau.dll = nwprovau.dll
@{e3f2bac0-099f-11cf-8daa-00aa004a5691} /*Shell extensions for NetWare*/nwprovau.dll = nwprovau.dll
@{52c68510-09a0-11cf-8daa-00aa004a5691} /*Shell extensions for NetWare*/nwprovau.dll = nwprovau.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{00D3304F-652F-435A-BF44-97420B3C216D} /**/C:\WINDOWS\system32\ohfox32.dll /*file not found*/ = C:\WINDOWS\system32\ohfox32.dll /*file not found*/
@{AA5815A8-AF7B-43EA-85AB-936F6D623C2C} /**/C:\WINDOWS\system32\wkploc.dll /*file not found*/ = C:\WINDOWS\system32\wkploc.dll /*file not found*/
@{0F1C4F78-F21E-4A40-8D6C-BCDD4044ECEF} /**/C:\WINDOWS\system32\guard.tmp /*file not found*/ = C:\WINDOWS\system32\guard.tmp /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Active Virus Shield\shellex.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Active Virus Shield\shellex.dll
NetWareUNCMenu@{e3f2bac0-099f-11cf-8daa-00aa004a5691} = nwprovau.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssmypics.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Microsoft Office.lnk = Microsoft Office.lnk
BT Broadband Basic Help.lnk = BT Broadband Basic Help.lnk

---- EOF - GMER 1.0.10 ----

Thank you again for helping me.
hex_offender is offline  
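Added example, not from the thread or from gmer: a small Python script that attributes each SSDT line of a GMER system scan to the driver that installed the hook and flags modules that are not on an allowlist. In the log above every hook belongs to klif.sys/kl1.sys (the Kaspersky engine that ships inside AOL Active Virus Shield, listed as the AVP service in the HJT log) or to guard.sys (ewido anti-spyware 4.0), and the SSDT[284] to SSDT[296] entries are indices past the end of the native XP SP2 service table, i.e. services klif.sys appended rather than Windows services it replaced. The allowlist, the table size of 284, the list of hiding-capable services and the example.sys line are assumptions made for this example; the remaining SAMPLE lines are copied from the posted GMER log.

```python
"""Added example: attribute GMER "SSDT" hook lines to the driver that
installed them and flag anything not on a short allowlist. The allowlist, the
XP SP2 table size and the hiding-capable service list are assumptions; SAMPLE
copies lines from the posted log plus one constructed example.sys line that is
not in the log and exists only to exercise the flagging path."""
import re

SAMPLE = r'''
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[296]
SSDT \??\C:\WINDOWS\System32\drivers\example.sys ZwQueryDirectoryFile
'''

# Assumption: the security drivers expected on this particular box.
KNOWN_SECURITY_DRIVERS = {
    'klif.sys': 'Kaspersky engine / Active Virus Shield',
    'kl1.sys': 'Kaspersky engine / Active Virus Shield',
    'guard.sys': 'ewido anti-spyware 4.0',
}
XP_SP2_SSDT_ENTRIES = 284  # assumption: native KiServiceTable size on XP SP2
# Services a rootkit hooks to hide files, processes and registry keys.
HIDING_SERVICES = {'ZwQueryDirectoryFile', 'ZwQuerySystemInformation',
                   'ZwEnumerateKey', 'ZwEnumerateValueKey', 'ZwQueryDirectoryObject'}

LINE_RE = re.compile(r'^SSDT\s+(?P<module>.+?)\s+(?P<service>\S+)$')
INDEX_RE = re.compile(r'^SSDT\[(\d+)\]$')


def parse_hooks(text):
    """Yield (driver basename, module path as logged, service) per SSDT line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m.group('module')
            yield path.rsplit('\\', 1)[-1].lower(), path, m.group('service')


def summarize(text):
    """Group hooks by driver: {name: {path, owner, services, appended}}."""
    out = {}
    for name, path, service in parse_hooks(text):
        e = out.setdefault(name, {'path': path, 'owner': KNOWN_SECURITY_DRIVERS.get(name),
                                  'services': [], 'appended': []})
        m = INDEX_RE.match(service)
        if m and int(m.group(1)) >= XP_SP2_SSDT_ENTRIES:
            e['appended'].append(int(m.group(1)))   # slot added past the table
        else:
            e['services'].append(service)            # a real Windows service replaced
    return out


def unknown_hookers(text):
    """Drivers hooking the SSDT that are not on the allowlist."""
    return sorted(n for n, e in summarize(text).items() if e['owner'] is None)


def findings(text):
    """Human-readable findings in the order the drivers first appear."""
    notes = []
    for name, e in summarize(text).items():
        hiding = sorted(set(e['services']) & HIDING_SERVICES)
        if e['owner'] is None:
            notes.append(f"{name}: not a known security driver, hooks {', '.join(e['services'])}")
        if hiding:
            notes.append(f"{name} ({e['owner'] or 'unknown'}): hooks hiding-capable {', '.join(hiding)}")
        if e['appended']:
            notes.append(f"{name}: {len(e['appended'])} entries past index {XP_SP2_SSDT_ENTRIES} "
                         "(services it added, not Windows services it replaced)")
    return notes


if __name__ == '__main__':
    for note in findings(SAMPLE):
        print(note)
```

On the log as posted, the only output would be the two klif.sys notes (it hooks ZwQuerySystemInformation, which is normal for an AV that monitors process creation, and it appends its own slots); the constructed example.sys line is what produces an "unknown driver" finding. An allowlist keyed on filename alone is deliberately weak: a practitioner would confirm the path and the file's signature before trusting a name like klif.sys, since the log itself shows how freely this malware borrows Microsoft and Java names.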
Old 09-02-2006, 04:22 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,479
OS: N/A


Please show me another combofix log
sUBs is offline  
Old 09-02-2006, 04:24 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,479
OS: N/A


tmcomm.sys is a legit file from Trend Micro. Do not delete it.
sUBs is offline  
Old 09-02-2006, 04:27 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 8
OS: Windows XP Pro


Katie - 06-09-02 11:24:09.74
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Katie\desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-02 to 2006-09-02 ))))))))))))))))))))))))))))))))))


2006-09-01 20:21 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-01 20:06 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-01 18:09 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-01 17:17 26,112 --a------ C:\WINDOWS\system32\vdmdbg.dll
2006-09-01 17:17 13,312 --a------ C:\WINDOWS\system32\ntvdmd.dll
2006-09-01 17:16 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-01 17:16 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-01 17:14 33,792 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-09-01 17:13 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-09-01 17:13 614,429 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-09-01 17:13 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-09-01 17:13 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-09-01 17:13 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-09-01 17:13 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-09-01 17:13 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-09-01 17:13 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-09-01 17:13 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-09-01 17:13 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-09-01 17:13 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-09-01 17:13 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-09-01 17:13 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-09-01 17:13 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-09-01 17:13 134,144 --a------ C:\WINDOWS\system32\itss.dll
2006-09-01 17:13 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-09-01 17:09 337,920 --a------ C:\WINDOWS\system32\zipfldr.dll
2006-09-01 17:08 39,424 --a------ C:\WINDOWS\system32\grpconv.exe
2006-09-01 17:08 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-01 17:07 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2006-09-01 17:06 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-09-01 17:06 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-09-01 17:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-01 17:06 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-09-01 17:06 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-09-01 17:06 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-09-01 17:06 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-09-01 17:06 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-09-01 17:06 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-09-01 17:06 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-09-01 17:06 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-09-01 17:06 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-09-01 17:06 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-09-01 17:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-09-01 17:05 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-09-01 16:01 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-01 16:01 90,112 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-01 16:01 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-01 16:01 628,224 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-01 16:01 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-01 16:01 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-01 16:01 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-01 16:01 425,472 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-01 16:01 395,776 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-01 16:01 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-01 16:01 229,888 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-01 16:01 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-01 16:01 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-01 16:01 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-01 16:01 1,281,536 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-01 16:01 1,251,840 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-01 16:00 77,312 --a------ C:\WINDOWS\system32\browser.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-01 16:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-01 15:54 -------- d-------- C:\Documents and Settings\Katie\Application Data\vlc
2006-09-01 15:52 -------- d-------- C:\Documents and Settings\Katie\Application Data\dvdcss
2006-09-01 15:45 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-01 15:44 -------- d-------- C:\Documents and Settings\Katie\Application Data\Sun
2006-09-01 15:41 -------- d-------- C:\Program Files\Java
2006-08-31 19:13 -------- d-------- C:\Program Files\Active Virus Shield
2006-08-31 01:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-30 23:26 -------- d-------- C:\Program Files\Avast4
2006-08-30 22:38 -------- d-------- C:\Documents and Settings\Katie\Application Data\Mozilla
2006-08-30 16:14 -------- d-------- C:\Program Files\Alwil Software
2006-08-30 16:02 -------- d-------- C:\Program Files\Ad-Aware SE Personal


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /installquiet"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TFNF5"="TFNF5.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"POINTER"="point32.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TFncKy"="TFncKy.exe /Type 20"
"aol"="\"C:\\Program Files\\Active Virus Shield\\avp.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Symantec Core LC"=dword:00000002



Completion time: 02/09/2006 11:25:06.19
ComboFix2.txt
ComboFix.txt
Old 09-02-2006, 04:31 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,479
OS: N/A


Download this file to Desktop - http://www.techsupportforum.com/sectools/AV_Fix.exe

Keep your internet connection active, as it may need to download additional files.

Double-click on Av_Fix.exe & it shall automatically reboot the machine.

A log shall be produced after the reboot. Please post that log & a fresh combofix log
Old 09-02-2006, 04:48 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 8
OS: Windows XP Pro


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjfaouwk

*******************

Script file located at: \??\C:\Program Files\jstjiuvs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\msguard not found!
Unload of driver msguard failed!

Could not process line:
msguard
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

--------------------------------------------------------------------

- 06-09-02 11:43:49.31
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Katie\desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-02 to 2006-09-02 ))))))))))))))))))))))))))))))))))


2006-09-02 11:00 69,036 --a------ C:\WINDOWS\system32\lzx32.sys
2006-09-01 20:21 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-01 20:06 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-01 18:09 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-01 17:17 26,112 --a------ C:\WINDOWS\system32\vdmdbg.dll
2006-09-01 17:17 13,312 --a------ C:\WINDOWS\system32\ntvdmd.dll
2006-09-01 17:16 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-09-01 17:16 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-09-01 17:14 33,792 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-09-01 17:13 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-09-01 17:13 614,429 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-09-01 17:13 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-09-01 17:13 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-09-01 17:13 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-09-01 17:13 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-09-01 17:13 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-09-01 17:13 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-09-01 17:13 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-09-01 17:13 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-09-01 17:13 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-09-01 17:13 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-09-01 17:13 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-09-01 17:13 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-09-01 17:13 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-09-01 17:13 134,144 --a------ C:\WINDOWS\system32\itss.dll
2006-09-01 17:13 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-09-01 17:09 337,920 --a------ C:\WINDOWS\system32\zipfldr.dll
2006-09-01 17:08 39,424 --a------ C:\WINDOWS\system32\grpconv.exe
2006-09-01 17:08 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-09-01 17:07 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2006-09-01 17:06 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-09-01 17:06 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-09-01 17:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-01 17:06 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-09-01 17:06 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-09-01 17:06 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-09-01 17:06 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-09-01 17:06 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-09-01 17:06 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-09-01 17:06 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-09-01 17:06 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-09-01 17:06 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-09-01 17:06 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-09-01 17:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-09-01 17:06 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-09-01 17:05 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-09-01 16:01 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-01 16:01 90,112 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-01 16:01 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-01 16:01 628,224 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-01 16:01 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-01 16:01 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-01 16:01 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-01 16:01 425,472 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-01 16:01 395,776 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-01 16:01 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-01 16:01 229,888 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-01 16:01 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-01 16:01 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-01 16:01 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-01 16:01 1,281,536 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-01 16:01 1,251,840 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-01 16:00 77,312 --a------ C:\WINDOWS\system32\browser.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-01 16:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-01 15:54 -------- d-------- C:\Documents and Settings\Katie\Application Data\vlc
2006-09-01 15:52 -------- d-------- C:\Documents and Settings\Katie\Application Data\dvdcss
2006-09-01 15:45 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-01 15:44 -------- d-------- C:\Documents and Settings\Katie\Application Data\Sun
2006-09-01 15:41 -------- d-------- C:\Program Files\Java
2006-08-31 19:13 -------- d-------- C:\Program Files\Active Virus Shield
2006-08-31 01:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-30 23:26 -------- d-------- C:\Program Files\Avast4
2006-08-30 22:38 -------- d-------- C:\Documents and Settings\Katie\Application Data\Mozilla
2006-08-30 16:14 -------- d-------- C:\Program Files\Alwil Software
2006-08-30 16:02 -------- d-------- C:\Program Files\Ad-Aware SE Personal


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /installquiet"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TFNF5"="TFNF5.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"POINTER"="point32.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TFncKy"="TFncKy.exe /Type 20"
"aol"="\"C:\\Program Files\\Active Virus Shield\\avp.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Symantec Core LC"=dword:00000002



Completion time: 02/09/2006 11:45:52.21
ComboFix3.txt
ComboFix2.txt
ComboFix.txt
Old 09-02-2006, 04:57 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,479
OS: N/A


Very good. We have disabled the rootkit.

Now delete the file - C:\WINDOWS\system32\lzx32.sys


When that's done, please visit this website to perform an online scan

http://www.bitdefender.com/scan8/ie.html
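The Avenger and ComboFix output above is what this kind of triage is read from, and two of the checks are mechanical. As an added example (not code from the thread, nor from the ComboFix or Avenger authors), the Python below parses ComboFix "Files Created"/Find3M file lines and the .reg-style Run-key values into records and applies those two checks: kernel drivers (.sys) among the newly created files, with a driver written directly into system32 rather than system32\drivers ranked highest (the pattern lzx32.sys shows in the log above), and Run entries that name a bare executable instead of a full path, which are located through the normal search order at logon. The sample lines are constructed from the posted log (lzx32.sys, nwiz.exe, Apoint, the Active Virus Shield entry, point32.exe) with a few invented sizes; the function names are the example's own. Neither check is a verdict: tmcomm.sys, for instance, is listed only for review and needs its vendor confirmed by hand.

```python
import re

# Constructed sample input modelled on the ComboFix log format posted in this
# thread. The lzx32.sys line and the Run-key values are copied from the posted
# log; the other file lines use real Windows XP file names with made-up sizes.
SAMPLE_FILES_CREATED = """\
2006-09-02 11:00 69,036 --a------ C:\\WINDOWS\\system32\\lzx32.sys
2006-09-01 20:21 221,184 --a------ C:\\WINDOWS\\system32\\wmpns.dll
2006-09-01 18:09 11,776 --------- C:\\WINDOWS\\system32\\spnpinst.exe
2006-09-01 15:45 76560 --a------ C:\\WINDOWS\\system32\\drivers\\tmcomm.sys
2006-08-31 19:13 -------- d-------- C:\\Program Files\\Active Virus Shield
"""

SAMPLE_RUN_KEY = r'''"nwiz"="nwiz.exe /installquiet"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"aol"="\"C:\\Program Files\\Active Virus Shield\\avp.exe\""
"POINTER"="point32.exe"
'''

# date time size attributes path  (size is a run of dashes for directories)
FILE_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|-+) (\S{9}) (.+)$")
# "name"="data" lines as ComboFix prints them, in .reg syntax
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_file_lines(text):
    """Turn ComboFix 'Files Created' / Find3M lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": f"{date} {time}",
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "is_dir": attrs[0] == "d",
            "path": path,
        })
    return entries


def flag_new_drivers(entries):
    """Return (path, reason) for kernel drivers among the new files.

    A .sys written straight into system32 rather than system32\\drivers is
    the pattern lzx32.sys shows in the posted log. Every new driver still
    needs its vendor and signature checked by hand; this only orders the list.
    """
    flags = []
    for e in entries:
        low = e["path"].lower()
        if e["is_dir"] or not low.endswith(".sys"):
            continue
        if "\\system32\\drivers\\" in low:
            flags.append((e["path"], "review: new driver, confirm vendor"))
        elif "\\system32\\" in low:
            flags.append((e["path"], "high: driver created directly in system32"))
        else:
            flags.append((e["path"], "review: driver outside the driver directory"))
    return flags


def _reg_unescape(data):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_values(text):
    """Parse "name"="command" lines from a Run key dump into (name, command)."""
    values = []
    for line in text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            values.append((m.group(1), _reg_unescape(m.group(2))))
    return values


def executable_of(command):
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_unqualified_run_entries(values):
    """Run entries that name a bare executable are located through the normal
    search order at logon, so the reviewer should confirm which file actually
    gets run; list them for that check."""
    flagged = []
    for name, command in values:
        exe = executable_of(command)
        if exe and "\\" not in exe and ":" not in exe:
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for path, reason in flag_new_drivers(parse_file_lines(SAMPLE_FILES_CREATED)):
        print(f"[driver] {reason}: {path}")
    for name, exe in flag_unqualified_run_entries(parse_run_values(SAMPLE_RUN_KEY)):
        print(f"[run]    {name}: '{exe}' given without a path")
```

Run as-is it reports the constructed sample; in practice paste the "Files Created" and Run-key sections of a real log into the two strings, or read them from the saved ComboFix.txt. On the log above it would rank lzx32.sys first and list nwiz, 000StTHK, Tpwrtray, TFNF5, POINTER and TFncKy for a path check, all of which a reviewer then resolves by hand.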
Old 09-02-2006, 07:22 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 8
OS: Windows XP Pro


BitDefender Online Scanner

Scan report generated at: Sat, Sep 02, 2006 - 13:33:43
Scan path: A:\;C:\;D:\;

Statistics
  Time: 01:17:22
  Files: 303053
  Folders: 4148
  Boot Sectors: 2
  Archives: 7151
  Packed Files: 30131

Results
  Identified Viruses: 2
  Infected Files: 2
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 2

Engines Info
  Virus Definitions: 452116
  Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
  Scan plugins: 13
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status
  C:\Documents and Settings\All Users\Application Data\AOL\AVP6\Backup\810c271943218768.klq
    Infected with: Trojan.Downloader.Small.BCB
    Disinfection failed
    Deleted
  C:\System Volume Information\_restore{D31C8A4A-A60E-4289-93EB-43E77D1210E8}\RP361\A0059916.exe
    Infected with: Generic.Malware.dld!!g.1609D9CE
    Disinfection failed
    Deleted
Old 09-02-2006, 07:50 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,479
OS: N/A


Log looks great. Have your friend give you a pat on the back for a job well done. The system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. MICROSOFT WINDOWS UPDATE → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here → http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ - Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
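Step 3 of the list above changes six Internet-zone settings by hand in the Security tab. As an added example (not from the post, and not Microsoft's code), the Python below expresses those same six settings as the registry values Internet Explorer keeps under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), where each setting is a DWORD named by its URL action ID with the documented meanings 0 = Enable, 1 = Prompt, 3 = Disable. It audits a regedit export of that key against the recommended values and renders a .reg file that applies them, which is the scriptable equivalent of clicking through Custom Level. The export used as input is constructed for the example and deliberately shows a weakened configuration; the action ID to label mapping is the documented one, and the function names are the example's own.

```python
import re

# Constructed regedit export of the Internet zone key, written for this
# example to show a weakened configuration. Nothing in it is from the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000000
"""

ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")   # zone 3 = Internet
ENABLE, PROMPT, DISABLE = 0, 1, 3             # documented URL action values

# URL action ID -> (Security tab label, value the post above recommends)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

DWORD_LINE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Collect the four-hex-digit action values from a regedit export."""
    values = {}
    for line in text.splitlines():
        m = DWORD_LINE_RE.match(line.strip())
        if m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values


def audit_zone(current):
    """Compare exported values with RECOMMENDED.

    Returns (action_id, label, current, wanted) for each mismatch. current is
    None when the export carries no explicit entry, so the effective setting
    is not visible in the export and must be checked in the Security tab.
    """
    findings = []
    for action_id, (label, wanted) in RECOMMENDED.items():
        have = current.get(action_id)
        if have != wanted:
            findings.append((action_id, label, have, wanted))
    return findings


def recommended_reg_file():
    """Render a .reg file that applies RECOMMENDED (import it with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONES_KEY}]"]
    for action_id, (label, wanted) in RECOMMENDED.items():
        lines.append(f"; {label}")           # regedit ignores ';' comment lines
        lines.append(f'"{action_id}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for action_id, label, have, wanted in audit_zone(parse_zone_export(SAMPLE_EXPORT)):
        shown = "not set" if have is None else str(have)
        print(f"{action_id} {label}: is {shown}, want {wanted}")
    print(recommended_reg_file())
```

Export the key with regedit (File → Export) before and after applying the change and run the audit on both: the first run lists every setting still at Enable or missing, the second should come back empty. The generated .reg only touches the six values the post names, so the rest of the zone stays as the user had it.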
Old 09-02-2006, 10:01 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 8
OS: Windows XP Pro


Thank you so much for all your help!

I've taken your advice on board and protected the system so hopefully my friend won't run into the same problems again.

Thank you! This is a very valuable resource.

:)
 


Copyright 2001 - 2009, Tech Support Forum