Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 09-25-2006, 02:36 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


Command Service

I made a careless mistake a couple of nights ago and installed a bunch of viruses and things on my computer. Between running AVGfree, SpybotSD, and Ad-Aware, the only thing I can't seem to shake is Command Services. Spybot detects this but cannot remove it, and whenever I restart the computer (even just going back to safe mode from safe mode) I have a bunch of other malware again. Here's my log after running everything once or twice; cmdservice is the only thing still detected.

Logfile of HijackThis v1.99.1
Scan saved at 4:23:33 AM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ocipkgh.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: (no name) - {D3C2D060-60D4-3D26-F5A9-631333DF389F} - C:\WINDOWS\system32\zyqm.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [win32097154372346] C:\WINDOWS\win32097154372346.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe
O4 - HKLM\..\Run: [ms047234671543] C:\WINDOWS\ms047234671543.exe
O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
O4 - HKLM\..\Run: [WinPLOSION] "C:\Program Files\WinPLOSION\winplosion.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [mpoyay] C:\WINDOWS\system32\nxkhab.exe reg_run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinspes.exe ELT001
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [oqum] C:\PROGRA~1\COMMON~1\oqum\oqumm.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [jluab] C:\WINDOWS\system32\nxkhab.exe reg_run
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153239361500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153239726093
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
egotrippen is offline  
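As an added example (not code from the thread or from HijackThis itself), the script below does the kind of first-pass triage an analyst applies to a log like the one above: it parses the F2, O4 and O20 lines and flags the patterns that stand out here (a UserInit chain, a non-empty AppInit_DLLs, a Winlogon Notify DLL outside system32, autostarts dropped straight into C:\WINDOWS, a RunServices entry on XP, and digit-heavy random-looking names). The heuristics and the `random_looking` rule are my own assumptions; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 format: a mix of clean and suspicious
# entries copied from the log posted above.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ocipkgh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [win32097154372346] C:\WINDOWS\win32097154372346.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
"""

F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def first_token(cmd):
    """Executable part of a command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def random_looking(name):
    # Heuristic (mine, not HijackThis's): a short prefix plus a long digit run
    # (win32097154372346.exe, ibm00009.exe, w002935c.dll) is typical of names a
    # dropper generates at install time; legitimate vendors rarely name files so.
    return re.search(r"\d{5,}", name) is not None


def triage_line(line):
    """Return a Finding for one HJT line, or None if nothing looks off."""
    reasons = []
    if m := F2_USERINIT_RE.match(line):
        extra = [p.strip() for p in m["value"].split(",")
                 if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            reasons.append(f"UserInit chains extra program(s) at logon: {extra}")
    elif m := O20_APPINIT_RE.match(line):
        reasons.append(f"AppInit_DLLs injects {m['value'].strip()} into every GUI process")
    elif m := O20_NOTIFY_RE.match(line):
        if not m["path"].lower().startswith(SYSTEM_DIRS):
            reasons.append("Winlogon Notify DLL lives outside the Windows system directory")
    elif m := O4_RE.match(line):
        exe = first_token(m["cmd"]).lower()
        base = exe.rsplit("\\", 1)[-1]
        if "runservices" in m["hive"].lower():
            reasons.append("RunServices is a Win9x key; an entry on XP is a persistence trick")
        if exe.startswith("c:\\windows\\") and "\\" not in exe[len("c:\\windows\\"):]:
            reasons.append("executable dropped directly into C:\\WINDOWS")
        if "documents and settings" in exe:
            reasons.append("executable runs from a user profile path")
        if random_looking(base) or random_looking(m["name"]):
            reasons.append("random-looking autostart name")
        if base.startswith("rundll32"):
            args = m["cmd"].strip().split(None, 1)
            dll = args[1].split(",")[0].strip() if len(args) > 1 else ""
            if random_looking(dll):
                reasons.append(f"rundll32 loads oddly named module {dll}")
    return Finding(line, reasons) if reasons else None


def triage(log_text):
    """All suspicious entries in an HJT log, in file order."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The clean entries (AVG, NVIDIA's rundll32 call, WgaLogon) pass through untouched; a hit is a reason to look, not proof of infection on its own.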
Old 09-25-2006, 10:26 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


1. Download Combofix from one of these two sites -

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply along with a new HJT log.

Note:
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.
Hustler24 is offline  
Old 09-25-2006, 07:05 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


OK, this is after a reboot, a partial system scan at housecall.trendmicro.com, a crash, rebooting to safe mode, and running AVGfree, Spybot, Ad-Aware, and Combofix, in that order. Combofix log:

Owner - 06-09-25 20:56:33.92 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-24 14:31 279 lsqor.dll.qoo
06-09-24 14:03 53 vlpnqb.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\justin.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\Eim03.exe
C:\Program Files\Common Files\misc002
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{5C0359CB-0890-1033-1206-021025200001}
C:\Documents and Settings\All Users\Documents\Settings

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1\msconfig.exe
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1\??sembly
C:\QooBox\Purity\Program Files\APPATC~1
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\APPATC~1\m?iexec.exe
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\m?iexec.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


2006-09-25 11:01 126,976 --a------ C:\WINDOWS\system32\lekb.dll
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\win320971543723462006.exe
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\win32086715437234.exe
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\sys1015437234672006.exe
2006-09-24 19:29 215,308 --a------ C:\WINDOWS\srvtcogesu.exe
2006-09-24 19:28 215,308 --a------ C:\WINDOWS\srvczpqlfm.exe
2006-09-24 19:23 215,308 --a------ C:\WINDOWS\srvotfewuo.exe
2006-09-24 14:04 4,096 -rah----- C:\WINDOWS\system32\svch05t.dll
2006-09-24 14:03 95,232 --a------ C:\WINDOWS\system32\ulhakjl.dll
2006-09-24 14:03 72,704 --a------ C:\WINDOWS\system32\nlkkmve.dll
2006-09-24 14:03 33,461 --a------ C:\WINDOWS\system32\hvdi32.dll
2006-09-24 14:03 131,072 --a------ C:\WINDOWS\system32\zyqm.dll
2006-09-24 14:02 32,768 --a------ C:\WINDOWS\1205.exe
2006-09-24 14:02 215,308 --a------ C:\WINDOWS\srvjfwxbdl.exe
2006-09-23 12:58 893 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-23 02:31 96,768 --------- C:\WINDOWS\system32\dxclib303562752.dll
2006-09-23 02:31 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-09-23 02:31 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-23 02:31 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-23 02:31 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-09-23 02:31 1,233 --a------ C:\WINDOWS\system32\pcucb187.sys
2006-09-23 02:25 19,456 --a------ C:\WINDOWS\system32\2000.exe
2006-09-22 15:19 19,456 --a------ C:\WINDOWS\system32\index.exe
2006-09-22 14:24 19,456 --a------ C:\WINDOWS\system32\500.exe
2006-09-22 13:19 19,456 --a------ C:\WINDOWS\system32\100.exe
2006-09-22 12:49 19,456 --a------ C:\WINDOWS\system32\pusk.exe
2006-09-22 10:38 53,248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 10:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\win32097154372346.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\win32074671543723.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\sys015437234671.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\ms052346715437.exe
2006-09-22 07:33 19,456 --a------ C:\WINDOWS\system32\unload.exe
2006-09-21 13:16 4,096 -rah----- C:\WINDOWS\system32\svch10.dll
2006-09-21 13:16 10,101 -r-h----- C:\WINDOWS\system32\tmp_k.exe
2006-09-21 11:32 8,192 --a------ C:\jswudopx.exe
2006-09-07 20:37 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-06 15:52 127,208 --a------ C:\WINDOWS\system32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-25 20:57 -------- d-------- C:\Program Files\Common Files
2006-09-25 20:36 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-25 12:43 32179 ---hs---- C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe
2006-09-25 12:25 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-09-25 10:52 -------- d--h----- C:\Program Files\BHO Plugin
2006-09-25 10:46 -------- d-------- C:\Program Files\Symantec
2006-09-25 10:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-25 02:15 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-24 19:33 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-24 19:19 -------- d-------- C:\Program Files\Trillian
2006-09-24 19:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\foobar2000
2006-09-24 19:09 -------- d-------- C:\Program Files\Common Files\oqum
2006-09-24 14:21 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-24 14:21 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-24 14:21 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-24 14:21 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-24 14:21 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-24 14:21 -------- d-------- C:\Program Files\Grisoft
2006-09-23 16:47 -------- d-------- C:\Program Files\DeluxeCommunications
2006-09-23 16:35 -------- d-------- C:\Program Files\G6 U-DISK Manager
2006-09-23 14:21 -------- d-------- C:\Program Files\popupwithcast
2006-09-23 02:26 -------- d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2006-09-21 11:30 -------- d-------- C:\Program Files\WinPLOSION
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\Real
2006-09-18 23:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-18 11:04 -------- d-------- C:\Program Files\WinRAR
2006-09-11 21:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-09-07 14:03 157184 ---hs---- C:\Program Files\Common Files\Yazzle1438OinAdmin.exe
2006-09-06 15:44 -------- d-------- C:\Program Files\Network Associates
2006-09-06 15:44 -------- d-------- C:\Program Files\Common Files\Cisco Systems
2006-09-06 15:43 -------- d-------- C:\Program Files\Common Files\Network Associates
2006-09-06 15:32 -------- d-------- C:\Program Files\Internet Explorer
2006-09-06 15:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-06 15:29 -------- d-------- C:\Program Files\Messenger
2006-09-06 15:29 -------- d-------- C:\Program Files\Common Files\System
2006-08-25 21:38 -------- d-------- C:\Program Files\Movie Player
2006-08-24 03:07 -------- d-------- C:\Program Files\2BrightSparks
2006-08-23 22:36 -------- d-------- C:\Program Files\Azureus
2006-08-23 19:12 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-08-23 19:08 -------- d-------- C:\Program Files\PowerQuest
2006-08-22 13:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-08-21 13:09 873 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-08-21 13:09 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-08-21 13:09 -------- d-------- C:\Program Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-08-21 12:28 -------- d-------- C:\Program Files\DivX
2006-08-21 12:26 -------- d-------- C:\Program Files\ffdshow
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 02:53 167936 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-08-21 02:36 -------- d-------- C:\Program Files\Illustrate
2006-08-19 23:30 -------- d-------- C:\Program Files\illiminable
2006-08-19 20:41 -------- d-------- C:\Program Files\MsnMusic
2006-08-19 20:40 -------- d-------- C:\Program Files\Windows Media Player
2006-08-19 01:11 -------- d-------- C:\Program Files\Java
2006-08-19 01:08 -------- d-------- C:\Program Files\Common Files\Java
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nsr10.dll
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-03 22:00 -------- d-a------ C:\Program Files\snes9xw-1.5
2006-08-03 16:53 -------- d-------- C:\Program Files\oggenc
2006-08-03 16:47 -------- d-------- C:\Program Files\Exact Audio Copy
2006-07-30 12:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-26 19:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-07-26 19:44 -------- d-------- C:\Program Files\Lavasoft
2006-07-26 12:16 -------- d-------- C:\Program Files\OpenOffice.org 2.0
2006-07-25 23:52 -------- d-------- C:\Program Files\Common Files\Ahead
2006-07-25 23:50 -------- d-------- C:\Program Files\Nero
2006-07-25 16:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"oqum"="C:\\PROGRA~1\\COMMON~1\\oqum\\oqumm.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"Notn"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\SEMBLY~1\\msconfig.exe\" -vt yazb"
"Ypq"="C:\\Program Files\\A?pPatch\\m?iexec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sachost"="C:\\WINDOWS\\sachostx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"win32097154372346"="C:\\WINDOWS\\win32097154372346.exe"
"ms052346715437"="C:\\WINDOWS\\ms052346715437.exe"
"win32074671543723"="C:\\WINDOWS\\win32074671543723.exe"
"ms047234671543"="C:\\WINDOWS\\ms047234671543.exe"
"Zero Knowledge Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"WinPLOSION"="\"C:\\Program Files\\WinPLOSION\\winplosion.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"pcucb187"="RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c"
"nwiz"="nwiz.exe /installquiet /keeploaded"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"BlockTracker"="c:\\hp\\bin\\BlockTracker.exe"
"BCNT"="C:\\PROGRA~1\\AWS\\WEATHE~1\\BCNT.EXE"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"win32086715437234"="C:\\WINDOWS\\win32086715437234.exe"
"{35-59-9C-CB-ZN}"="C:\\windows\\system32\\ordsregs.exe ELT001"
"sys015437234671"="C:\\WINDOWS\\sys015437234671.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"NoRecentDocsMenu"=hex:01,00,00,00
"NoActiveDesktop"=hex:01,00,00,00
"NoDrives"=hex:00,00,00,00
"NoDriveAutoRun"=hex:fd,03,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5b,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 09/25/2006 21:02:27.98
ComboFix.txt
egotrippen is offline  
Old 09-26-2006, 08:30 AM   #4 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


OK, the last log probably isn't even relevant anymore. After running Combofix, I ran everything else again, had my computer restart a few times, had more bugs, fewer bugs, and so forth... So after the last run of AVG, Spybot, and Ad-Aware, I was able to run through Trend Micro completely, and I think I might be clear. I'm running Trend Micro for a second time, and I'll go through the other three once more, and then post a new HJT log.

Thanks for the help.
egotrippen is offline  
Old 09-26-2006, 08:47 AM   #5 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


There are multiple problems with your log. Please do not do anything else.

You have an infection that cannot be removed via normal means and needs a special tool to remove.

I will post more instructions shortly.
Hustler24 is offline  
Old 09-26-2006, 10:52 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


MULTIPLE ANTIVIRUS PROGRAMS RUNNING


You have McAfee, AVG and Norton installed on your machine.

Norton and AVG are running concurrently.

Please uninstall two of them and use the other.

I recommend uninstalling AVG and Norton and using McAfee on its own - it seems to be the one that was initially used.

Please see here about how to uninstall your Norton product successfully.


----------------


ROOTKIT SCAN


Download GMER from http://www.gmer.net & extract the contents to desktop

Launch gmer.exe by double-clicking it.
Select the Rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here.
Hustler24 is offline  
Old 09-26-2006, 11:15 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


I uninstalled AVG, but there's no entry in Add/Remove Programs for Norton. Running the rootkit scan....

Last edited by egotrippen; 09-26-2006 at 11:21 AM.
egotrippen is offline  
Old 09-26-2006, 12:52 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


I can't get through GMER without my computer crashing. In normal mode, it gets to a certain point and then shuts down without warning. In safe mode, I get a 'Windows will shut down in 30 seconds' warning.
egotrippen is offline  
Old 09-26-2006, 04:23 PM   #9 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Run GMER again.

Select the Rootkit tab & make sure the 'Show All' button AND the 'Devices' button are unticked.

Press scan & when it has finished press copy & paste the log back here.

Thanks.
Hustler24 is offline  
Old 09-26-2006, 05:56 PM   #10 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


No good, it still crashes in safe and regular mode.
egotrippen is offline  
Old 09-26-2006, 10:45 PM   #11 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


Update: things are worse now. I'm not getting any popups, but the computer restarts on its own every so often, whether I'm running anything or not.
egotrippen is offline  
Old 09-27-2006, 12:18 AM   #12 (permalink)
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Run GMER again.

Select the Rootkit tab & make sure the following buttons on the right-hand side are ALL unticked:

'Show All'
'Devices'
'Registry'

Press scan & when it has finished press copy & paste the log back here.

Also, try to stay off the Internet until you are clean. You are seriously infected and this will take time.
09-27-2006, 01:01 AM   #13
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


OK, that scan was able to complete in Safe Mode, but I don't see the log. The log tab is empty, and if I'm supposed to hit the 'copy' button in the rootkit tab, I can't because my screen resolution is too low in Safe Mode. If it's good enough, here's the text from the rootkit scan. 5 spaces is a new column.

SYSENTER ? F73A1E91
Module (noname)(***hidden***) F739D000
Thread 4:1076 F739FF6C
[in red] Service C:\WINDOWS\system32\lzx32.sys (***hidden***) [SYSTEM} pe386
ADS C:\WINDOWS\system32:lzzx32.sys
[in red] File C:\WINDOWS\system32\lzx32.sys
ADS ...
09-27-2006, 08:53 AM   #14
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


I tried again this morning, and it was able to scan in regular mode. Here's the exact log:

GMER 1.0.11.11384 - http://www.gmer.net
Rootkit 2006-09-27 10:50:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SYSENTER ? EEC53E91

---- Modules - GMER 1.0.11 ----

Module (noname) (*** hidden *** ) EEC4F000

---- Threads - GMER 1.0.11 ----

Thread 4:1096 EEC51F6C

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Files - GMER 1.0.11 ----

ADS C:\WINDOWS\system32:lzx32.sys
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----
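As an added illustration (not code from this thread and not part of GMER), the following Python script parses the GMER log above and pulls out the entries a defender would act on: objects GMER marks as hidden or as rootkits, the alternate data stream attached to the system32 directory, a SYSENTER handler GMER could not resolve to a module, and a System-process thread whose start address sits just above a hidden module's base. The 64 KiB proximity window, the section-header and annotation layout assumed by the regexes, and the names of the helpers are all assumptions; the sample log is the one posted above with its blank lines dropped.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER code)."""
import re
from collections import namedtuple

# The log pasted in the post above, blank lines removed.
GMER_LOG = r"""
GMER 1.0.11.11384 - http://www.gmer.net
Rootkit 2006-09-27 10:50:35
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.11 ----
SYSENTER ? EEC53E91
---- Modules - GMER 1.0.11 ----
Module (noname) (*** hidden *** ) EEC4F000
---- Threads - GMER 1.0.11 ----
Thread 4:1096 EEC51F6C
---- Services - GMER 1.0.11 ----
Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- Files - GMER 1.0.11 ----
ADS C:\WINDOWS\system32:lzx32.sys
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.11 ----
"""

SECTION_RE = re.compile(r"^---- (\S+) - GMER [\d.]+ ----$")
ADDRESS_RE = re.compile(r"\b([0-9A-F]{8})$")   # GMER prints kernel addresses last
NEAR_MODULE = 0x10000  # assumed heuristic window above a hidden module's base

# section: System/Modules/...; kind: first token of the entry; target: path/name
Finding = namedtuple("Finding", "section kind target reasons")


def parse_entries(text):
    """Yield (section, kind, rest) per entry line; banner and EOF are skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section and section != "EOF":
            kind, _, rest = line.partition(" ")
            yield section, kind, rest


def target_of(rest):
    """Strip GMER's annotations: ' (*** hidden *** ) ...' and ' <-- ROOTKIT !!!'."""
    return re.split(r" \(\*\*\*| <--", rest)[0].strip()


def trailing_address(rest):
    m = ADDRESS_RE.search(rest)
    return int(m.group(1), 16) if m else None


def triage(text):
    entries = list(parse_entries(text))
    hidden_bases = [trailing_address(r) for _, k, r in entries
                    if k == "Module" and "hidden" in r]
    findings = []
    for section, kind, rest in entries:
        reasons = []
        if "hidden" in rest:
            reasons.append("hidden from the Windows API")
        if "<-- ROOTKIT" in rest:
            reasons.append("GMER rootkit verdict")
        if kind == "ADS":  # a stream hung off a directory, here system32 itself
            reasons.append("alternate data stream on " + target_of(rest).rsplit(":", 1)[0])
        if kind == "SYSENTER" and rest.startswith("?"):
            reasons.append("SYSENTER handler not resolved to a loaded module")
        if kind == "Thread":
            addr = trailing_address(rest)
            if addr is not None and any(b is not None and 0 <= addr - b < NEAR_MODULE
                                        for b in hidden_bases):
                reasons.append("thread starts just above a hidden module's base")
        if reasons:
            findings.append(Finding(section, kind, target_of(rest), tuple(reasons)))
    return findings


def correlate(findings):
    """Group service/file/stream findings by file name: one driver, several footholds."""
    groups = {}
    for f in findings:
        if f.kind in ("Service", "File", "ADS"):
            name = re.split(r"[\\:]", f.target)[-1].lower()
            groups.setdefault(name, set()).add(f.kind)
    return groups


if __name__ == "__main__":
    found = triage(GMER_LOG)
    for f in found:
        print(f"[{f.section}] {f.kind} {f.target}: {'; '.join(f.reasons)}")
    for name, kinds in correlate(found).items():
        print(f"{name}: present as {', '.join(sorted(kinds))}")
```

The correlation step is the useful part for a reader of this log: the same driver name appears as a hidden service, a file on disk and a stream on the system32 directory, which is why the analyst's next step targets the service rather than just the file.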
09-27-2006, 10:23 AM   #15
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Run GMER again and select C:\WINDOWS\system32\lzx32.sys (*** hidden *** )

Right-click once you have selected the file and choose delete the service


----------------


Then select GMER's 'Process' tab & click the 'Restart' button. The system will reboot into normal mode.


----------------


Run Combofix once more and post a Combofix log and a new HJT log.

Last edited by Hustler24; 09-27-2006 at 10:25 AM.
09-27-2006, 10:33 AM   #16
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


ComboFix log:
Owner - 06-09-27 12:28:48.18 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))


2006-09-24 19:29 215,308 --a------ C:\WINDOWS\srvtcogesu.exe
2006-09-24 19:28 215,308 --a------ C:\WINDOWS\srvczpqlfm.exe
2006-09-24 19:23 215,308 --a------ C:\WINDOWS\srvotfewuo.exe
2006-09-24 14:04 4,096 -rah----- C:\WINDOWS\system32\svch05t.dll
2006-09-24 14:03 95,232 --a------ C:\WINDOWS\system32\ulhakjl.dll
2006-09-24 14:03 72,704 --a------ C:\WINDOWS\system32\nlkkmve.dll
2006-09-24 14:02 32,768 --a------ C:\WINDOWS\1205.exe
2006-09-24 14:02 215,308 --a------ C:\WINDOWS\srvjfwxbdl.exe
2006-09-23 12:58 893 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-23 02:31 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-09-23 02:31 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-23 02:31 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-23 02:31 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-09-23 02:31 1,233 --a------ C:\WINDOWS\system32\pcucb187.sys
2006-09-23 02:25 19,456 --a------ C:\WINDOWS\system32\2000.exe
2006-09-22 15:19 19,456 --a------ C:\WINDOWS\system32\index.exe
2006-09-22 14:24 19,456 --a------ C:\WINDOWS\system32\500.exe
2006-09-22 13:19 19,456 --a------ C:\WINDOWS\system32\100.exe
2006-09-22 12:49 19,456 --a------ C:\WINDOWS\system32\pusk.exe
2006-09-22 10:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-22 07:33 19,456 --a------ C:\WINDOWS\system32\unload.exe
2006-09-21 13:16 4,096 -rah----- C:\WINDOWS\system32\svch10.dll
2006-09-07 20:37 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-06 15:52 127,208 --a------ C:\WINDOWS\system32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-27 12:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-27 02:29 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-26 21:31 -------- d-------- C:\Program Files\Trillian
2006-09-26 13:14 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-26 03:06 -------- d-------- C:\Program Files\Common Files
2006-09-25 10:46 -------- d-------- C:\Program Files\Symantec
2006-09-25 10:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-24 19:33 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-24 19:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\foobar2000
2006-09-24 19:09 -------- d-------- C:\Program Files\Common Files\oqum
2006-09-23 16:35 -------- d-------- C:\Program Files\G6 U-DISK Manager
2006-09-23 02:26 -------- d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2006-09-21 11:30 -------- d-------- C:\Program Files\WinPLOSION
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\Real
2006-09-18 23:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-18 11:04 -------- d-------- C:\Program Files\WinRAR
2006-09-11 21:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-09-06 15:44 -------- d-------- C:\Program Files\Network Associates
2006-09-06 15:44 -------- d-------- C:\Program Files\Common Files\Cisco Systems
2006-09-06 15:43 -------- d-------- C:\Program Files\Common Files\Network Associates
2006-09-06 15:32 -------- d-------- C:\Program Files\Internet Explorer
2006-09-06 15:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-06 15:29 -------- d-------- C:\Program Files\Messenger
2006-09-06 15:29 -------- d-------- C:\Program Files\Common Files\System
2006-08-25 21:38 -------- d-------- C:\Program Files\Movie Player
2006-08-24 03:07 -------- d-------- C:\Program Files\2BrightSparks
2006-08-23 22:36 -------- d-------- C:\Program Files\Azureus
2006-08-23 19:12 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-08-23 19:08 -------- d-------- C:\Program Files\PowerQuest
2006-08-22 13:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-08-21 13:09 873 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-08-21 13:09 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-08-21 13:09 -------- d-------- C:\Program Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-08-21 12:28 -------- d-------- C:\Program Files\DivX
2006-08-21 12:26 -------- d-------- C:\Program Files\ffdshow
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 02:53 167936 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-08-21 02:36 -------- d-------- C:\Program Files\Illustrate
2006-08-19 23:30 -------- d-------- C:\Program Files\illiminable
2006-08-19 20:41 -------- d-------- C:\Program Files\MsnMusic
2006-08-19 20:40 -------- d-------- C:\Program Files\Windows Media Player
2006-08-19 01:11 -------- d-------- C:\Program Files\Java
2006-08-19 01:08 -------- d-------- C:\Program Files\Common Files\Java
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nsr10.dll
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-03 22:00 -------- d-a------ C:\Program Files\snes9xw-1.5
2006-08-03 16:53 -------- d-------- C:\Program Files\oggenc
2006-08-03 16:47 -------- d-------- C:\Program Files\Exact Audio Copy
2006-07-30 12:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"oqum"="C:\\PROGRA~1\\COMMON~1\\oqum\\oqumm.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sachost"="C:\\WINDOWS\\sachostx.exe"
"ms052346715437"="C:\\WINDOWS\\ms052346715437.exe"
"win32074671543723"="C:\\WINDOWS\\win32074671543723.exe"
"ms047234671543"="C:\\WINDOWS\\ms047234671543.exe"
"Zero Knowledge Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"WinPLOSION"="\"C:\\Program Files\\WinPLOSION\\winplosion.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"pcucb187"="RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c"
"nwiz"="nwiz.exe /installquiet /keeploaded"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"BlockTracker"="c:\\hp\\bin\\BlockTracker.exe"
"BCNT"="C:\\PROGRA~1\\AWS\\WEATHE~1\\BCNT.EXE"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"win32086715437234"="C:\\WINDOWS\\win32086715437234.exe"
"{35-59-9C-CB-ZN}"="C:\\windows\\system32\\ordsregs.exe ELT001"
"sys015437234671"="C:\\WINDOWS\\sys015437234671.exe"
"ms063467154372"="C:\\WINDOWS\\ms063467154372.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"NoRecentDocsMenu"=hex:01,00,00,00
"NoActiveDesktop"=hex:01,00,00,00
"NoDrives"=hex:00,00,00,00
"NoDriveAutoRun"=hex:fd,03,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5b,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 09/27/2006 12:32:03.03
ComboFix.txt
ComboFix2.txt
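The "Files Created" section of the ComboFix log above can be triaged mechanically. The Python below is an added example (not ComboFix code and not the analyst's procedure): it parses the listing, groups files that share an exact byte size, and flags purely numeric file names, .sys files far too small to be real drivers, DLLs carrying the hidden attribute, and new executables written straight into C:\WINDOWS. The thresholds (three files per size cluster, a 4096-byte minimum driver size) and the attribute-letter layout are assumptions chosen for illustration; the listing is copied from the post above.

```python
"""Triage the 'Files Created' section of a ComboFix log (added example, not ComboFix code)."""
import re
from collections import defaultdict
from datetime import datetime

# Copied from the ComboFix log in the post above.
FILES_CREATED = r"""
2006-09-24 19:29 215,308 --a------ C:\WINDOWS\srvtcogesu.exe
2006-09-24 19:28 215,308 --a------ C:\WINDOWS\srvczpqlfm.exe
2006-09-24 19:23 215,308 --a------ C:\WINDOWS\srvotfewuo.exe
2006-09-24 14:04 4,096 -rah----- C:\WINDOWS\system32\svch05t.dll
2006-09-24 14:03 95,232 --a------ C:\WINDOWS\system32\ulhakjl.dll
2006-09-24 14:03 72,704 --a------ C:\WINDOWS\system32\nlkkmve.dll
2006-09-24 14:02 32,768 --a------ C:\WINDOWS\1205.exe
2006-09-24 14:02 215,308 --a------ C:\WINDOWS\srvjfwxbdl.exe
2006-09-23 12:58 893 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-23 02:31 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-09-23 02:31 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-23 02:31 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-23 02:31 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-09-23 02:31 1,233 --a------ C:\WINDOWS\system32\pcucb187.sys
2006-09-23 02:25 19,456 --a------ C:\WINDOWS\system32\2000.exe
2006-09-22 15:19 19,456 --a------ C:\WINDOWS\system32\index.exe
2006-09-22 14:24 19,456 --a------ C:\WINDOWS\system32\500.exe
2006-09-22 13:19 19,456 --a------ C:\WINDOWS\system32\100.exe
2006-09-22 12:49 19,456 --a------ C:\WINDOWS\system32\pusk.exe
2006-09-22 10:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-22 07:33 19,456 --a------ C:\WINDOWS\system32\unload.exe
2006-09-21 13:16 4,096 -rah----- C:\WINDOWS\system32\svch10.dll
2006-09-07 20:37 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-06 15:52 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
"""

# date time size attrs path; size is '--------' for directory entries
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+|-+)\s+(\S{9})\s+(.+)$")
MIN_CLUSTER = 3          # assumption: three identical sizes is a dropper pattern, not chance
MIN_DRIVER_BYTES = 4096  # assumption: no genuine kernel driver is smaller than this


def parse_listing(text):
    """Yield (created, size, attrs, path); size is None for directory entries."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        size = None if size.startswith("-") else int(size.replace(",", ""))
        yield datetime.strptime(when, "%Y-%m-%d %H:%M"), size, attrs, path


def size_clusters(entries):
    """Files sharing an exact byte size: the same payload written under random names."""
    by_size = defaultdict(list)
    for created, size, _, path in entries:
        if size:
            by_size[size].append((created, path))
    return {s: sorted(v) for s, v in by_size.items() if len(v) >= MIN_CLUSTER}


def flag_entry(size, attrs, path):
    folder, _, name = path.rpartition("\\")
    name, folder = name.lower(), folder.lower()
    reasons = []
    if re.fullmatch(r"\d+\.(exe|dll|sys)", name):
        reasons.append("purely numeric file name")
    if name.endswith(".sys") and size is not None and size < MIN_DRIVER_BYTES:
        reasons.append(f"{size}-byte .sys is too small to be a real driver")
    if "h" in attrs and name.endswith(".dll"):   # 'h' = hidden attribute
        reasons.append("hidden attribute set on a DLL")
    if folder == r"c:\windows" and name.endswith(".exe"):
        reasons.append("new executable written directly into %WINDIR%")
    return reasons


def analyze(text):
    """Return {'flagged': {path: [reasons]}, 'clusters': {size: [(created, path)]}}."""
    entries = list(parse_listing(text))
    flagged = {}
    for _, size, attrs, path in entries:
        reasons = flag_entry(size, attrs, path)
        if reasons:
            flagged[path] = reasons
    clusters = size_clusters(entries)
    for size, members in clusters.items():
        span_h = (members[-1][0] - members[0][0]).total_seconds() / 3600
        note = f"one of {len(members)} files of exactly {size:,} bytes created within {span_h:.1f} h"
        for _, path in members:
            flagged.setdefault(path, []).append(note)
    return {"flagged": flagged, "clusters": clusters}


if __name__ == "__main__":
    report = analyze(FILES_CREATED)
    for path, reasons in sorted(report["flagged"].items()):
        print(path, "->", "; ".join(reasons))
```

Run against this listing, the size clustering alone recovers two families (four 215,308-byte srv*.exe files and six 19,456-byte executables in system32) that the name-based rules would otherwise catch only partially, while the Intel and Windows Update DLLs at the bottom of the listing stay unflagged.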
09-27-2006, 10:36 AM   #17
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:34:35 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll (file missing)
O2 - BHO: (no name) - {D3C2D060-60D4-3D26-F5A9-631333DF389F} - C:\WINDOWS\system32\zyqm.dll (file missing)
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe
O4 - HKLM\..\Run: [ms047234671543] C:\WINDOWS\ms047234671543.exe
O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
O4 - HKLM\..\Run: [WinPLOSION] "C:\Program Files\WinPLOSION\winplosion.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [win32086715437234] C:\WINDOWS\win32086715437234.exe
O4 - HKLM\..\Run: [{35-59-9C-CB-ZN}] C:\windows\system32\ordsregs.exe ELT001
O4 - HKLM\..\Run: [sys015437234671] C:\WINDOWS\sys015437234671.exe
O4 - HKLM\..\Run: [ms063467154372] C:\WINDOWS\ms063467154372.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [oqum] C:\PROGRA~1\COMMON~1\oqum\oqumm.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153239361500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153239726093
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
09-27-2006, 11:28 AM   #18
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


We've got rid of the major infection, but there's loads more. Take your time in completing the next steps and if you have any problems, please let me know.


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.


---------------


DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.



---------------------


Download and run the Norton uninstall tool to remove the version of Norton that you do not need anymore.


-----------------


You are running Zero Knowledge Freedom which is a security suite. This means that you no longer need McAfee VirusScan.

Please visit this site for details of how to uninstall it.


------------------


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.


-------------------


SAFE MODE

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.


--------------------


ADD/REMOVE PROGRAMS

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

BHOPlugin



-----------------------


FIXES WITH HIJACK THIS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll (file missing)
O2 - BHO: (no name) - {D3C2D060-60D4-3D26-F5A9-631333DF389F} - C:\WINDOWS\system32\zyqm.dll (file missing)
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe
O4 - HKLM\..\Run: [ms047234671543] C:\WINDOWS\ms047234671543.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [win32086715437234] C:\WINDOWS\win32086715437234.exe
O4 - HKLM\..\Run: [{35-59-9C-CB-ZN}] C:\windows\system32\ordsregs.exe ELT001
O4 - HKLM\..\Run: [sys015437234671] C:\WINDOWS\sys015437234671.exe
O4 - HKLM\..\Run: [ms063467154372] C:\WINDOWS\ms063467154372.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [oqum] C:\PROGRA~1\COMMON~1\oqum\oqumm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)



Please remember to close all other windows, including browsers then click Fix checked.


------------------------


FILE DELETIONS

Delete the following files and folders if they still exist (entries marked "(folder)" are folders; the rest are files).


C:\WINDOWS\system32\nsr10.dll
C:\Program Files\BHO Plugin (folder)
C:\WINDOWS\system32\zyqm.dll
C:\WINDOWS\sachostx.exe
C:\WINDOWS\ms052346715437.exe
C:\WINDOWS\win32074671543723.exe
C:\WINDOWS\ms047234671543.exe
c:\windows\system32\stonedrv.exe
w002935c.dll < Find via Start > Search > All Files and Folders
C:\WINDOWS\win32086715437234.exe
C:\windows\system32\ordsregs.exe
C:\WINDOWS\sys015437234671.exe
C:\WINDOWS\ms063467154372.exe
C:\PROGRAM FILES\COMMON FILES\oqum (folder)
C:\WINDOWS\system32\dwdsregt.exe
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\srvtcogesu.exe
C:\WINDOWS\srvczpqlfm.exe
C:\WINDOWS\srvotfewuo.exe
C:\WINDOWS\system32\svch05t.dll < Not the legitimate svchost.exe
C:\WINDOWS\system32\ulhakjl.dll
C:\WINDOWS\system32\nlkkmve.dll
C:\WINDOWS\1205.exe
C:\WINDOWS\srvjfwxbdl.exe

C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\TIELT001.exe
C:\WINDOWS\DXCecho.exe
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\MirarSetup_876057.exe
C:\WINDOWS\system32\pcucb187.sys
C:\WINDOWS\system32\2000.exe
C:\WINDOWS\system32\index.exe
C:\WINDOWS\system32\500.exe
C:\WINDOWS\system32\100.exe
C:\WINDOWS\system32\pusk.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\system32\unload.exe
C:\WINDOWS\system32\svch10.dll




------------------------



CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.



-------------------------



EWIDO

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Restart in normal mode.



--------------------------



ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HiJackThis log, Ewido's log and a new Combofix log.
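The fix list in the post above was assembled by hand from the HJT log in post #17. As an added example (not HijackThis code and not the analyst's method), the Python below applies pattern rules to a subset of that log: Run-key value names that look machine-generated, a bracketed name that only imitates a GUID, an executable whose name is within two edits of a Windows system binary, rundll32 invoked with an opaque hex argument, registered components whose file is missing, and an ActiveX control served from a private IP address. The rules, the list of system binaries compared against and the edit-distance threshold are assumptions; pattern matching will not reproduce every judgement above (nsr10.dll, for instance, is in the fix list from the analyst's knowledge rather than from anything in its name), and a hit is a prompt to verify, not a verdict.

```python
"""Pattern-based triage of HijackThis log lines (added example; not HJT code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the HJT log posted earlier in this thread.
HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsr10.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ms052346715437] C:\WINDOWS\ms052346715437.exe
O4 - HKLM\..\Run: [win32074671543723] C:\WINDOWS\win32074671543723.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pcucb187] RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [{35-59-9C-CB-ZN}] C:\windows\system32\ordsregs.exe ELT001
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://10.208.1.1/CAT/CNICAT.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - .*?\[(.+?)\] (.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
GENERATED_RE = re.compile(r"^(ms|win32|sys)\d{10,}$")  # assumed from the names seen in this log
HEX_BLOB_RE = re.compile(r"\b[0-9a-f]{16,}\b", re.I)
DPF_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
SYSTEM_BINARIES = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")  # assumed list


def levenshtein(a, b):
    """Edit distance; catches names one or two keystrokes away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_binary(stem):
    s = stem.lower()
    return any(s != real and levenshtein(s, real) <= 2 for real in SYSTEM_BINARIES)


def first_token(command):
    """The executable of a Run value: quoted path or first whitespace-delimited word."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def stem_of(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def flag_run_entry(name, command):
    reasons = []
    if GENERATED_RE.match(name):
        reasons.append("machine-generated value name")
    if name.startswith("{") and not GUID_RE.match(name):
        reasons.append("value name imitates a GUID but is not a valid one")
    stem = stem_of(first_token(command))
    if looks_like_system_binary(stem):
        reasons.append(f"'{stem}' is within two edits of a Windows system binary name")
    if stem.lower() == "rundll32" and HEX_BLOB_RE.search(command):
        reasons.append("rundll32 called with an opaque hex argument")
    return reasons


def flag_line(line):
    """Return (kind, subject, reasons); reasons is empty when no rule matched."""
    kind = line.split(" ", 1)[0]
    m = RUN_RE.match(line)
    if m:
        name, command = m.groups()
        return kind, name, flag_run_entry(name, command)
    if kind in ("O2", "O20") and line.endswith("(file missing)"):
        path = line.rsplit(" - ", 1)[1].replace(" (file missing)", "")
        return kind, path, ["registered component whose file no longer exists"]
    m = DPF_RE.match(line)
    if m:
        url = m.group(1)
        try:
            if ipaddress.ip_address(urlsplit(url).hostname).is_private:
                return kind, url, ["ActiveX control served from a private address; confirm with the network operator"]
        except ValueError:  # a host name rather than a literal IP address
            pass
    return kind, line, []


def triage(text):
    hits = []
    for raw in text.splitlines():
        if raw.strip():
            kind, subject, reasons = flag_line(raw.strip())
            if reasons:
                hits.append((kind, subject, reasons))
    return hits


if __name__ == "__main__":
    for kind, subject, reasons in triage(HJT_LOG):
        print(f"{kind} {subject}: {'; '.join(reasons)}")
```

On this input the rules flag the same O4, O2, O16 and O20 entries the analyst listed, and leave the RealPlayer, NVIDIA, Messenger and KernelFaultCheck entries alone; the look-alike rule is what separates sachostx.exe from the real svchost.exe mentioned further down the fix list.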
09-27-2006, 11:35 AM   #19
Registered User
 
Join Date: Sep 2006
Posts: 24
OS: XP


OK, thanks for your help. One thing: I can't uninstall McAfee, because the network I'm on requires it. Can I uninstall Zero Knowledge instead?

Also, checking off things in HJT, this entry wasn't on the list:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Last edited by egotrippen; 09-27-2006 at 11:52 AM.
09-27-2006, 11:55 AM   #20
Analyst, Security Team
 
Join Date: Mar 2005
Posts: 890
OS: Windows XP Home


Yes, uninstall Zero Knowledge Freedom but after completing the above steps, immediately install a firewall.

Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice: .