
HJT: Spyware Guard 2009



I'm trying to clean up someone's computer. What I've done up to this point is run Malwarebytes 1 time, then Spybot S&D. Then, I ran Malwarebytes 2 more times to get rid of leftover infections. I then updated Windows XP to SP2 and installed AVG. Here's the before and after HJT logs. Can someone tell me if I got rid of all the baddies?

BEFORE

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:05:27 PM, on 1/13/2009

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\regsvr32.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\WINDOWS\system32\winscenter.exe

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Common Files\AOL\1164669651\EE\aolsoftware.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Common Files\AOL\Loader\aolload.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

c:\program files\common files\aol\1164669651\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1164669651\EE\aolsoftware.exe

C:\WINDOWS\System32\rundll32.exe

C:\Documents and Settings\SUZ\Application Data\gadcom\gadcom.exe

C:\Program Files\GetModule\GetModule32.exe

C:\Documents and Settings\SUZ\Application Data\Twain\Twain.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Documents and Settings\SUZ\Application Data\SpeedRunner\SpeedRunner.exe

C:\Documents and Settings\SUZ\Application Data\Microsoft\Windows\hvovv.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google plugin - {085E2757-F41D-42d1-B4CC-9DADF7113BBC} - aj32.dll (file missing)

O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll

O2 - BHO: (no name) - {58fd9c45-a745-4409-87bc-18b52d0f3fbc} - C:\WINDOWS\System32\lewuseze.dll

O2 - BHO: (no name) - {6393D8C0-5890-4259-99FC-BF2CC0C89CA1} - C:\WINDOWS\System32\awtuVmkh.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\tuvstqnK.dll

O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack2.dll

O2 - BHO: offersfortoday browser enhancer - {964237E8-67D8-F421-0876-ED125EC8146B} - C:\WINDOWS\System32\gihsjbcliwo.dll

O2 - BHO: {7aafa469-e80a-be5b-3514-aa0902241c0a} - {a0c14220-90aa-4153-b5eb-a08e964afaa7} - C:\WINDOWS\System32\zlnwce.dll

O2 - BHO: searchersmart search enhancer - {D2694B1E-8B52-11A7-570E-1AF996222FE2} - C:\WINDOWS\System32\cogpcwokpwia.dll

O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164669651\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [vkuaeqhvosqzm] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\gihsjbcliwo.dll"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [dunufolawa] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s

O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2009\spywareguard.exe

O4 - HKLM\..\Run: [a01de5fa] rundll32.exe "C:\WINDOWS\System32\ganizoni.dll",b

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "virtumonde" "2"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\SUZ\xrt_bulg.exe

O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\SUZ\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe

O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\SUZ\Application Data\Twain\Twain.exe

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b

O4 - HKCU\..\Run: [speedRunner] C:\Documents and Settings\SUZ\Application Data\SpeedRunner\SpeedRunner.exe

O4 - HKCU\..\Run: [QfyPQjDOxvUroB9] C:\Documents and Settings\SUZ\Application Data\Microsoft\Windows\hvovv.exe

O4 - HKUS\S-1-5-19\..\Run: [dunufolawa] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [dunufolawa] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} (AOL Newport Editor Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.8.cab

O20 - AppInit_DLLs: ,zlnwce.dll,C:\WINDOWS\System32\zotokohu.dll

O20 - Winlogon Notify: tuvstqnK - C:\WINDOWS\SYSTEM32\tuvstqnK.dll

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

O20 - Winlogon Notify: __c00C9828 - C:\WINDOWS\System32\__c00C9828.dat

O21 - SSODL: ieModule - {5177B03D-22B9-43CF-9F27-F724AE3375FA} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll

O21 - SSODL: InternetConnection - {55A9938C-EB45-4092-B6BE-70DF49B5871B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\nhcclkpedb.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

--

End of file - 9291 bytes

AFTER

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:19:52 PM, on 1/15/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\DELLMMKB.EXE

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Common Files\AOL\1164669651\ee\AOLSoftware.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

c:\program files\common files\aol\1164669651\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1164669651\EE\aolsoftware.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164669651\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [QfyPQjDOxvUroB9] C:\Documents and Settings\SUZ\Application Data\Microsoft\Windows\hvovv.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} (AOL Newport Editor Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.8.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: zlnwce.dll,avgrsstx.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

--

End of file - 6408 bytes


Hi there

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Thanks for your help. Here's the log...

ComboFix 09-01-17.01 - SUZ 2009-01-17 11:45:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.61 [GMT -6:00]

Running from: c:\documents and settings\SUZ\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\SUZ\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\SUZ\Local Settings\Temporary Internet Files\CPV.stt

c:\documents and settings\SUZ\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\system32\azerevik.ini

c:\windows\system32\drivers\npf.sys

c:\windows\system32\packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\tb.dr

c:\windows\system32\usobobas.ini

c:\windows\system32\wpcap.dll

c:\windows\wiaserviv.log

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))

.

2009-01-17 11:18 . 2009-01-17 11:42 <DIR> d-------- c:\windows\SYSTEM32\CatRoot_bak

2009-01-15 19:04 . 2009-01-17 11:20 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg

2009-01-15 19:04 . 2009-01-15 19:04 <DIR> d-------- c:\program files\AVG

2009-01-15 19:04 . 2009-01-15 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-15 19:04 . 2009-01-15 19:04 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys

2009-01-15 19:04 . 2009-01-15 19:04 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll

2009-01-15 18:56 . 2008-06-13 07:10 272,128 --------- c:\windows\SYSTEM32\DLLCACHE\bthport.sys

2009-01-15 18:54 . 2008-09-04 10:42 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll

2009-01-15 18:54 . 2008-04-11 12:50 683,520 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll

2009-01-15 18:54 . 2008-10-24 05:10 453,632 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

2009-01-15 18:54 . 2008-12-11 05:57 333,184 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys

2009-01-15 18:54 . 2008-10-15 10:57 332,800 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

2009-01-15 18:54 . 2008-05-01 08:30 331,776 --------- c:\windows\SYSTEM32\DLLCACHE\msadce.dll

2009-01-15 18:54 . 2008-10-03 04:15 247,326 --------- c:\windows\SYSTEM32\DLLCACHE\strmdll.dll

2009-01-15 18:54 . 2008-05-08 06:28 202,752 --------- c:\windows\SYSTEM32\DLLCACHE\rmcast.sys

2009-01-15 18:53 . 2009-01-15 19:28 <DIR> d--h----- c:\windows\$hf_mig$

2009-01-15 18:31 . 2009-01-15 18:31 <DIR> d-------- c:\windows\provisioning

2009-01-15 18:31 . 2009-01-15 18:31 <DIR> d-------- c:\windows\peernet

2009-01-15 18:29 . 2009-01-15 18:29 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-15 18:26 . 2005-06-28 10:21 22,752 --a------ c:\windows\SYSTEM32\spupdsvc.exe

2009-01-15 18:23 . 2009-01-15 18:23 <DIR> d-------- c:\windows\EHome

2009-01-14 17:58 . 2009-01-14 18:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-14 17:58 . 2009-01-14 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-14 17:54 . 2009-01-15 19:20 <DIR> d-------- c:\documents and settings\SUZ\Application Data\U3

2009-01-14 17:37 . 2009-01-14 17:37 <DIR> d-------- c:\documents and settings\SUZ\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-01-14 17:20 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-01-14 17:18 . 2009-01-14 17:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3

2009-01-13 20:05 . 2009-01-13 20:05 <DIR> d-------- c:\program files\Trend Micro

2009-01-07 16:05 . 2009-01-07 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2009-01-07 15:56 . 2009-01-07 15:56 <DIR> d-------- c:\program files\Common Files\Scanner

2009-01-07 15:29 . 2009-01-07 15:29 1,264 --a------ c:\windows\SYSTEM32\lp

2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Viewpoint

2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL

2009-01-06 15:59 . 2001-11-27 09:26 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-01-06 15:59 . 2001-11-27 09:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-01-06 15:59 . 2009-01-15 19:05 <DIR> d-------- c:\documents and settings\Administrator

2009-01-05 15:54 . 2009-01-14 17:34 <DIR> d-------- c:\documents and settings\SUZ\Application Data\Twain

2009-01-04 12:23 . 2009-01-04 12:23 238 --a------ c:\documents and settings\SUZ\xrt_log.dat

2009-01-03 08:13 . 2009-01-03 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP

2008-12-19 08:13 . 2008-12-19 08:21 56,726 --a------ c:\windows\SYSTEM32\cogpcwokpwia.dll-uninst.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 00:20 --------- d-----w c:\program files\Common Files\AOL

2009-01-03 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-01-03 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads

2008-12-12 17:33 3,060,224 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-05 22:15 18,603 ----a-w c:\documents and settings\SUZ\xrt_collect.zip

2008-11-08 00:32 2,109,440 ------w c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll

2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll

2008-10-23 13:01 283,648 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]

"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]

"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2000-06-07 794112]

"HostManager"="c:\program files\Common Files\AOL\1164669651\ee\AOLSoftware.exe" [2007-04-12 42032]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]

"WorksFUD"="c:\program files\Microsoft Works\Wkfud.exe" [2000-08-10 24576]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-15 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-09-16 82026]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-10 24633]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=zlnwce.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk

backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

--a------ 2000-08-10 12:00 311350 c:\program files\Microsoft Works\WKSSB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

--a------ 2000-08-10 12:00 28739 c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Optimum Online net guide]

--a------ 2007-01-13 12:23 1630208 c:\program files\Optimum Online\Netsurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-15 97928]

R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [2000-10-03 6942]

R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 231704]

R4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-08-06 28672]

S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [2001-11-27 281856]

S4 mrtRate;mrtRate; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4ecb236-e291-11dd-98b5-00038a000015}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2001-11-29 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-08-04 01:56]

2009-01-17 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]

2009-01-17 c:\windows\Tasks\tbqzuerv.job

- c:\windows\system32\RUNDLL32.EXE [2004-08-04 01:56]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-QfyPQjDOxvUroB9 - c:\documents and settings\SUZ\Application Data\Microsoft\Windows\hvovv.exe

SafeBoot-Winio73.sys

MSConfigStartUp-a01de5fa - c:\windows\System32\najebofi.dll

MSConfigStartUp-GetModule32 - c:\program files\GetModule\GetModule32.exe

MSConfigStartUp-GetPack26 - c:\program files\GetPack\GetPack26.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optonline.net/

mStart Page = hxxp://smbusiness.dellnet.com/

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/v2.15/cab/aolpPlugins.10.6.0.8.cab

c:\windows\Downloaded Program Files\aolpPlugins.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-17 11:52:08

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\LexBceS.exe

c:\windows\SYSTEM32\Lexpps.exe

c:\windows\SYSTEM32\devldr32.exe

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Netropa\OSD.exe

c:\program files\Common Files\AOL\1164669651\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgrsx.exe

.

**************************************************************************

.

Completion time: 2009-01-17 11:57:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-17 17:57:37

Pre-Run: 11,485,966,336 bytes free

Post-Run: 11,569,467,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

204 --- E O F --- 2009-01-16 01:28:43


Hi there

Go to start menu - Select Run and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

File::

c:\windows\System32\zlnwce.dll

c:\windows\Tasks\ISP signup reminder 3.job

c:\windows\Tasks\tbqzuerv.job

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

"AppInit_DLLs"="avgrsstx.dll"

- Save this to your desktop as CFScript.txt

- Drag the CFScript.txt over onto Combofix.exe and release.


Combofix will then execute the script and produce a fresh log

Post this back in your next reply

Once done....

Please run a fresh Malwarebytes Antimalware scan

First I want you to update MBAM so we have the latest definitions onboard

Please open Malwarebytes Antimalware

Now click on the update tab

Next - Click on the Check for updates button

  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Once done - reboot and generate a fresh HJT log

Please include in your next reply:

The new combofix log

The new MBAM log

A fresh HJT log


After the ComboFix created a log and I closed it, the desktop never came back up. After a few minutes, I got a popup message by the AOL Spyware Protection that it caught a Bifrose. I had to open Task Manager with Ctrl-Alt-Del and Restart. After that, I followed the rest of your steps.

ComboFix Log

ComboFix 09-01-17.01 - SUZ 2009-01-17 13:35:50.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.69 [GMT -6:00]

Running from: c:\documents and settings\SUZ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SUZ\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\System32\zlnwce.dll

c:\windows\Tasks\ISP signup reminder 3.job

c:\windows\Tasks\tbqzuerv.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Tasks\ISP signup reminder 3.job

c:\windows\Tasks\tbqzuerv.job

.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))

.

2009-01-17 11:18 . 2009-01-17 11:42 <DIR> d-------- c:\windows\SYSTEM32\CatRoot_bak

2009-01-15 19:04 . 2009-01-17 11:20 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg

2009-01-15 19:04 . 2009-01-15 19:04 <DIR> d-------- c:\program files\AVG

2009-01-15 19:04 . 2009-01-15 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-15 19:04 . 2009-01-15 19:04 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys

2009-01-15 19:04 . 2009-01-15 19:04 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll

2009-01-15 18:56 . 2008-06-13 07:10 272,128 --------- c:\windows\SYSTEM32\DLLCACHE\bthport.sys

2009-01-15 18:54 . 2008-09-04 10:42 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll

2009-01-15 18:54 . 2008-04-11 12:50 683,520 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll

2009-01-15 18:54 . 2008-10-24 05:10 453,632 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

2009-01-15 18:54 . 2008-12-11 05:57 333,184 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys

2009-01-15 18:54 . 2008-10-15 10:57 332,800 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

2009-01-15 18:54 . 2008-05-01 08:30 331,776 --------- c:\windows\SYSTEM32\DLLCACHE\msadce.dll

2009-01-15 18:54 . 2008-10-03 04:15 247,326 --------- c:\windows\SYSTEM32\DLLCACHE\strmdll.dll

2009-01-15 18:54 . 2008-05-08 06:28 202,752 --------- c:\windows\SYSTEM32\DLLCACHE\rmcast.sys

2009-01-15 18:53 . 2009-01-15 19:28 <DIR> d--h----- c:\windows\$hf_mig$

2009-01-15 18:31 . 2009-01-15 18:31 <DIR> d-------- c:\windows\provisioning

2009-01-15 18:31 . 2009-01-15 18:31 <DIR> d-------- c:\windows\peernet

2009-01-15 18:29 . 2009-01-15 18:29 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-15 18:26 . 2005-06-28 10:21 22,752 --a------ c:\windows\SYSTEM32\spupdsvc.exe

2009-01-15 18:23 . 2009-01-15 18:23 <DIR> d-------- c:\windows\EHome

2009-01-14 17:58 . 2009-01-14 18:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-14 17:58 . 2009-01-14 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-14 17:54 . 2009-01-15 19:20 <DIR> d-------- c:\documents and settings\SUZ\Application Data\U3

2009-01-14 17:37 . 2009-01-14 17:37 <DIR> d-------- c:\documents and settings\SUZ\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-14 17:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-14 17:20 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-01-14 17:20 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-01-14 17:18 . 2009-01-14 17:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3

2009-01-13 20:05 . 2009-01-13 20:05 <DIR> d-------- c:\program files\Trend Micro

2009-01-07 16:05 . 2009-01-07 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2009-01-07 15:56 . 2009-01-07 15:56 <DIR> d-------- c:\program files\Common Files\Scanner

2009-01-07 15:29 . 2009-01-07 15:29 1,264 --a------ c:\windows\SYSTEM32\lp

2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Viewpoint

2009-01-06 16:01 . 2009-01-06 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL

2009-01-06 15:59 . 2001-11-27 09:26 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-01-06 15:59 . 2001-11-27 09:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-01-06 15:59 . 2009-01-15 19:05 <DIR> d-------- c:\documents and settings\Administrator

2009-01-05 15:54 . 2009-01-14 17:34 <DIR> d-------- c:\documents and settings\SUZ\Application Data\Twain

2009-01-04 12:23 . 2009-01-04 12:23 238 --a------ c:\documents and settings\SUZ\xrt_log.dat

2009-01-03 08:13 . 2009-01-03 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP

2008-12-19 08:13 . 2008-12-19 08:21 56,726 --a------ c:\windows\SYSTEM32\cogpcwokpwia.dll-uninst.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 00:20 --------- d-----w c:\program files\Common Files\AOL

2009-01-03 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-01-03 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads

2008-12-12 17:33 3,060,224 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-05 22:15 18,603 ----a-w c:\documents and settings\SUZ\xrt_collect.zip

2008-11-08 00:32 2,109,440 ------w c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll

2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll

2008-10-23 13:01 283,648 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]

"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]

"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2000-06-07 794112]

"HostManager"="c:\program files\Common Files\AOL\1164669651\ee\AOLSoftware.exe" [2007-04-12 42032]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]

"WorksFUD"="c:\program files\Microsoft Works\Wkfud.exe" [2000-08-10 24576]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-15 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-09-16 82026]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-10 24633]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk

backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

--a------ 2000-08-10 12:00 311350 c:\program files\Microsoft Works\WKSSB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

--a------ 2000-08-10 12:00 28739 c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Optimum Online net guide]

--a------ 2007-01-13 12:23 1630208 c:\program files\Optimum Online\Netsurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-15 97928]

R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [2000-10-03 6942]

R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 231704]

R4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-08-06 28672]

S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [2001-11-27 281856]

S4 mrtRate;mrtRate; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4ecb236-e291-11dd-98b5-00038a000015}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optonline.net/

mStart Page = hxxp://smbusiness.dellnet.com/

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/v2.15/cab/aolpPlugins.10.6.0.8.cab

c:\windows\Downloaded Program Files\aolpPlugins.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-17 13:38:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)

c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(560)

c:\windows\system32\avgrsstx.dll

.

Completion time: 2009-01-17 13:41:23

ComboFix-quarantined-files.txt 2009-01-17 19:41:19

ComboFix2.txt 2009-01-17 17:57:46

Pre-Run: 12,275,789,824 bytes free

Post-Run: 12,260,397,056 bytes free

165 --- E O F --- 2009-01-16 01:28:43

MBAM Log

Malwarebytes' Anti-Malware 1.33

Database version: 1663

Windows 5.1.2600 Service Pack 2

1/17/2009 1:59:03 PM

mbam-log-2009-01-17 (13-59-03).txt

Scan type: Quick Scan

Objects scanned: 55631

Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:05:45 PM, on 1/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\DELLMMKB.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Common Files\AOL\1164669651\ee\AOLSoftware.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Netropa\OSD.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

c:\program files\common files\aol\1164669651\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Common Files\AOL\1164669651\EE\aolsoftware.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164669651\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} (AOL Newport Editor Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.8.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

--

End of file - 6643 bytes

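The entries a helper checks first in a log like the one above (orphaned "(no file)" objects, unresolved startup shortcuts, AppInit_DLLs, services with no recognised owner) can be picked out mechanically. The script below is an added example, not code from the thread or from HijackThis; it relies only on the "O<n> - " line shape of the HJT 2.0.2 log posted above, the review rules are common first-pass heuristics (an assumption, not HJT's own logic), and SAMPLE_HJT is a constructed subset of the posted log.

```python
"""Review pass over a HijackThis log.

Added example, not part of the thread or of HijackThis. It recognises the
'O<n> - ' line shape of the HJT 2.0.2 log posted above; the review rules
are first-pass heuristics and are an assumption. SAMPLE_HJT is a
constructed subset of the posted log.
"""
import re

SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# "O<section> - <body>" is the shape of every HJT item line.
ITEM_RE = re.compile(r"^(O\d+) - (.*)$")
# A COM class id in registry form: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def review(log_text):
    """Return (section, reason, line) for every line a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)"):
            # Registry still points at an object whose file is gone.
            findings.append((section, "orphan: registered object whose file is gone", line))
        elif section == "O4" and body.endswith("= ?"):
            # HJT could not resolve the shortcut target.
            findings.append((section, "startup shortcut whose target did not resolve", line))
        elif section == "O20":
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            findings.append((section, "AppInit_DLLs is loaded into every user32 process; confirm the DLL's owner", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service binary carries no recognised vendor; verify it by hash", line))
    return findings


def orphaned_clsids(log_text):
    """CLSIDs that never appear with a backing file: safe removal candidates."""
    backed = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        for clsid in CLSID_RE.findall(line):
            key = clsid.upper()
            # A CLSID is 'backed' as soon as any line shows a real file for it.
            backed[key] = backed.get(key, False) or not line.endswith("(no file)")
    return sorted(k for k, has_file in backed.items() if not has_file)


if __name__ == "__main__":
    for section, reason, line in review(SAMPLE_HJT):
        print(f"{section}: {reason}\n    {line}")
    print("orphaned CLSIDs:", orphaned_clsids(SAMPLE_HJT))
```

On the sample, the AOL Toolbar CLSID is reported as orphaned because both of its lines (O3 and O9) end in "(no file)", while the Spybot CLSID is not, because its O2 line still names an existing DLL. The O20 and O23 hits are prompts to verify, not verdicts: in this thread's ComboFix log the AppInit DLL is AVG's, and the "Unknown owner" service is the Netropa keyboard helper.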

Hi beasting

Please go to: VirusTotal

  • In the middle of the page you'll find a "Browse" button.
    Click the "Browse" button and browse to this file in RED:
    c:\documents and settings\SUZ\xrt_collect.zip
  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.

Once done

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Sorry it took so long. The Kaspersky scan stopped after awhile so I had to restart it.

Virus Total Log

File xrt_collect.zip received on 01.17.2009 21:51:34 (CET)

Antivirus / Version / Last Update / Result

a-squared 4.0.0.73 2009.01.17 -

AhnLab-V3 2009.1.15.0 2009.01.17 -

AntiVir 7.9.0.57 2009.01.17 -

Authentium 5.1.0.4 2009.01.17 -

Avast 4.8.1281.0 2009.01.16 -

AVG 8.0.0.229 2009.01.17 -

BitDefender 7.2 2009.01.17 -

CAT-QuickHeal 10.00 2009.01.17 -

ClamAV 0.94.1 2009.01.17 -

Comodo 934 2009.01.17 -

DrWeb 4.44.0.09170 2009.01.17 -

eSafe 7.0.17.0 2009.01.15 -

eTrust-Vet 31.6.6312 2009.01.17 -

F-Prot 4.4.4.56 2009.01.17 -

Fortinet 3.117.0.0 2009.01.15 -

GData 19 2009.01.17 -

Ikarus T3.1.1.45.0 2009.01.17 -

K7AntiVirus 7.10.594 2009.01.17 -

Kaspersky 7.0.0.125 2009.01.17 -

McAfee 5498 2009.01.17 -

McAfee+Artemis 5498 2009.01.17 -

Microsoft 1.4205 2009.01.17 -

NOD32 3773 2009.01.17 -

Norman 5.93.01 2009.01.16 -

nProtect 2009.1.8.0 2009.01.16 -

Panda 9.5.1.2 2009.01.17 -

PCTools 4.4.2.0 2009.01.17 -

Rising 21.12.52.00 2009.01.17 -

SecureWeb-Gateway 6.7.6 2009.01.17 -

Sophos 4.37.0 2009.01.17 -

Sunbelt 3.2.1835.2 2009.01.16 -

TheHacker 6.3.1.5.221 2009.01.17 -

TrendMicro 8.700.0.1004 2009.01.16 -

VBA32 3.12.8.10 2009.01.17 -

ViRobot 2009.1.17.1563 2009.01.17 -

VirusBuster 4.5.11.0 2009.01.17 -

Additional information

File size: 18603 bytes

MD5...: 4bff0f83a9b417199638cd4127982c61

SHA1..: dca810d194db1637f59472b4118b9b7e0267dec9

SHA256: f0311c44ae1610a6d7b1cf23d666ecfe451c81c7f93624263feece0d53d38c48

SHA512: 99441744f2fe8be202bccb9242ca96e5654c784853df2bfa56f89ae74115941313bc80c0d1b47c23c868f9985b9da573aa081c27590cb5bffb8f6828f398f95b

ssdeep: 96:/SbnRhfqLSWSq83+OVtg7d3TGiYQ1XCH0HnOmd+UN9EpqcXrVtiyct3SSS/tGw1O:/EJqLjkRM9itQ9cDq8VEyct37yThdaXL

PEiD..: -

TrID..: File type identification
        ZIP compressed archive (99.8%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

PEInfo: -

Kaspersky Log

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, January 17, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, January 17, 2009 21:33:49

Records in database: 1638606

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

Scan statistics:

Files scanned: 47035

Threat name: 15

Infected objects: 17

Suspicious objects: 0

Duration of the scan: 01:43:35

File name / Threat name / Threats count

C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\Program Files\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038932.dll Infected: Trojan.Win32.Monder.agwe 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038935.dll Infected: Trojan.Win32.Agent.aykk 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038936.dll Infected: Trojan.Win32.Small.brl 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038938.dll Infected: Packed.Win32.PolyCrypt.d 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038939.dll Infected: Trojan-Downloader.Win32.Mutant.bqt 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038940.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038941.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ftx 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP115\A0041081.exe Infected: Hoax.Win32.SpywareGuard2008.c 1

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP115\A0041085.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic 1

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\33YNIKHV\refresh[1].exe Infected: Trojan-Dropper.Win32.Small.cim 1

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\44YC7OL5\patch[1].exe Infected: Trojan-Dropper.Win32.Small.cjl 1

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G75JRLLX\patch2[1].exe Infected: Trojan-Dropper.Win32.Small.cji 1

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G75JRLLX\patch[1].exe Infected: Trojan-Dropper.Win32.Small.ckk 1

C:\WINDOWS\SYSTEM32\nsupdate.dll.virus Infected: Trojan-Downloader.Win32.Dyfuca.bn 1

The selected area was scanned.


Hi there

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download OTMoveIt3 by OldTimer.

Save it to your desktop.

Double-click on OTMoveIt3.exe

Using notepad copy the lines in the codebox below:

:Processes

explorer.exe

:Services

:Reg

:Files

C:\WINDOWS\SYSTEM32\nsupdate.dll

c:\windows\System32\zlnwce.dll

c:\windows\SYSTEM32\cogpcwokpwia.dll-uninst.exe

C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe

C:\Program Files\AOL Toolbar\toolbar.dll

C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe

:Commands

[purity]

[emptytemp]

[start explorer]

[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

Close OTMoveIt3

Update me on how things are running now

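The reply above turns the Kaspersky report into an OTMoveIt file list by hand: restore-point copies are left for the restore-point purge, cache droppings for the temp sweep, and only live binaries get explicit entries. The script below does that triage mechanically. It is an added example, not code from the thread, from Kaspersky or from OTMoveIt; it relies only on the per-file line shape visible in the posted report ("<path> Infected: <threat> <count>"), the folder meanings in classify() are clean-up conventions and an assumption, the OTMoveIt directive semantics are taken from the log posted in the next reply, and SAMPLE_REPORT is a constructed subset of the posted report.

```python
"""Triage of a Kaspersky Online Scanner report into an action list.

Added example, not part of the thread or of any tool it mentions. It relies
only on the per-file line shape of the posted report; the folder meanings
in classify() and the OTMoveIt directive semantics are assumptions.
SAMPLE_REPORT is a constructed subset of the posted report.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Infected objects: 4
C:\Program Files\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP103\A0038932.dll Infected: Trojan.Win32.Monder.agwe 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\33YNIKHV\refresh[1].exe Infected: Trojan-Dropper.Win32.Small.cim 1
C:\WINDOWS\SYSTEM32\nsupdate.dll.virus Infected: Trojan-Downloader.Win32.Dyfuca.bn 1
The selected area was scanned.
"""

# One report line per detected file: path, threat label, hit count.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def classify(path):
    """Bucket a reported path by what its location implies for clean-up."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        # Copies swept into System Restore points: inert unless a point is
        # restored, so they are dealt with by purging restore points rather
        # than by deleting files one at a time.
        return "restore_point"
    if "\\temporary internet files\\" in p or "\\temp\\" in p:
        # Browser cache / temp droppings: cleared by a temp-folder sweep.
        return "temp_cache"
    if p.endswith(".virus"):
        # Already renamed (disarmed) by an earlier tool. It has to be removed
        # under its current name, suffix included, or the removal tool will
        # report the file as not found.
        return "disarmed"
    if "\\program files\\" in p or "\\windows\\" in p:
        # Binaries that can still load: these need an explicit removal.
        return "live"
    return "other"


def triage(report_text):
    """Parse the report and group (path, threat) pairs by bucket."""
    buckets = defaultdict(list)
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            buckets[classify(m["path"])].append((m["path"], m["threat"]))
    return dict(buckets)


def removal_list(report_text):
    """Paths that warrant an explicit move/delete entry, exactly as reported."""
    b = triage(report_text)
    return [path for path, _ in b.get("live", []) + b.get("disarmed", [])]


def otmoveit_script(paths):
    """Render an OTMoveIt3 script in the layout used in the thread.

    Assumed directive semantics (from the posted OTMoveIt log): explorer.exe
    under :Processes is killed first, [emptytemp] sweeps temp folders,
    [start explorer] restarts the shell, [Reboot] restarts the machine.
    """
    lines = [":Processes", "explorer.exe", ":Files", *paths,
             ":Commands", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, len(items))
    print(otmoveit_script(removal_list(SAMPLE_REPORT)))
```

Run on the sample, the restore-point and cache hits never reach the file list, and the disarmed nsupdate.dll.virus is emitted under the name the scanner reported, which is the name a file-move tool will find on disk.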

Good morning sjb007

It looks like Windows loads up a little fast. I see a few problems with OTMoveIt in the log. I'm going to install some windows updates while I wait for your next reply.

OTMoveIt Log

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

File/Folder C:\WINDOWS\SYSTEM32\nsupdate.dll not found.

File/Folder c:\windows\System32\zlnwce.dll not found.

c:\windows\SYSTEM32\cogpcwokpwia.dll-uninst.exe moved successfully.

C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe moved successfully.

C:\Program Files\AOL Toolbar\toolbar.dll unregistered successfully.

C:\Program Files\AOL Toolbar\toolbar.dll moved successfully.

C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe moved successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_678.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01182009_091558

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.

File C:\WINDOWS\temp\Perflib_Perfdata_678.dat not found!


Hi there beasting

"I see a few problems with OTMoveIt in the log"

Looks good to me, the items which it could not delete will be deleted on reboot. From what I see your logs appear free from malware.

Lets tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.

Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHOs (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects. ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files from your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan on demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run as free without a licence, but the background protection will not be active.

Secure your router

Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.
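To verify the six Internet-zone settings listed above without clicking through the dialog each time, here is an added audit script (my example, not part of the post): it compares the Internet zone (zone 3) registry action values against the recommended levels. The action IDs and the 0/1/3 (Enable/Prompt/Disable) meanings are the ones Microsoft documents for IE zone registry entries; the sample snapshot is constructed, and the live read via `winreg` only works on Windows.

```python
"""Audit Internet Explorer Internet-zone (zone 3) settings against the post's
recommendations.  Added example, not from the post.  Action IDs and levels
follow Microsoft's documented zone registry layout under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
where each action is a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable."""

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# The six settings from the post, keyed by registry action ID.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed snapshot of a machine that has not yet been hardened.
SAMPLE_SNAPSHOT = {"1001": 0, "1004": 3, "1201": 3, "1800": 1, "1804": 0, "1607": 0}


def read_zone3_from_registry():
    """Read the current user's zone 3 action values (Windows only)."""
    import winreg  # Windows-only module; imported lazily so the audit runs elsewhere
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for action in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, action)
                values[action] = int(data)
            except FileNotFoundError:
                pass  # reported by audit_zone3 as "not set"
    return values


def audit_zone3(values):
    """Return (action_id, description, current, wanted) for every setting that
    differs from the post's recommendation; unset actions report current=None."""
    findings = []
    for action, (desc, wanted) in RECOMMENDED.items():
        current = values.get(action)
        if current != wanted:
            findings.append((action, desc, current, wanted))
    return findings


if __name__ == "__main__":
    for action, desc, current, wanted in audit_zone3(SAMPLE_SNAPSHOT):
        print(f"{action} {desc}: is {LEVEL_NAMES[current]}, should be {LEVEL_NAMES[wanted]}")
```

On the machine being cleaned, replace `SAMPLE_SNAPSHOT` with `read_zone3_from_registry()` to audit the real settings.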


Hi there

ATF is a handy tool to keep for clearing out unwanted garbage from your system; it is up to you whether you keep it or not. Regarding OTMoveIt3 - Open the program and click on the CleanUp! button, then reboot your computer when requested. That should take care of the remainder of the things that are left.
