Trojan Removal Assistance


13 replies to this topic

#1 Hawkfan (Newbie, Members, 9 posts)

Posted 18 January 2007 - 12:51 AM

Hi,

I have viruses/trojans on my PC.

I have used SUPERAntiSpyware, Ad-Aware SE and Avast to remove most of them.

I will post logs from the programs below.

I seem to have gotten most of the infections off my computer.

I still have a virus sending Internet mail through my PC; I can see it sending through Avast's on-access scanner.

Please help me.

Thanks

Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, January 17, 2007 11:50:54 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R145 17.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-17-2007 11:50:54 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 1-17-2007 6:53:51 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 1-17-2007 6:54:02 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 1-17-2007 6:54:04 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 1-17-2007 6:54:05 PM
BasePriority : Normal
FileVersion : 5.00.2195.7035
ProductVersion : 5.00.2195.7035
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 1-17-2007 6:54:05 PM
BasePriority : Normal
FileVersion : 5.00.2195.7011
ProductVersion : 5.00.2195.7011
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 396
ThreadCreationTime : 1-17-2007 6:54:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 468
ThreadCreationTime : 1-17-2007 6:54:38 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 476
ThreadCreationTime : 1-17-2007 6:54:38 PM
BasePriority : Normal
FileVersion : 5.00.2195.7059
ProductVersion : 5.00.2195.7059
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:9 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 592
ThreadCreationTime : 1-17-2007 6:54:46 PM
BasePriority : Normal


#:10 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 608
ThreadCreationTime : 1-17-2007 6:54:46 PM
BasePriority : High
FileVersion : 4, 7, 936, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswServ.exe

#:11 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 628
ThreadCreationTime : 1-17-2007 6:54:48 PM
BasePriority : Normal
FileVersion : 3.6.1 (Rel)
ProductVersion : 3.6.1 (Rel)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2002 Cisco Systems, Inc.
OriginalFilename : CVPND.EXE

#:12 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 652
ThreadCreationTime : 1-17-2007 6:54:57 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:13 [ntrtscan.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 692
ThreadCreationTime : 1-17-2007 6:54:58 PM
BasePriority : Normal
FileVersion : 5.58.0.1063
ProductVersion : 5.58
ProductName : Trend Micro OfficeScan
CompanyName : Trend Micro Inc.
LegalCopyright : Copyright © 1999-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro, Inc.

#:14 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 748
ThreadCreationTime : 1-17-2007 6:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:15 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 808
ThreadCreationTime : 1-17-2007 6:54:59 PM
BasePriority : Normal
FileVersion : 4.71.2195.6972
ProductVersion : 4.71.2195.6972
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:16 [tmlisten.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 856
ThreadCreationTime : 1-17-2007 6:55:00 PM
BasePriority : Normal


#:17 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 940
ThreadCreationTime : 1-17-2007 6:55:02 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:18 [winvnc4.exe]
FilePath : C:\Program Files\RealVNC\VNC4\
ProcessID : 948
ThreadCreationTime : 1-17-2007 6:55:09 PM
BasePriority : Normal
FileVersion : 4.0
ProductVersion : 4.0
ProductName : VNC Server 4.0
CompanyName : RealVNC Ltd.
FileDescription : VNC Server for Win32
InternalName : WinVNC 4.0
LegalCopyright : Copyright © RealVNC Ltd. 2002-2004
LegalTrademarks : RealVNC
OriginalFilename : winvnc4.exe

#:19 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1064
ThreadCreationTime : 1-17-2007 6:55:12 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:20 [ofcdog.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 1228
ThreadCreationTime : 1-17-2007 6:55:36 PM
BasePriority : Normal


#:21 [ashmaisv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 1232
ThreadCreationTime : 1-17-2007 6:55:36 PM
BasePriority : Normal


#:22 [ashwebsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 1252
ThreadCreationTime : 1-17-2007 6:55:43 PM
BasePriority : Normal


#:23 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1260
ThreadCreationTime : 1-17-2007 6:55:43 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:24 [igfxtray.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1152
ThreadCreationTime : 1-17-2007 6:55:59 PM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:25 [hkcmd.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1136
ThreadCreationTime : 1-17-2007 6:55:59 PM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:26 [pccntmon.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 1516
ThreadCreationTime : 1-17-2007 6:55:59 PM
BasePriority : Normal
FileVersion : 5.58.0.1063
ProductVersion : 5.58
ProductName : Trend Micro OfficeScan
CompanyName : Trend Micro Inc.
FileDescription : I/O Monitor
InternalName : PCCNTMON
LegalCopyright : Copyright © 1999-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro, Inc.
OriginalFilename : PCCNTMON.EXE

#:27 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1524
ThreadCreationTime : 1-17-2007 6:55:59 PM
BasePriority : Normal
FileVersion : 7.1.3
ProductVersion : QuickTime 7.1.3
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:28 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1556
ThreadCreationTime : 1-17-2007 6:56:01 PM
BasePriority : Normal
FileVersion : 7.0.2.16
ProductVersion : 7.0.2.16
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:29 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\Avast4\
ProcessID : 1564
ThreadCreationTime : 1-17-2007 6:56:01 PM
BasePriority : Normal
FileVersion : 4, 7, 936, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswDisp.exe

#:30 [upnp.exe]
FilePath : C:\winnt\system32\
ProcessID : 1572
ThreadCreationTime : 1-17-2007 6:56:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180
ProductVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductName : upnp manager Microcoft® Windows®
CompanyName : Microcoft Corporation
FileDescription : upnp manager
InternalName : unker
LegalCopyright : © Microcoft Corporation. All rights reserved
LegalTrademarks : Microsoft ®
OriginalFilename : unker.EXE

#:31 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 1648
ThreadCreationTime : 1-17-2007 6:56:08 PM
BasePriority : Normal
FileVersion : 7.0.2.16
ProductVersion : 7.0.2.16
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:32 [wf_scheduler.exe]
FilePath : C:\Program Files\AceBIT\WISE-FTP\
ProcessID : 1692
ThreadCreationTime : 1-17-2007 6:56:09 PM
BasePriority : Normal
FileVersion : 3.0.0.7
ProductVersion : 3.0.0.7
CompanyName : AceBIT GmbH
LegalCopyright : © 1998-2003 by AceBIT GmbH

#:33 [superantispyware.exe]
FilePath : C:\Program Files\SUPERAntiSpyware\
ProcessID : 1668
ThreadCreationTime : 1-17-2007 6:56:13 PM
BasePriority : Normal
FileVersion : 3, 5, 0, 1016
ProductVersion : 3, 5, 0, 1016
ProductName : SUPERAntiSpyware
CompanyName : SUPERAntiSpyware.com
FileDescription : SUPERAntiSpyware
InternalName : SUPERAntiSpyware
LegalCopyright : Copyright © 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com
OriginalFilename : SUPERAntiSpyware.exe

#:34 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ProcessID : 1272
ThreadCreationTime : 1-17-2007 6:56:30 PM
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2001 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:35 [googletoolbarnotifier.exe]
FilePath : C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\
ProcessID : 1144
ThreadCreationTime : 1-17-2007 7:09:00 PM
BasePriority : Normal
FileVersion : 1, 2, 908, 5008
ProductVersion : 1, 2, 908, 5008
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright © 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe

#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 992
ThreadCreationTime : 1-17-2007 7:30:15 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:37 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 2688
ThreadCreationTime : 1-17-2007 7:50:00 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : kylem@revsci[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:kylem@revsci.net/
Expires : 1-12-2027 11:31:10 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

11:55:58 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:04.547
Objects scanned:88376
Objects identified:1
Objects ignored:0
New critical objects:1



*** Next ***

SUPERAntiSpyware Scan Log
Generated 01/17/2007 at 10:50 AM

Application Version : 3.5.1016

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Scan type : Complete Scan
Total Scan Time : 00:44:17

Memory items scanned : 347
Memory threats detected : 4
Registry items scanned : 3749
Registry threats detected : 24
File items scanned : 36213
File threats detected : 181

Trojan.Downloader-Gen/Win
C:\WINNT\SYSTEM32\KERNELS88.EXE
C:\WINNT\SYSTEM32\KERNELS88.EXE
[System] C:\WINNT\SYSTEM32\KERNELS88.EXE

Trojan.VXGame-Gen
C:\WINNT\SYSTEM32\DLH9JKD1Q2.EXE
C:\WINNT\SYSTEM32\DLH9JKD1Q2.EXE
C:\WINNT\SYSTEM32\DLH9JKD1Q6.EXE
C:\WINNT\SYSTEM32\DLH9JKD1Q6.EXE
C:\WINNT\SYSTEM32\DLH9JKD1Q7.EXE
C:\WINNT\SYSTEM32\DLH9JKD1Q7.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\2.DLLB
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\6.DLLB
C:\WINNT\SYSTEM32\VXG6AME4.EXE
C:\WINNT\SYSTEM32\VXGA1ME4T1.EXE
C:\WINNT\SYSTEM32\VXGA4ME1.EXE

Trojan.Downloader-Gen/MultiBot
[WinUpgrade] C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\130406.EXE
C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\130406.EXE
[WinUpdate] C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\131546.EXE
C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\131546.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\12038593.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\12038734.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\129296.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\130406.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\131546.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152125.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152343.EXE
C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152531.EXE

Trojan.Downloader-WS2F
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\WINSYS2F.DLL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Asynchronous

Adware.Tracking Cookie
C:\Documents and Settings\Tfrench\Cookies\kylem@25513229[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@bluestreak[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ads.cnn[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@sales.liveperson[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-chartercommunications.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adopt.euroclick[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@t4.trackalyzer[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@onlinerewardcenter[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adserver.pollstar[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@mediaplex[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@tacoda[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adbrite[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adknowledge[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@azoogleads[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@overture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@77090012[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@buycom.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@perf.overture[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@statse.webtrendslive[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@anad.tacoda[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@tripod[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adrevolver[3].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@serving-sys[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@cgi-bin[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adrevolver[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@fastclick[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@atdmt[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@edge.ru4[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@casalemedia[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@advertising[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ad[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@as-us.falkag[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@1069551092[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@44153975[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-accuweather.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@1072696478[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@azjmp[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adlegend[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-esignal.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@www.upspiral[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@stats1.reliablestats[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ads.belointeractive[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@revenue[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@tribalfusion[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adinterax[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@86845467[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@a.websponsors[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@phg.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@gmgmacfs.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@dowjones.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@interclick[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-bizjournals.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@vhost.oddcast[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-tigerdirect2.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@cbs.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@host.oddcast[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@tracking.foxnews[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-aig.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@rrpartners.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@1072707690[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@www.serials[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-inforspaceinc.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@nasdaq.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@mb[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@riskwaters[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@realmedia[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@c.goclick[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@statcounter[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjnyogazcdp.stats.esomniture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@rambler[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@msnportal.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@dealtime[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@doubleclick[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@login.tracking101[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@stats4u.traffic4u[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ads.pointroll[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-verizon.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@atwola[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@www.windowsmedia[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ad.yieldmanager[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@oddcast[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@zedo[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjlyclcjiap.stats.esomniture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@nextag[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adopt.specificclick[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@wrigley.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@maxserving[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@offers.intermediainteractive[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@stat.dealtime[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@belnk[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ads.monster[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@pt.crossmediaservices[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-traderpublishing.hitbox[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ads.addynamix[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ford.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@kanoodle[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@revsci[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@server.iad.liveperson[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@anheuserbusch.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@qnsr[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@cnn.122.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@questionmarket[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjkyknajahp.stats.esomniture[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@trafficmp[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@counter.surfcounters[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjl4knajgco.stats.esomniture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@gostats[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-salomon.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjlooodjehp.stats.esomniture[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjkochc5ago.stats.esomniture[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@yadro[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@c2.zedo[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@1070041844[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@clickauditor[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@toplist[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@anat.tacoda[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@76226072[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-verizonwireless.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@p[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@risk[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@usenext[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@counter.hitslink[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@www.dealtime[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@z1.adserver[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@ehg-newegg.hitbox[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@tradedoubler[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@paypal.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wfkygkczglp.stats.esomniture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@adtech[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@stat.onestat[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@58154541[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@1072704879[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@e-2dj6wjkoaidjsgp.stats.esomniture[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@roiservice[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@40715998[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@coolsavings[1].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@mb[2].txt
C:\Documents and Settings\Tfrench\Cookies\kylem@partner2profit[1].txt
C:\Documents and Settings\Administrator.WENATCHEE\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@2o7[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@ads.pointroll[2].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@advertising[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@atdmt[2].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@atwola[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@doubleclick[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@kanoodle[2].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@mediaplex[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@msnportal.112.2o7[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@perf.overture[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@questionmarket[1].txt
C:\Documents and Settings\Tfrench\Local Settings\Temp\Cookies\kylem@zedo[2].txt

Adware.SideStep Toolbar
HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\InprocServer32
HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\InprocServer32#ThreadingModel
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32#ThreadingModel

Trojan.BraveSentry
C:\Program Files\BraveSentry\BraveSentry.exe
C:\Program Files\BraveSentry\BraveSentry.lic
C:\Program Files\BraveSentry\Uninstall.exe
C:\Program Files\BraveSentry

Trojan.Haxdoor-P79
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Asynchronous
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#MaxWait
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#2sksid

Trojan.Downloader/SmitF
C:\WINNT\DESKTOP.HTML

Trojan.Unknown Origin
C:\WINNT\SYSTEM32\VX.TLL

#2 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 18 January 2007 - 09:12 AM

Hello, Hawkfan & Welcome

Nice work


Please download HijackThis v1.99.1 from the following link:
http://www.merijn.or.../hijackthis.zip

Then, create a folder like: C:\Program Files\HijackThis, or, if you want to keep it on the Desktop, right click an empty area, select New>Folder, name the folder HijackThis, and place the program in it.

Run the program, and click on the Scan button

When the Scan finishes click: Save Log
The log opens in Notepad
Click on: Edit>Select All
Click on: Edit>Copy, and then Paste the log in your reply

Please do not fix anything showing up on the log. Just have the program create it, and copy/paste it to this thread.


Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#3 Hawkfan

Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 18 January 2007 - 05:10 PM

Hi

Ok here it is.

Logfile of HijackThis v1.99.1
Scan saved at 08:51, on 07-01-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\winnt\system32\upnp.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\services.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [] -HideWindow
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com...p?pid=loadercab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Edited by Hawkfan, 18 January 2007 - 05:27 PM.


#4 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 18 January 2007 - 09:22 PM

Hi, Hawkfan

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

============

View hidden files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

============

Restart your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Login on your usual account.
If you need further assistance with Safe Mode, see Symantec

============

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
O4 - HKLM\..\Run: [] -HideWindow

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

============

Next, please find and delete the following files/folders (if present):
c:\winnt\system32\upnp.exe<---This file
C:\DOCUME~1\Tfrench\LOCALS~1\Temp\<---Clean out this folder; don't delete the folder itself

============

Clean out your Temporary Internet files.
Internet Explorer
Close Internet Explorer and close any instances of Windows Explorer.
Click Start -> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Firefox (In case you also have Firefox installed)
Open Firefox and go to Tools -> Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
a. Change the Download signed ActiveX controls to Prompt
b. Change the Download unsigned ActiveX controls to Disable
c. Change the Initialize and script ActiveX controls not marked as safe to Disable
d. Change the Installation of desktop items to Prompt
e. Change the Launching programs and files in an IFRAME to Prompt
f. Change the Navigate sub-frames across different domains to Prompt
g. When all these settings have been made, click on the OK button.
h. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.


===========

Then do a reboot and do this for me and show me a new HijackThis logfile.

Please download Rootkit Revealer
http://www.sysintern...itrevealer.html

(link is at the very bottom of the page)
Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything else while it's running - leave the PC idle during the scan)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


Gogo :P
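To show mechanically why the three O4 lines above stand out from the rest of the log, here is an added Python example (not HijackThis code and not part of the helper's instructions) that parses the Run/RunOnce O4 lines of a HijackThis log and flags entries with an empty value name, entries whose program runs from a Temp folder, and the two paths the helper named for removal in this thread. The sample lines are copied from the log posted above; the THREAD_FLAGGED set, the heuristic names and the RunEntry type are my own.

```python
"""Triage of HijackThis O4 (autostart) lines.

Added example for this thread, not part of HijackThis or of the helper's
instructions. It reproduces, as code, the judgement behind the three O4
lines the helper asked the poster to fix.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted above,
# benign and suspicious ones mixed, as they appear in the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [] -HideWindow
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Paths the helper in this thread singled out for removal (taken from the
# page; lower-cased because Windows paths are case-insensitive).
THREAD_FLAGGED = {
    r"c:\winnt\system32\upnp.exe",
    r"c:\docume~1\tfrench\locals~1\temp\12038156.exe",
}

# Shape of a registry autostart line: O4 - <hive>\..\<Run|RunOnce>: [<name>] <command>
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] ?(.*)$")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def executable(self) -> str:
        """Program part of the command line: a quoted path, an unquoted path
        ending in a program extension, or else just the first token."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
        return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_run_entries(log_text: str) -> list:
    """Pick the Run/RunOnce O4 lines out of a HijackThis log (Global Startup
    .lnk lines use a different shape and are left out here)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def triage(entry: RunEntry) -> list:
    """Return the reasons an autostart entry deserves a closer look."""
    exe = entry.executable.lower()
    reasons = []
    if entry.name == "":
        # Installers name their Run values; a nameless value is unusual.
        reasons.append("empty value name")
    if re.search(r"\\temp\\", exe):
        # Nothing legitimate needs to autostart from a temporary folder.
        reasons.append("runs from a Temp folder")
    if exe in THREAD_FLAGGED:
        reasons.append("listed for removal by the helper in this thread")
    return reasons


def suspicious_entries(log_text: str) -> list:
    """All Run entries that collect at least one triage reason."""
    flagged = []
    for entry in parse_run_entries(log_text):
        entry.reasons = triage(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key}: [{e.name}] {e.command}")
        for reason in e.reasons:
            print(f"    - {reason}")
```

Run against the sample, it reports exactly the three entries the helper checked: the nameless `-HideWindow` value, `upnp.exe`, and the `12038156.exe` file in the user's Temp folder.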


#5 Hawkfan

Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 18 January 2007 - 10:43 PM

Hi,

OK, I followed your instructions to a T.

I rebooted and ran HijackThis and RootkitRevealer.

Here are the logs.

***RootkitRevealer***

HKU\.DEFAULT\Control Panel\International 1/17/2007 2:33 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 4/1/2004 9:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/1/2004 9:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:da7bd468-d998-4c51-a7e0-f6d21b3c7898* 4/1/2004 9:13 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 1/17/2007 2:33 PM 0 bytes Security mismatch.

***HIJACKTHIS***
Logfile of HijackThis v1.99.1
Scan saved at 13:49, on 07-01-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [] -HideWindow
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com...p?pid=loadercab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#6 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 18 January 2007 - 11:09 PM

Hi, Hawkfan


Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

Files to delete:
c:\winnt\system32\upnp.exe
C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

=============

Please download ComboFix and save it to your desktop.

Double click combofix.exe and follow the prompts.

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Gogo :P


#7 Hawkfan

Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 19 January 2007 - 12:45 AM

Hi,

OK, I have the logs from Avenger, HijackThis, and ComboFix below.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cvcktvos

*******************

Script file located at: \??\C:\WINNT\hlmutjux.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\winnt\system32\upnp.exe not found!
Deletion of file c:\winnt\system32\upnp.exe failed!

Could not process line:
c:\winnt\system32\upnp.exe
Status: 0xc0000034



File C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe not found!
Deletion of file C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe failed!

Could not process line:
C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1
Scan saved at 16:01, on 07-01-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [] -HideWindow
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com...p?pid=loadercab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)




"kylem" - Thu 2007-01-18 16:04:43 Service Pack 4
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Tfrench\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-18 to 2007-01-18 ))))))))))))))))))))))))))))))))))


2007-01-18 15:58 0 --a------ C:\backup.reg
2007-01-18 15:58 <DIR> d-------- C:\avenger
2007-01-18 15:54 126,976 --a------ C:\zip.exe
2007-01-17 14:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-17 13:35 <DIR> d-------- C:\Program Files\SpywareBot
2007-01-17 11:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-17 11:26 0 --a------ C:\WINNT\STANDARD_MONITOR_DRIVER_UNSIGNED.EXE
2007-01-17 11:26 0 --a------ C:\WINNT\STANDARD_MONITOR_DRIVER_SIGNED_W2K.EXE
2007-01-17 10:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-17 10:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-17 10:01 <DIR> d-------- C:\DOCUME~1\Tfrench\Application Data\SUPERAntiSpyware.com
2007-01-17 10:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-16 19:50 <DIR> d--h----- C:\WINNT\PIF
2007-01-16 18:51 91,110 --a------ C:\WINNT\u2.exe
2007-01-16 18:51 3,072 --a------ C:\WINNT\system32\p81eskse.sys
2007-01-16 18:51 10,789 --a------ C:\WINNT\system32\pasksa.dll
2007-01-16 18:51 10,137 --a------ C:\WINNT\i2.exe
2007-01-16 18:22 94,424 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-01-16 18:22 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-01-16 18:22 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-01-16 18:22 31,560 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-01-16 18:22 23,352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-01-16 18:21 90,112 --a------ C:\WINNT\system32\AVASTSS.scr
2007-01-16 18:21 689,280 --a------ C:\WINNT\system32\aswBoot.exe
2007-01-16 18:21 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2007-01-16 18:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-16 17:41 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Help
2007-01-16 13:51 425,984 --a------ C:\WINNT\system32\wodKeys.dll
2007-01-16 13:51 385,024 --a------ C:\WINNT\system32\wodSFTP.dll
2007-01-16 13:51 1,079,808 --a------ C:\WINNT\system32\we.dll
2007-01-16 13:51 <DIR> d-------- C:\Program Files\AceBIT
2007-01-15 13:24 <DIR> d-------- C:\DOCUME~1\Kallie\Application Data\U3
2007-01-10 10:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2007-01-10 09:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL
2007-01-10 09:57 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-01-10 09:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-18 15:58 -------- d-------- C:\Program Files\steam
2007-01-18 13:14 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\event
2007-01-17 11:50 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\lavasoft
2007-01-17 11:36 -------- d-------- C:\Program Files\aim
2007-01-17 11:36 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\aim
2007-01-17 10:57 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\skype
2007-01-16 17:41 7952 --a------ C:\WINNT\system32\svchost.exe
2007-01-16 13:51 -------- d--h----- C:\Program Files\installshield installation information
2007-01-10 13:31 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\apple computer
2007-01-02 15:31 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\adobeum
2006-12-07 17:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"Wise-FTP Scheduler"="C:\\Program Files\\AceBIT\\WISE-FTP\\WF_Scheduler.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"realsched.exe\" -osboot"
@=" -HideWindow"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Wise-FTP Scheduler"=""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"upp"="c:\\winnt\\system32\\upnp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"="C:\\WINNT\\TEMP\\9571812.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job

Completion time: Thu 2007-01-18 16:06:47
C:\ComboFix2.txt ... 07-01-17 14:33

#8 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 19 January 2007 - 02:41 AM

Hey, Hawkfan


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

============


Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4! Don't copy the word "quote".)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"upp"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"=-


Save this as fix.reg. Choose to save as *all files, and place it on your Desktop.
It should look like this: [image: reg.gif]
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.


============

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


Gogo :)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.
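As an added example (not from this thread, and not code from ComboFix, SDFix or any other tool named here), the Python below applies the same reading the advisor gave the ComboFix "Reg Loading Points" section: it parses that format, flags autostart entries a defender would want to look at, and writes a REGEDIT4 removal file in the same "name"=- form as fix.reg above. The sample excerpt is constructed from entries in the thread's log; the heuristics are assumptions, and the decision to drop "upp" is the advisor's judgement, not something the heuristics derive.

```python
import re
# Constructed excerpt in the ComboFix "Reg Loading Points" format (entries from the thread's log).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"realsched.exe\" -osboot"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
@=" -HideWindow"
"Wise-FTP Scheduler"=""
"upp"="c:\\winnt\\system32\\upnp.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"="C:\\WINNT\\TEMP\\9571812.exe"
'''
HKLM_RUN = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run"
HKU_DEF_RUN = r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run"
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
VAL_RE = re.compile(r'^(?:"([^"]+)"|@)="(.*)"$')  # "name"="data" or @="data"
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|cmd))\b', re.IGNORECASE)

def parse_loading_points(text):
    """Yield (key, value_name, data) for every value listed under a key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VAL_RE.match(line)
        if v and key:  # undo .reg escaping (\\ -> \, \" -> ") in one pass
            yield key, v.group(1) or "(Default)", re.sub(r'\\(.)', r'\1', v.group(2))

def executable(data):
    """Program a Run value launches, or None when the data is not a command."""
    m = EXE_RE.match(data.strip())
    return m.group(1) if m else None

def assess(key, path):
    """Reasons a defender would look at this entry (assumed heuristics, not the tool's)."""
    p, k = path.lower(), key.lower()
    reasons = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        reasons.append("launched from a temporary directory")
    if k.startswith("hkey_users\\.default\\") and k.endswith("\\run"):
        reasons.append("autostart under HKEY_USERS\\.DEFAULT, not a real user's hive")
    if "\\" not in p:
        reasons.append("bare file name, resolved through the PATH search order")
    return reasons

def triage(text):
    """Map (key, value_name) -> (executable, reasons) for values that start a program."""
    found = ((k, n, executable(d)) for k, n, d in parse_loading_points(text))
    return {(k, n): (p, assess(k, p)) for k, n, p in found if p}

def build_fix(removals):
    """REGEDIT4 text deleting the chosen values ("name"=- removes a value on merge)."""
    lines = ["REGEDIT4", ""]
    for key, name in removals:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    for (key, name), (path, why) in triage(SAMPLE).items():
        print(name, path, "; ".join(why) or "review manually", sep="  ")
    print(build_fix([(HKLM_RUN, "upp"), (HKU_DEF_RUN, "WinMedia")]))  # the advisor's picks
```

Entries with no reasons are not cleared, only left for manual review, which is where "upp" lands; merge the generated file only after the `regedit /e` backup the post starts with.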


#9 Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 19 January 2007 - 03:03 AM

Hi,

Ok, here is the SDFix report and the new HijackThis log.

Rebooting

Normal Mode:

Checking Files:


No Files Found..




Alternate Stream Check:


Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!
Rootkit lzx32 Found!
Rootkit msguard Found!

Remaining Files:
---------------

Backups Folder: - i:\\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Documents and Settings\Tfrench\Favorites\Business\The Quicken.com Channel\desktop.ini
C:\arcldr.exe
C:\arcsetup.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182.tmp
C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182h.tmp
C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182s.tmp
C:\Documents and Settings\Tfrench\Application Data\Microsoft\Word\~WRL2118.tmp
C:\Documents and Settings\Tfrench\My Documents\~WRL3174.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 18:28, on 07-01-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com...p?pid=loadercab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#10 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 19 January 2007 - 04:29 AM

Hi, Hawkfan

Please run this tool for me.


Download rustbfix.exe and save it to your desktop.
Double-click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.


Gogo :)

#11 Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 19 January 2007 - 05:05 AM

Hi,

I ran the rustbfix.exe and here is the log.

************************* Rustock.b-fix -- By ejvindh *************************
Thu 2007-01-18 8:06:57.59

No Rustock.b-rootkits found

******************************* End of Logfile ********************************



Looks like most everything is running correctly. Thank You Very Much!!!

Only having problems with my Date & Time stuck on military time, and it won't change to standard time, which started when I received the viruses.

#12 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 19 January 2007 - 03:01 PM

Hey, Hawkfan

Yes, I don't see those files anymore. If all is good, I will now have you
do my last steps here, but first see if this helps with the time.


Have you gone into the Control Panel, clicked on Regional Options and then the Time tab, and changed the time format to h:mm:ss tt, or hh:mm:ss if you don't want AM or PM to be displayed?


=============

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


Next, let's clean your restore points and set a new one


Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* CHECK Turn off System Restore.
* Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.


Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.



Clean out your Temporary Internet files.
Internet Explorer
Close Internet Explorer and close any instances of Windows Explorer.
Click Start -> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Firefox (In case you also have Firefox installed)
Open Firefox and go to Tools -> Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
a. Change the Download signed ActiveX controls to Prompt
b. Change the Download unsigned ActiveX controls to Disable
c. Change the Initialize and script ActiveX controls not marked as safe to Disable
d. Change the Installation of desktop items to Prompt
e. Change the Launching programs and files in an IFRAME to Prompt
f. Change the Navigate sub-frames across different domains to Prompt
g. When all these settings have been made, click on the OK button.
h. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

And please have a look at the great info by Mr. TK:
"So how did I get infected in the first place?"


Gogo ;)

#13 Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 19 January 2007 - 06:35 PM

Hi Gogo,

Ok, I am trying to get an administrator account on my Windows 2000 Pro OS.

The Regional Date and Time adjustment did work... Thanks again for all your time, assistance and knowledge. I will follow your instructions as soon as I get an admin account on my workstation.

KC

#14 Hawkfan

    Newbie

  • Members
  • 9 posts

Posted 24 January 2007 - 01:58 AM

Hi Gogo,

Ok, I have administrator access, but I do not think Windows 2000 has any kind of System Restore built into it.

Let me know if you have any info on that.

Other than that everything is working great... Thanks for your help and time... Very Much Appreciated!!!



