1 - 20 of 26 Posts

Discussion Starter · #1 ·
Hey all,

I have a computer that is running Windows XP. I have installed all the critical updates and have run AdAware, Spybot Search and Destroy, and am currently running Kaspersky.

My problem is that each time I boot my computer, Kaspersky comes up with a message that an active threat has been found:

Virus: Packed.Win32.NSAnti.a
File: C:\WINDOWS\SYSTEM32\HTRAN

It mentions that a special disinfection procedure is required which demands system reboot. It says that the file will be deleted after reboot, but on reboot, I always get the same message.

I have tried booting to safe mode and deleting the temporary internet files from the user account and then rebooting. It seemed to work at first because the message didn't come back. However, upon rescanning, the virus was found again.

I read a tutorial on HiJackThis and removed what I dared to. Here is what is left:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:40 PM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\app2srv.exe
C:\WINDOWS\system32\app2srv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\htran.exe
C:\WINDOWS\system32\htran
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunServices: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe" -vt wnew
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86F49BB5-51A6-481F-A1AE-58E7FCE8AFF8}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Browsers - Unknown owner - C:\WINDOWS\system32\app2srv.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Any assistance in this matter would be greatly appreciated. I have run out of ideas on what I know how to do.

Thanks so much,
:) Leafer
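Before asking for another tool run, a practitioner would pull the entries that matter out of the HijackThis log above. The script below is an added example written for this thread; it is not from the original post, from HijackThis or from Kaspersky. It parses a handful of lines copied from the log (a constructed sample, with a few legitimate entries kept as negatives) and flags what a triage analyst looks for: an autostart entry that names a bare file (reg32.exe) instead of a full path, use of the RunServices key, services with no vendor information whose binary sits in system32, an image running without a file extension, and known remote-access or relay tools: r_server is the Radmin server, WinVNC4 is the RealVNC 4 service, DUC20 is the No-IP dynamic-DNS updater and HTran is a TCP connection-relay tool. The tool list, the finding labels and the parsing rules are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis v1.99.1 log in the first
# post, with a few clearly legitimate entries kept so the checks have negatives.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\htran.exe
C:\WINDOWS\system32\htran
C:\WINDOWS\system32\r_server.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\RunServices: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe" -vt wnew
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Network Browsers - Unknown owner - C:\WINDOWS\system32\app2srv.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Finding labels (the example's own wording).
NO_EXTENSION = "running image has no file extension"
REMOTE_TOOL_RUNNING = "remote-access or tunnelling tool running"
BARE_NAME = "autostart entry is a bare file name (found by PATH search, no fixed location)"
RUNSERVICES = "RunServices key (Windows 9x-era key that normal XP software does not use)"
UNKNOWN_SYSTEM32_SERVICE = "service with no vendor information running from system32"
REMOTE_TOOL_SERVICE = "remote-access or tunnelling tool installed as a service"

# Remote-access / relay binaries seen in this log. All are real programs; the
# point is that none of them belongs on a home PC whose owner did not install it.
REMOTE_ACCESS_BINARIES = {"r_server.exe", "winvnc4.exe", "duc20.exe", "htran.exe", "htran"}
SYSTEM32 = r"c:\windows\system32" + "\\"

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# HijackThis 1.99.1 prints quoted service paths with the opening quote dropped
# (C:\...\avp.exe" -r), so cut at the first .exe followed by a quote, space or end.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)(?=["\s]|$)', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Strip quotes and arguments from a Run or Service command line."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group("exe")
    return command.strip('"').split(" ", 1)[0]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each finding label to the log lines that triggered it."""
    findings: Dict[str, List[str]] = {}

    def flag(reason: str, line: str) -> None:
        findings.setdefault(reason, []).append(line)

    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            image = line.rsplit("\\", 1)[-1].lower()
            if "." not in image:
                flag(NO_EXTENSION, line)
            if image in REMOTE_ACCESS_BINARIES:
                flag(REMOTE_TOOL_RUNNING, line)
            continue
        m = O4_RE.match(line)
        if m:
            if "\\" not in executable_of(m.group("cmd")):
                flag(BARE_NAME, line)
            if m.group("key").lower() == "runservices":
                flag(RUNSERVICES, line)
            continue
        m = O23_RE.match(line)
        if m:
            exe = executable_of(m.group("path"))
            image = exe.rsplit("\\", 1)[-1].lower()
            if m.group("vendor") == "Unknown owner" and exe.lower().startswith(SYSTEM32):
                flag(UNKNOWN_SYSTEM32_SERVICE, line)
            if image in REMOTE_ACCESS_BINARIES:
                flag(REMOTE_TOOL_SERVICE, line)
    return findings


if __name__ == "__main__":
    for reason, lines in triage(SAMPLE_HJT_LOG).items():
        print(reason)
        for entry in lines:
            print("    " + entry)
```

The "Unknown owner" check is deliberately restricted to binaries under system32: Kaspersky's own service also shows "Unknown owner" in this HijackThis version, and the vendor field alone would produce a false positive on it.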
 

Hey there, welcome to TSG! :up:

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
 

Discussion Starter · #3 ·
Hey D_Troganator,

Thanks for the quick response, and thanks for the warm welcome. I downloaded and ran ComboFix. Here is the log file:

Pat and Donna - 06-12-29 12:12:48.53 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Pat and Donna\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\{1C93B300-0958-1033-1202-030512200001}
C:\Program Files\Common Files\{3C93B300-0958-1033-1202-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\ASKS~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\MCROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\Application Data\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\My Documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Pat and Donna\My Documents\MBOLS~1
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\PPPATC~1
C:\QooBox\Purity\Program Files\SMANTE~1
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\ASKS~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET\MCROSO~1.NET
C:\QooBox\Purity\Program Files\MCROSO~1.NET\regsvr32.exe
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\MBOLS~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\DOBE~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\ICROSO~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\STEM32~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\WNSXS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YSTEM~1

((((((((((((((((((((((((((((((( Files Created from 2006-11-29 to 2006-12-29 ))))))))))))))))))))))))))))))))))

2006-12-28 22:27 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-12-28 18:55 d-------- C:\Program Files\SpywareBlaster
2006-12-28 17:19 d-------- C:\HJT
2006-12-28 15:21 d-------- C:\Program Files\iPod
2006-12-28 15:21 d-------- C:\Documents and Settings\Pat and Donna\Application Data\Apple Computer
2006-12-28 15:20 d-------- C:\Program Files\iTunes
2006-12-28 15:19 d-------- C:\Program Files\QuickTime
2006-12-28 15:18 d-------- C:\Program Files\Apple Software Update
2006-12-28 15:18 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-28 14:20 d-------- C:\WINDOWS\WBEM
2006-12-28 14:20 d-------- C:\WINDOWS\SYSTEM32\en-US
2006-12-28 14:19 d--h-c--- C:\WINDOWS\ie7
2006-12-28 14:17 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-12-28 14:17 d-------- C:\WINDOWS\network diagnostic
2006-12-28 14:14 d-------- C:\Program Files\MSXML 4.0
2006-12-28 14:13 d-------- C:\de982a8dc354d7f396d80541d3b86e
2006-12-28 11:42 d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-28 11:42 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-27 16:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-26 14:04 d-------- C:\Program Files\Kaspersky Lab
2006-12-26 14:04 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2006-12-26 13:46 d-------- C:\Program Files\Sling Media
2006-12-26 13:39 d-------- C:\Program Files\Outerinfo
2006-12-26 13:38 d-------- C:\Program Files\Lavasoft
2006-12-20 15:27 655,360 --a------ C:\WINDOWS\SYSTEM32\app2srv.exe
2006-12-20 15:27 268,058 --a------ C:\WINDOWS\SYSTEM32\htran.exe
2006-12-20 15:21 983,040 --a------ C:\WINDOWS\SYSTEM32\svchost .exe
2006-12-19 21:41 d-------- C:\Documents and Settings\Pat and Donna\Application Data\àdobe
2006-12-17 02:50 92 --a------ C:\WINDOWS\SYSTEM\rundll.exe
2006-12-17 02:50 86,016 --------- C:\WINDOWS\SYSTEM\reg.dll
2006-12-17 02:50 85 --a------ C:\WINDOWS\SYSTEM\win.com
2006-12-17 02:50 15,167 --a------ C:\WINDOWS\SYSTEM\vir.exe
2006-12-17 02:50 10,983 --a------ C:\WINDOWS\SYSTEM\win.exe
2006-12-17 02:50 1,254 --a------ C:\WINDOWS\SYSTEM\id.exe
2006-12-02 18:53 d-------- C:\WINDOWS\SYSTEM32\àdobe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-29 12:14 -------- d-------- C:\Program Files\Common Files
2006-12-28 22:37 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-28 14:29 -------- d-------- C:\Program Files\Internet Explorer
2006-12-28 14:12 -------- d-------- C:\Program Files\Outlook Express
2006-12-28 14:12 -------- d-------- C:\Program Files\Common Files\System
2006-12-26 14:24 -------- d-------- C:\Program Files\ATI Multimedia
2006-12-26 14:14 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-26 14:11 61584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.sys
2006-12-26 14:11 59536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.sys
2006-12-26 13:38 -------- d-------- C:\Documents and Settings\Pat and Donna\Application Data\Lavasoft
2006-12-24 15:10 -------- d-------- C:\Documents and Settings\Pat and Donna\Application Data\AdobeUM
2006-12-21 17:20 -------- d-------- C:\Program Files\Web Publish
2006-12-18 14:48 -------- d-------- C:\Program Files\Viewpoint
2006-12-07 00:40 2362184 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-26 11:12 -------- d-------- C:\Program Files\ATI Technologies
2006-11-25 14:07 -------- d-------- C:\Program Files\HP
2006-11-25 14:07 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-11-24 21:05 -------- d-------- C:\Documents and Settings\Pat and Donna\Application Data\CyberLink
2006-11-23 15:58 -------- d-------- C:\Program Files\Team MediaPortal
2006-11-23 15:53 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-23 15:12 -------- d-------- C:\Program Files\Gemstar
2006-11-07 23:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-19 07:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\SYSTEM32\nwprovau.dll
2006-10-07 22:15 124 --a------ C:\Documents and Settings\Pat and Donna\Application Data\patriot_theme_pack.txt
2006-10-07 22:09 124 --a------ C:\Documents and Settings\Pat and Donna\Application Data\quotes_theme_pack.txt
2006-10-07 22:09 124 --a------ C:\Documents and Settings\Pat and Donna\Application Data\kids_theme_pack.txt
2006-09-25 19:04 67 --a------ C:\Documents and Settings\Pat and Donna\Application Data\photoshowhomedeluxe-win-us[1].txt

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aida"="\"C:\\PROGRA~1\\MCROSO~1.NET\\regsvr32.exe\" -vt wnew"
"EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P26 \"EPSON Stylus CX6600 Series\" /M \"Stylus CX6600\" /EF \"HKCU\""
"Simple Star PhotoShow Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P26 \"EPSON Stylus CX6600 Series\" /O6 \"USB001\" /M \"Stylus CX6600\""
"Microsoft System Firewall 2006.2"="reg32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Firewall 2006.2"="reg32.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Planner Reminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Planner Reminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CREATI~1\\HALLMA~1\\Planner\\PLNRnote.exe "
"item"="Event Planner Reminder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Planner Reminders Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Planner Reminders Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Sierra\\Planner\\PLNRnote.exe "
"item"="Event Planner Reminders Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\Picture Package Menu.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~3\\SonyTray.exe "
"item"="Picture Package Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package VCD Maker.lnk"
"backup"="C:\\WINDOWS\\pss\\Picture Package VCD Maker.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~1\\RESIDE~1.EXE -h"
"item"="Picture Package VCD Maker"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pat and Donna^Start Menu^Programs^Startup^Event Reminder.lnk]
"path"="C:\\Documents and Settings\\Pat and Donna\\Start Menu\\Programs\\Startup\\Event Reminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Reminder.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MINDSC~1\\PRINTM~1\\PMREMIND.EXE /Q"
"item"="Event Reminder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pat and Donna^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Pat and Donna\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pat and Donna^Start Menu^Programs^Startup^TrueAssistant.lnk]
"path"="C:\\Documents and Settings\\Pat and Donna\\Start Menu\\Programs\\Startup\\TrueAssistant.lnk"
"backup"="C:\\WINDOWS\\pss\\TrueAssistant.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\TRUEAS~1\\TRUEAS~1.EXE "
"item"="TrueAssistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="regsvr32"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\MCROSO~1.NET\\regsvr32.exe\" -vt wnew"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BillMinder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BILLMIND"
"hkey"="HKLM"
"command"="C:\\QUICKENW\\BILLMIND.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CFD"
"hkey"="HKLM"
"command"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DesktopWeather"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="incredimail_install"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\PATAND~1\\LOCALS~1\\Temp\\ImInstaller\\IncrediMail\\incredimail_install.exe -startup -product IncrediMail"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkUFind"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssysmgr"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gnotify"
"hkey"="HKLM"
"command"="C:\\Program Files\\Google\\Gmail Notifier\\G001-1.0.25.0\\gnotify.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=dword:00000002
"SPBBCSvc"=dword:00000002
"ccSetMgr"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002
"AVP"=dword:00000002
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061228-190926-964
O11 - Options group: [INTERNATIONAL] International*
backup-20061228-190926-689
O4 - HKCU\..\Run: [Sso] C:\WINDOWS\system32\n?tdde.exe
backup-20061228-190926-494
O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe
backup-20061228-190926-757
O2 - BHO: (no name) - {F15279B7-C02E-CA8C-7A46-9CECDCE14F98} - C:\WINDOWS\system32\bhqu.dll (file missing)
backup-20061228-190926-583
O2 - BHO: (no name) - {6322F5D9-1912-1BB7-44E5-4691FBD389CE} - C:\WINDOWS\system32\eikyohd.dll (file missing)
backup-20061228-190926-672
O2 - BHO: (no name) - {CA159987-264B-74E8-1CF6-77E29D762691} - C:\WINDOWS\system32\pdbib.dll (file missing)
backup-20061228-190926-871
O2 - BHO: (no name) - {D26C6F16-DDDF-847D-DEAC-D228E072669A} - C:\WINDOWS\system32\dfzvk.dll (file missing)
backup-20061228-190926-373
O2 - BHO: (no name) - {54499810-7988-2D2D-D879-7F129346BCC2} - C:\WINDOWS\system32\ltpffv.dll (file missing)
backup-20061228-190926-405
O2 - BHO: (no name) - {AE80B804-079B-0C3A-CA18-09E55C6A10C5} - C:\WINDOWS\system32\seyyyyd.dll (file missing)
backup-20061228-190926-768
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20061228-190926-125
R3 - URLSearchHook: (no name) - {54499810-7988-2D2D-D879-7F129346BCC2} - C:\WINDOWS\system32\ltpffv.dll (file missing)
backup-20061228-190926-208
R3 - URLSearchHook: (no name) - {AE80B804-079B-0C3A-CA18-09E55C6A10C5} - C:\WINDOWS\system32\seyyyyd.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-29 12:16:00.54
C:\ComboFix.txt ... 06-12-29 12:16

I will post the updated HiJackThis log in a new response to account for the character limit on responses.

Thanks,
Leafer
 

34 Posts
Discussion Starter · #4 ·
Logfile of HijackThis v1.99.1
Scan saved at 12:19:46 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\app2srv.exe
C:\WINDOWS\system32\app2srv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\htran.exe
C:\WINDOWS\system32\htran
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunServices: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe" -vt wnew
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86F49BB5-51A6-481F-A1AE-58E7FCE8AFF8}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Browsers - Unknown owner - C:\WINDOWS\system32\app2srv.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks for your help!

:cool: Leafer
 

4,699 Posts
Hello there, :up:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\RunServices: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe" -vt wnew


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM\win.exe
C:\WINDOWS\SYSTEM\vir.exe
C:\WINDOWS\SYSTEM\win.com
C:\WINDOWS\SYSTEM\reg.dll
C:\WINDOWS\SYSTEM\rundll.exe
C:\WINDOWS\SYSTEM\id.exe
C:\WINDOWS\SYSTEM32\reg32.exe
C:\WINDOWS\system\svchost.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\Outerinfo
C:\WINDOWS\SYSTEM32\àdobe
C:\Documents and Settings\Pat and Donna\Application Data\àdobe

C:\WINDOWS\SYSTEM32\svchost .exe <-- do not delete the legitimate svchost.exe; this file has a space in it. If you are unsure, please leave it and let me know you didn't remove it.

Open the Suspicious File Packer you downloaded earlier.
Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\SYSTEM32\app2srv.exe
C:\WINDOWS\SYSTEM32\htran.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back to normal mode.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please open Notepad and copy and paste the next bold part into it:
(don't forget to copy and paste REGEDIT4)
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
Save this as "fix.reg". Choose to save as "All Files" and place it on your desktop.
It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan then click next,
You'll see a list of all items found.
Do not choose to rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.
Also post a new Hijackthis log.

David
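As an added example, written for this thread and not part of it or of HijackThis, here is the kind of triage David applied to the log above, coded as heuristics over constructed sample lines in HijackThis 1.99.1 format; the regexes and the rule set are my own assumptions, not any published HijackThis logic:

```python
"""Triage heuristics for HijackThis 1.99.x log lines (added example).

The regexes and rules below are assumptions of mine that encode the reasoning
behind the O2/O3/O4/O23 lines singled out in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines in HijackThis 1.99.1 format mirroring entries quoted
# in this thread (suspicious ones and their benign neighbours).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\RunServices: [Microsoft System Firewall 2006.2] reg32.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\regsvr32.exe" -vt wnew
O23 - Service: Network Browsers - Unknown owner - C:\WINDOWS\system32\app2srv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
OBJ_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (.*?) - (\{[^}]*\}) - (.*)$")

# Windows binaries that legitimately live in \WINDOWS\system32 only.
SYSTEM_TOOLS = {"regsvr32.exe", "rundll32.exe", "svchost.exe"}


@dataclass
class Finding:
    line: str
    reasons: list


def executable(command: str) -> str:
    """Return the program path from a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_run(key: str, name: str, command: str) -> list:
    """Heuristics for O4 (Run / RunServices) entries."""
    reasons = []
    exe = executable(command)
    directory, _, base = exe.rpartition("\\")
    if not directory:
        reasons.append("command has no directory: resolved via PATH, location unknown")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key; XP itself does not use it")
    if base.lower() in SYSTEM_TOOLS and "\\system32" not in directory.lower():
        reasons.append(f"{base} is a system tool but runs from {directory or '(unknown)'}")
    if "microsoft" in name.lower() and "\\windows\\" not in exe.lower():
        reasons.append("value name claims Microsoft but the binary is not under \\WINDOWS")
    return reasons


def check_service(name: str, owner: str, path: str) -> list:
    """Heuristics for O23 service entries.

    '(file missing)' is deliberately ignored: HijackThis 1.99.1 prints it for a
    quoted ImagePath that carries arguments (the AVP and VNC lines in this
    thread show that), so on its own it is not evidence of anything.
    """
    if owner == "Unknown owner" and "\\system32\\" in path.lower():
        return ["service with no vendor string runs from system32"]
    return []


def check_object(name: str, clsid: str, path: str) -> list:
    """Heuristics for O2 (BHO) and O3 (toolbar) entries."""
    if path.strip() == "(no file)":
        return ["orphaned CLSID registration, no file on disk: safe to fix, not active code"]
    return []


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O4_RE.match(line):
            _hive, key, name, command = m.groups()
            reasons = check_run(key, name, command)
        elif m := O23_RE.match(line):
            reasons = check_service(*m.groups())
        elif m := OBJ_RE.match(line):
            reasons = check_object(*m.groups())
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run against a real log, the flagged lines are a starting point for a human read, not a verdict: the kav and HP lines above pass precisely because a vendor path or vendor string is present, which is the same judgement David made by eye.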
 

34 Posts
Discussion Starter · #7 ·
David,

I ran BlackLight and here is the log:

12/29/06 14:36:41 [Info]: BlackLight Engine 1.0.55 initialized
12/29/06 14:36:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/29/06 14:36:41 [Note]: 7019 4
12/29/06 14:36:41 [Note]: 7005 0
12/29/06 14:36:51 [Note]: 7006 0
12/29/06 14:36:51 [Note]: 7011 904
12/29/06 14:36:51 [Note]: 7026 0
12/29/06 14:36:52 [Note]: 7026 0
12/29/06 14:37:04 [Note]: FSRAW library version 1.7.1021

Also, here is the updated HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:49:45 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Pat and Donna\Desktop\blbeta.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86F49BB5-51A6-481F-A1AE-58E7FCE8AFF8}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Browsers - Unknown owner - C:\WINDOWS\system32\app2srv.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks!
Leafer
 

4,699 Posts
Hey there,
I've just been looking at the files you uploaded, and they sure seem suspicious.
They seem to be new; there is no reference to them on the internet.
I have a quick question, have you used any remote assistance recently?

Open notepad and copy and paste the following text in the quote box into the window:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s >>notify.txt
start notify.txt
Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards:

Doubleclick fix.bat and let the program run.
Post the contents back in this thread.

I need you to download the following file:

Getservices.zip - Get list of XP/2000/NT Services

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click on the getservices.bat file. A Notepad window will open up. Please paste the contents of that Notepad window as a reply to this post. It's going to be quite long, so you might want to upload the file here as an attachment to this thread, whatever suits you best.

I need those two logs in your next reply. :up:
 

34 Posts
Discussion Starter · #9 ·
David,

Since you mentioned it, I have been giving it some thought. We use the VNC connection between our computers, but we haven't used the remote admin recently. One thing I noticed after I finished your help guide was that there was a hidden folder on the C: that was called System Volume Information. It is huge and has files in it with French text and crazy symbol patterns. Can I delete this?

I have attached the two log files you requested. Thanks again for all your help!

Leafer
 

Attachments

34 Posts
Discussion Starter · #10 ·
David,

Since I finished your tutorial I have not seen the NSAnti.a virus come up anymore. However, Kaspersky is going crazy finding not-a-virus:RemoteAdmin.Win32 files.

Two are not-a-virus:RemoteAdmin.Win32.WinVNC.4 and two are not-a-virus:RemoteAdmin.Win32.RAdmin.22.

One is not-a-virus:RemoteAdmin.Win32.CCProxy.63.

They are coming out of the System Volume Information folder that I mentioned in the previous post. Just thought you should know. Kaspersky was able to delete them.

Thanks,
Leafer
 

4,699 Posts
The System Volume Information folder contains system restore points.
We will purge these points in a while and create a new one once the system is clean.
The service you have is related to the NSAnti.a virus we talked about at the start.
It seems to want to connect to an IP from Shanghai; we're going to remove it now.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\app2srv.exe
C:\WINDOWS\SYSTEM32\htran.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Open notepad and copy and paste the following text in the quote box into the window:
sc stop "Network Browsers"
sc delete "Network Browsers"
Save this as fix2.bat
Choose to save as all files.
This is how the batch must look afterwards:

Doubleclick fix2.bat and let the program run.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Now, we want to create a new, clean restore point.
Please first reboot your computer.
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create and you're done.

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David
 

34 Posts
Discussion Starter · #14 ·
David,

The system seems to be working as good as new. Thank you so much for your help, it is hard to express in words the gratitude I feel towards you for the great time and effort you have put into fixing my problem. I really really appreciate it. Thanks again!

:up: Leafer
 

4,699 Posts
It's been a pleasure to help, it really has! :)
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David
 

4,699 Posts
Oh, I just want to do one more thing if you have time.
Something you can do to help me in return. :)
Can you navigate to the following, and tell me what's inside:
C:\!Killbox

Whatever you get your hands on can you submit here:
http://www.bleepingcomputer.com/submit-malware.php?channel=5

This could be a new infection, and we would like to analyse it.
Thanks for the help, let me know how you get on! :up:
 

34 Posts · Discussion Starter · #17
Hey David,

I would be more than happy to provide you with any and all of the files you want. Here is a list of what is there:

app2srv.exe
id.exe
id.exe( 1)
reg.dll
reg.dll( 3)
rundll.exe
rundll.exe( 2)
vir.exe
vir.exe( 5)
win.com
win.com( 4)

There was also a log file in the Logs folder. I have attached that. Just let me know.

I was going to ask you. I got rid of Remote Admin and RealVNC. Do you know of a program that would be more secure that I could use to connect remotely to my computer?

Thanks,
Leafer
 

4,699 Posts
Hey there, thanks for doing this for me. :up:
I also want to do a bit more cleaning on your PC after.

I'll be honest with you, I don't really know much at all about Remote Servers.
I think it would be best to ask your question in the XP forum of the board here at TSG.
That way you should receive help from more knowledgeable people in that field.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Paste the following bold part into the Suspicious File Packer window:

C:\!Killbox\app2srv.exe
C:\!Killbox\id.exe
C:\!Killbox\reg.dll
C:\!Killbox\rundll.exe
C:\!Killbox\vir.exe
C:\!Killbox\win.com
C:\!Killbox\app2srv.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

I also then want to make sure nothing is leftover in the registry.

Download Bobbi Flekman's RegSearch from
http://www.bleepingcomputer.com/files/regsearch.php

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box--> app2srv
Copy / Paste the following into the box just below (2nd down) --> htran

Then hit OK.

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe

Paste that here in your next reply.
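The two checks David asks for above (recording what was packed for submission, then searching the registry for leftover "app2srv" and "htran" references) can be scripted. This is an added example, not part of the thread or of the SFP or RegSearch tools; it assumes PowerShell 4 or later run as Administrator (not something the 2006 XP machine in the thread would have had), and the folder and search terms are taken from the thread.

```powershell
# Added example, not from the thread: hash the quarantined files, then look for
# leftover registry references to the removed service and file names.
# Assumptions: run as Administrator; PowerShell 4+ (for Get-FileHash).
$Quarantine  = 'C:\!Killbox'                 # folder named in the thread
$SearchTerms = @('app2srv', 'htran')         # strings RegSearch was pointed at
# Hives where a leftover service or autorun pointer would persist after removal.
$Roots = @('HKLM:\SYSTEM\CurrentControlSet\Services',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion')

# 1. Record SHA-256 hashes so the submitted CAB contents can be matched later.
if (Test-Path $Quarantine) {
    Get-ChildItem -Path $Quarantine -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Format-Table -AutoSize
}

# 2. Walk each hive and report key names, value names or value data matching a term.
function Find-RegistryReferences {
    param([string[]]$RootKeys, [string[]]$Terms)
    foreach ($root in $RootKeys) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
          ForEach-Object {
            $key = $_
            foreach ($term in $Terms) {
                $pattern = [regex]::Escape($term)
                if ($key.Name -match $pattern) {
                    [pscustomobject]@{ Where = 'KeyName'; Key = $key.Name; Match = $term; Data = '' }
                }
                foreach ($vname in $key.GetValueNames()) {
                    # REG_MULTI_SZ comes back as string[]; the cast joins it for matching
                    $data = [string]$key.GetValue($vname)
                    if ($vname -match $pattern -or $data -match $pattern) {
                        [pscustomobject]@{ Where = 'Value'; Key = $key.Name; Match = $vname; Data = $data }
                    }
                }
            }
          }
    }
}

# Save the findings next to the desktop CAB so they can be pasted into the reply.
$Report = Join-Path $env:USERPROFILE 'Desktop\regsearch-results.txt'
Find-RegistryReferences -RootKeys $Roots -Terms $SearchTerms |
    Tee-Object -FilePath $Report |
    Format-Table -AutoSize
```

Any hit under the Services or Run keys that still points at a removed file is a leftover to clean, whereas a hit in an uninstall entry for software the user recognises is usually benign.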
 

4,699 Posts
Excellent, thanks for submitting the files, we'll get them distributed to antivirus companies.
Do you know anything about "Eltima Software"? It is related to the service we removed.
It appears to be a commercial keylogger; did you install this?
It sounds dodgy, but the service contained a file that Kaspersky flagged as being bad.
Before we continue, can you tell me if you know about this software?

Then, I need one more log. Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.
 