
Trojan Mailbot [RESOLVED]


This topic is locked

#1
discorae
Member, 51 posts
Hello!

I hate that I'm back with another question, but am so paranoid about the last incapacitating infection.
(Flrman1 was wonderful in all his help and advice and got me cleaned up real nice here at GTG!)

I've run a Spyware Doctor scan (which won't remove unless you pay :whistling: ) and it detected a "trojan.mailbot". So, now that I know where it's located in my registry, how safe is it for me to delete the infected parts? Two (trojans) came up with multiple portions to this first one:
HKLM\SYSTEM\ControlSet005\Services\pe386 (other lists similar with additions to the ending, i.e. pe386##, pe386##checked, etc.)
the other one is:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler##{2C1CD3D7-86AC-4068-93BC-A02304BB2236}

I've verified they are indeed in the registry, but I don't want to mess up anything! I don't see them listed in the HJT, but I'll post one anyway.

Thanks so much for anyone's assistance :blink:
discorae

PS: I've disabled the real time protection of Windows Defender

Logfile of HijackThis v1.99.1
Scan saved at 8:01:19 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firefox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.firefox.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154143734952
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150467821529
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...d/UnSkin/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.87.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4532BD06-C0D0-498E-928D-BCF1479B0D20}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
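A read-only way to look at the two registry locations named in the post, added here as an example (it is not from the thread, HijackThis or any other tool): it lists matching service entries in every ControlSetNNN (not only the live one) with whether the ImagePath file exists, and lists each SharedTaskScheduler CLSID with the DLL it resolves to. It assumes Windows PowerShell with the registry provider; the service name pe386 and the SharedTaskScheduler key are from the post, and the two-entry allowlist of Windows XP defaults is an assumption to extend locally. Nothing is deleted.

```powershell
# Added example, not from the thread: read-only audit of the two persistence
# locations the post asks about. It reports; it never deletes anything.

# Turn a Services\<name>\ImagePath value into a path that Test-Path can check.
function Resolve-ImagePath([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $p = $raw.Trim()
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\...   -> C:\WINDOWS\...
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }   # "C:\x\y.exe" -arg -> C:\x\y.exe
    else { $p = ($p -split '\s+(?=[-/])')[0] }          # C:\x\y.exe -arg   -> C:\x\y.exe
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return [Environment]::ExpandEnvironmentVariables($p)
}

# 1. Services: walk every ControlSetNNN, because an entry in a stale control set
#    (the post's was under ControlSet005) does not show up via CurrentControlSet.
function Get-ServiceEntries([string]$pattern) {
    $live = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
    Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } |
      ForEach-Object {
        $cs = $_.PSChildName
        Get-ChildItem "HKLM:\SYSTEM\$cs\Services" -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -like $pattern } |
          ForEach-Object {
            $v    = Get-ItemProperty $_.PSPath
            $file = Resolve-ImagePath $v.ImagePath
            [pscustomobject]@{
                ControlSet = $cs
                IsLive     = ($cs -eq $live)
                Service    = $_.PSChildName
                Type       = $v.Type    # 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service
                Start      = $v.Start   # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
                ImagePath  = $v.ImagePath
                FileExists = if ($file) { Test-Path -LiteralPath $file } else { $false }
            }
          }
      }
}

# 2. SharedTaskScheduler: every value name is a CLSID that Explorer instantiates
#    at start-up; the DLL behind it is under HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32.
#    Allowlist of the two entries Windows XP ships with (assumption; extend locally).
$KnownSts = @(
    '{438755C2-A8BA-11D1-B96B-00A0C90312E1}',   # Browseui preloader
    '{8C7461EF-2B13-11d2-BE35-3078302C2030}'    # Component Categories cache daemon
)
function Get-SharedTaskSchedulerEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    (Get-ItemProperty $key).PSObject.Properties |
      Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |   # skip PSPath & co.
      ForEach-Object {
        $clsid = $_.Name
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.'(default)') } else { $null }
        [pscustomobject]@{
            CLSID      = $clsid
            Label      = $_.Value
            Dll        = $dll
            FileExists = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
            Known      = ($KnownSts -contains $clsid)   # -contains is case-insensitive
        }
      }
}

# Service name from the post; the trailing * also matches the pe386##-style names it mentions.
Get-ServiceEntries 'pe386*' | Format-Table -AutoSize
Get-SharedTaskSchedulerEntries | Format-Table -AutoSize
```

Entries that are not in the live control set, whose file is missing, or whose CLSID is not on the allowlist are the ones worth handing to a helper before touching anything.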

#2
Metallica
Spyware Veteran, GeekU Moderator, 33,101 posts
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next post, please include:
  • new hijackthis log
  • combofix log


#3
discorae
Topic Starter, Member, 51 posts
Hi Metallica!

Thanks for taking the time to answer my question. Here are the combofix log and another HJT:

Daniel - 06-09-08 10:58:54.68
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Daniel\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-08 to 2006-09-08 ))))))))))))))))))))))))))))))))))


2006-08-08 22:30 90,112 --a------ C:\WINDOWS\SYSTEM32\RegDACL.exe
2006-08-08 22:30 38,400 --a------ C:\WINDOWS\SYSTEM32\moveex.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-07 11:10 -------- d-------- C:\Program Files\SpywareGuard
2006-09-07 11:10 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-07 09:52 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-06 22:52 -------- d-------- C:\Program Files\MSN Games
2006-09-05 12:36 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-04 13:38 -------- d-------- C:\Documents and Settings\Daniel\Application Data\PlayFirst
2006-09-04 13:13 -------- d-------- C:\Program Files\Grisoft
2006-08-31 12:45 -------- d-a------ C:\Program Files\BestBuy
2006-08-30 20:01 -------- d-------- C:\Program Files\hijack this
2006-08-30 14:54 -------- d---s---- C:\Documents and Settings\Daniel\Application Data\Microsoft
2006-08-30 13:03 -------- d-------- C:\Program Files\Adobe
2006-08-30 13:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-30 13:02 -------- d-------- C:\Documents and Settings\Daniel\Application Data\InterTrust
2006-08-30 13:01 893 --a------ C:\Documents and Settings\Daniel\Application Data\AdobeDLM.log
2006-08-30 13:01 299 --a------ C:\Documents and Settings\Daniel\Application Data\dm.ini
2006-08-29 12:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-29 12:22 -------- d-------- C:\Program Files\Google
2006-08-29 12:22 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Google
2006-08-29 12:21 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-26 10:17 -------- d-------- C:\Program Files\CCleaner
2006-08-25 14:36 -------- d-------- C:\Program Files\CleanUp!
2006-08-22 13:59 -------- d-------- C:\Program Files\Real
2006-08-16 13:42 2359350 --a------ C:\Documents and Settings\Daniel\Application Data\ZBWallpaper.bmp
2006-08-15 14:37 -------- d-------- C:\Program Files\MSN Messenger
2006-08-14 18:49 -------- d-------- C:\Documents and Settings\Daniel\Application Data\MSNInstaller
2006-08-14 18:42 -------- d-------- C:\Program Files\MSN
2006-08-11 16:32 777472 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
2006-08-11 16:32 27904 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7rsxp.sys
2006-08-10 11:47 -------- d-------- C:\Program Files\Internet Explorer
2006-08-05 12:00 -------- d-------- C:\Program Files\adaware se
2006-08-04 16:51 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Sun
2006-08-04 12:00 -------- d-------- C:\Program Files\Windows Defender
2006-08-02 20:46 -------- d-------- C:\Program Files\Java
2006-08-02 20:18 -------- d-------- C:\Program Files\Common Files\Java
2006-08-02 20:18 -------- d-------- C:\Program Files\Common Files
2006-08-02 16:37 -------- d-------- C:\Documents and Settings\Daniel\Application Data\TrojanHunter
2006-07-31 12:26 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Lavasoft
2006-07-31 12:25 -------- d-------- C:\Program Files\Lavasoft
2006-07-29 09:35 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Mozilla
2006-07-29 08:51 -------- d-------- C:\Program Files\Windows Media Player
2006-07-29 08:51 -------- d-------- C:\Program Files\Outlook Express
2006-07-29 08:51 -------- d-------- C:\Program Files\Common Files\System
2006-07-29 08:47 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-29 01:55 -------- d-------- C:\Program Files\Messenger
2006-07-29 00:43 -------- d-------- C:\Program Files\Movie Maker
2006-07-29 00:40 -------- d-------- C:\Program Files\Windows NT
2006-07-29 00:40 -------- d-------- C:\Program Files\NetMeeting
2006-07-28 23:06 -------- d-------- C:\Program Files\XPSP2
2006-07-28 22:59 -------- d-------- C:\Program Files\Fyrzg
2006-07-28 22:38 -------- d-------- C:\Program Files\Zone Labs
2006-07-28 21:09 4992 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdi.sys
2006-07-28 21:09 23424 --a------ C:\WINDOWS\SYSTEM32\drivers\avgmfrs.sys
2006-07-28 21:09 -------- d-------- C:\Documents and Settings\Daniel\Application Data\AVG7
2006-07-28 21:08 4288 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7rsw.sys
2006-07-28 12:52 64472 --a------ C:\WINDOWS\SYSTEM32\lzx32.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-23 14:35 11430 --a------ C:\delfiles.bat
2006-07-22 11:59 -------- d-------- C:\Program Files\QuickTime
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-13 18:21 -------- d-------- C:\Program Files\Common Files\Services


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"0mcamcap"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"stup"="c:\\dbxslo.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"stup"="c:\\dbxslo.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxdmain

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 09/08/2006 10:59:52.59
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 11:14:47 AM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firefox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.firefox.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154143734952
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150467821529
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...d/UnSkin/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.87.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4532BD06-C0D0-498E-928D-BCF1479B0D20}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


:whistling: discorae
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"0mcamcap"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"stup"="c:\\dbxslo.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"stup"="c:\\dbxslo.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxdmain

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 09/08/2006 10:59:52.59
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 11:14:47 AM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firefox.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.firefox.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154143734952
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150467821529
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...d/UnSkin/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.87.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...on.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4532BD06-C0D0-498E-928D-BCF1479B0D20}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


:whistling: discorae
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hmm, there is certainly something not right.

Please disable Windows defender and Spywareguard during this procedure.

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Once this has been done:
Go to Start | Run, type in Notepad. Click Format from the Notepad menu and ensure
"Word Wrap" is NOT selected. Copy and paste all the 'RED TEXT' below into Notepad.

Please ensure that in Notepad there is no space before REGEDIT4,
but a blank line is required at the end of the regfix.


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"0mcamcap"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stup"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stup"=-

Click: File | Save As
Change the Save as type to: All Files
Save it to your desktop as: fix.reg

Locate fix.reg on your desktop and double-click it.
When asked if you want to merge with the registry, click "YES".
Wait for the "merged successfully" prompt.

Then reboot the computer and see if you can find this file:
c:\dbxslo.exe

Delete it if it is present.

Then run the scan again and let me know the results.

Regards,
  • 0

#6
discorae

discorae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
HI!!!

I've done as you instructed and below is the scan report from combofix. I wanted to mention that when I tried to disable the spyware guard, it wouldn't open. When I located it in "my computer", the date for the program was different!! This I found to be VERY strange indeed. It was just installed in the last month or two and the changed date listed 2003! Perhaps nothing to worry about, although it did at least function previously. Anyway..... thanks for your help.

Daniel - 06-09-08 13:57:37.18
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Daniel\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-08 to 2006-09-08 ))))))))))))))))))))))))))))))))))


2006-08-08 22:30 90,112 --a------ C:\WINDOWS\SYSTEM32\RegDACL.exe
2006-08-08 22:30 38,400 --a------ C:\WINDOWS\SYSTEM32\moveex.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-08 11:43 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-08 11:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-08 11:14 -------- d-------- C:\Program Files\hijack this
2006-09-07 11:10 -------- d-------- C:\Program Files\SpywareGuard
2006-09-07 11:10 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-06 22:52 -------- d-------- C:\Program Files\MSN Games
2006-09-04 13:38 -------- d-------- C:\Documents and Settings\Daniel\Application Data\PlayFirst
2006-09-04 13:13 -------- d-------- C:\Program Files\Grisoft
2006-08-30 14:54 -------- d---s---- C:\Documents and Settings\Daniel\Application Data\Microsoft
2006-08-30 13:03 -------- d-------- C:\Program Files\Adobe
2006-08-30 13:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-30 13:02 -------- d-------- C:\Documents and Settings\Daniel\Application Data\InterTrust
2006-08-30 13:01 893 --a------ C:\Documents and Settings\Daniel\Application Data\AdobeDLM.log
2006-08-30 13:01 299 --a------ C:\Documents and Settings\Daniel\Application Data\dm.ini
2006-08-29 12:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-29 12:22 -------- d-------- C:\Program Files\Google
2006-08-29 12:22 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Google
2006-08-29 12:21 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-26 10:17 -------- d-------- C:\Program Files\CCleaner
2006-08-25 14:36 -------- d-------- C:\Program Files\CleanUp!
2006-08-22 13:59 -------- d-------- C:\Program Files\Real
2006-08-16 13:42 2359350 --a------ C:\Documents and Settings\Daniel\Application Data\ZBWallpaper.bmp
2006-08-15 14:37 -------- d-------- C:\Program Files\MSN Messenger
2006-08-14 18:49 -------- d-------- C:\Documents and Settings\Daniel\Application Data\MSNInstaller
2006-08-14 18:42 -------- d-------- C:\Program Files\MSN
2006-08-11 16:32 777472 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
2006-08-11 16:32 27904 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7rsxp.sys
2006-08-10 11:47 -------- d-------- C:\Program Files\Internet Explorer
2006-08-05 12:00 -------- d-------- C:\Program Files\adaware se
2006-08-04 16:51 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Sun
2006-08-04 12:00 -------- d-------- C:\Program Files\Windows Defender
2006-08-02 20:46 -------- d-------- C:\Program Files\Java
2006-08-02 20:18 -------- d-------- C:\Program Files\Common Files\Java
2006-08-02 20:18 -------- d-------- C:\Program Files\Common Files
2006-08-02 16:37 -------- d-------- C:\Documents and Settings\Daniel\Application Data\TrojanHunter
2006-07-31 12:26 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Lavasoft
2006-07-31 12:25 -------- d-------- C:\Program Files\Lavasoft
2006-07-29 09:35 -------- d-------- C:\Documents and Settings\Daniel\Application Data\Mozilla
2006-07-29 08:51 -------- d-------- C:\Program Files\Windows Media Player
2006-07-29 08:51 -------- d-------- C:\Program Files\Outlook Express
2006-07-29 08:51 -------- d-------- C:\Program Files\Common Files\System
2006-07-29 08:47 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-29 01:55 -------- d-------- C:\Program Files\Messenger
2006-07-29 00:43 -------- d-------- C:\Program Files\Movie Maker
2006-07-29 00:40 -------- d-------- C:\Program Files\Windows NT
2006-07-29 00:40 -------- d-------- C:\Program Files\NetMeeting
2006-07-28 23:06 -------- d-------- C:\Program Files\XPSP2
2006-07-28 22:59 -------- d-------- C:\Program Files\Fyrzg
2006-07-28 22:38 -------- d-------- C:\Program Files\Zone Labs
2006-07-28 21:09 4992 --a------ C:\WINDOWS\SYSTEM32\drivers\avgtdi.sys
2006-07-28 21:09 23424 --a------ C:\WINDOWS\SYSTEM32\drivers\avgmfrs.sys
2006-07-28 21:09 -------- d-------- C:\Documents and Settings\Daniel\Application Data\AVG7
2006-07-28 21:08 4288 --a------ C:\WINDOWS\SYSTEM32\drivers\avg7rsw.sys
2006-07-28 12:52 64472 --a------ C:\WINDOWS\SYSTEM32\lzx32.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-23 14:35 11430 --a------ C:\delfiles.bat
2006-07-22 11:59 -------- d-------- C:\Program Files\QuickTime
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-13 18:21 -------- d-------- C:\Program Files\Common Files\Services


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxdmain

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 09/08/2006 13:58:11.00
ComboFix.txt
ComboFix2.txt

:whistling: discorae
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That looks clean. Good job. :whistling:

Now please find and delete (if present):
C:\WINDOWS\SYSTEM32\lzx32.sys

Downloading
  • Surf to: Sophos free tools: Anti-Rootkit
  • Click the "Download" button
  • Read the conditions and fill out your Details.
  • Click the Download Sophos Anti-Rootkit link.
  • Save sarsfx.exe to a location on your hard drive where you can find it later on.
Installing
  • Close as many applications as possible and execute sarsfx.exe by double-clicking it.
  • Accept the EULA and install the software to the location of your choice. (Default is C:\SOPHTEMP)
Running for analysis
  • In that folder find and double-click sargui.exe
  • Select the areas that you want to scan for hidden objects (Running processes, Windows registry, Local hard drives)
  • Click Start > Run and copy this command into the window %TEMP%\sarscan.log and click OK to execute.
  • A textfile will open. Post the content of that file.
Please do not act upon the data it provides.
I'll try and read it as soon as I can.
Close down the program if I'm not online. You can rerun it later and fix the things I point out.

Regards,
  • 0

#8
discorae

discorae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Alrighty... found and deleted mentioned item (windows\system32\lzx32.sys)

also performed the root kit scan and the results.... (drum roll please) it found nothing.

Sophos Anti-Rootkit Version 1.0 © 2006 Sophos Plc
Started logging on 9/8/2006 at 14:50:48 PM
Warning: Failed to flush drive \\.\C:. Registry scan may produce
invalid results.
The process cannot access the file because it is being used by another process.
Stopped logging on 9/8/2006 at 14:51:34 PM


Sophos Anti-Rootkit Version 1.0 © 2006 Sophos Plc
Started logging on 9/8/2006 at 14:51:56 PM
Warning: Failed to flush drive \\.\C:. Registry scan may produce
invalid results.
The process cannot access the file because it is being used by another process.
Stopped logging on 9/8/2006 at 14:54:11 PM

so I anxiously await your next instruction and, as always, thanks for your assistance!
:whistling: discorae

Edited by discorae, 08 September 2006 - 05:03 PM.

  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Very good. Last check. :whistling:
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • pe386
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Oh and something for my curiosity. Is your drive using the FAT32 filesystem?
You can tell by right-clicking the drive icon and choosing Properties.
On the general tab the Filesystem is mentioned.


Regards,
  • 0

#10
discorae

discorae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Mornin' mornin' :whistling:

file system listed says "NTFS"

results of latest test:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "pe386" 9/9/2006 10:18:15 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\pe386]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\pe386\Security]


And that's it for now, I guess.... until next time
thank you!!!!!
:blink: discorae
  • 0


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Ah very good. :whistling:

It's no longer in the CurrentControlSet (which is the one in use).

I'll remove it anyway or else the scanners will keep finding it.

Copy the part in the CODE box below into notepad and save it as pe386uncurrent.reg
Set Filetype to "all files"

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\pe386]

Double-click that file and confirm you want to merge it with the registry.

Reboot and run Spyware Doctor.
Let me know if it still finds anything.

Regards,
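The point Metallica makes above is the one worth checking before touching any Services key: CurrentControlSet is just a pointer to one of the ControlSetNNN hives, and HKLM\SYSTEM\Select\Current says which one. The script below is an added example, not from the original thread or from any tool used in it. Run it in an elevated PowerShell prompt; it resolves the live control set, reports every control set that still carries a service key of the given name (pe386 by default, as in the thread), and writes a REGEDIT4 deletion file for the copies that are not in use. The output path and the default service name are assumptions for illustration.

```powershell
# Added example, not part of the original thread. Run elevated.
# Finds which ControlSetNNN is live (what CurrentControlSet points at), lists every
# control set that still holds the named service key, and writes a REGEDIT4 .reg file
# that deletes only the copies that are NOT in use.
param(
    [string]$ServiceName = 'pe386',                              # service key name from the thread
    [string]$OutFile     = "$env:TEMP\$ServiceName-uncurrent.reg" # assumed output location
)

# HKLM\SYSTEM\Select\Current is the number of the control set the running system booted with;
# LastKnownGood is the set that will be used if you pick "Last Known Good Configuration".
$select   = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current  = 'ControlSet{0:D3}' -f [int]$select.Current
$lastGood = 'ControlSet{0:D3}' -f [int]$select.LastKnownGood

$staleKeys = @()
$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($cs in $sets) {
    $set     = $cs.PSChildName
    $svcPath = "HKLM:\SYSTEM\$set\Services\$ServiceName"
    if (-not (Test-Path -Path $svcPath)) { continue }

    $state = 'stale'
    if ($set -eq $current)      { $state = 'IN USE (CurrentControlSet)' }
    elseif ($set -eq $lastGood) { $state = 'LastKnownGood' }
    '{0,-13} {1}' -f $set, $state

    # Only copies outside the live set go in the deletion file. A key in the live set means
    # the driver can still load at boot and needs proper handling, not a blind registry delete.
    if ($set -ne $current) {
        $staleKeys += "HKEY_LOCAL_MACHINE\SYSTEM\$set\Services\$ServiceName"
    }
}

if ($staleKeys.Count -eq 0) {
    "No '$ServiceName' service key found outside the control set in use; nothing to write."
    return
}

# REGEDIT4 files are ANSI text. A leading '-' on a key line means "delete this key and its
# subkeys" when the file is merged. Regedit expects each entry followed by a blank line.
$lines = @('REGEDIT4', '')
foreach ($k in $staleKeys) {
    $lines += "[-$k]"
    $lines += ''
}
Set-Content -Path $OutFile -Value $lines -Encoding Ascii
"Wrote $OutFile. Review it, then double-click it or run: reg import `"$OutFile`""
```

Reading `Select\Current` first is the check that turns "the scanner found it in ControlSet005" into a decision: if the number there is 5, the key is live and the `[-...]` file above must not be merged; if it is anything else, the ControlSet005 copy is a leftover and deleting it only stops scanners re-reporting it.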

#12 discorae (Member, Topic Starter)
I think that did the trick!
Funny, but the only thing Spyware Doctor found was a GTG tracking cookie :blink:

Can I remove/delete the items we used to clean up the registry:
combofix and regsrch?

Thanks so much for your help!! Glad it was just easy and you've been incredibly attentive and a prolific poster (it was worth the wait). I appreciate your time and knowledge!!!

Let me know if there are any further steps or scans to perform.

Cheers :whistling:
discorae
#13 Metallica (Spyware Veteran, GeekU Moderator)
They're calling our cookies tracking cookies?

They can forget about getting any commercials from me then. :whistling:

Yes, combofix and regsrch have done their thing and can be discarded.

Please do have a look at my site about removing and preventing spyware.

If you're happy, then I am. :blink:
#14 discorae (Member, Topic Starter)
Hi Metallica

So, I guess I spoke a bit too soon. But first, the scan did say that the GTG cookie was a LOW threat.

In my curiosity I performed a scan with Webroot's Spy Sweeper. I know it comes highly recommended and I wish I could afford it; or for that matter, they wouldn't feel it necessary to charge for their product (in order to fix what the scan finds), but I digress. Nonetheless, it found something else in the registry that none of the other scans have:

HKCR\clsid\{f0c8173f-bc0e-4a06-aba9-db5a3e1fda89}\
HKLM\software\classes\clsid\{f0c8173f-bc0e-4a06-aba9-db5a3e1fda89}\

they were referred to as "tibs dialer"
(I notice they seem to be related to one another in terms of the string of #s)

then something else called "apropos" located:
c:\documents and settings\all users\application data...\exec.exe

So, I didn't know if you'd be willing to continue to help me edit my registry or if I needed to start a new string. I haven't gotten rid of those aforementioned programs yet (combofix and regsrch), as we may need them.

let me know...your help has been kindly received and I'm very appreciative, but I'll post another string if needed.

Thanks a BUNCH
discorae

ps- I've already checked out your site and bookmarked several things! :whistling: Thanks for the heads up though!!

#15 Metallica (Spyware Veteran, GeekU Moderator)
Sure thing. No problem. :whistling:

You mentioned you still have Regsearch.
  • Run it again.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • {f0c8173f-bc0e-4a06-aba9-db5a3e1fda89}
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
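Before the search results come back, it helps to know what a CLSID key actually registers, since the two paths Spy Sweeper listed are one key seen twice: HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes. The script below is an added example, not from the original thread or from any of the tools used in it. It looks the GUID up under both real locations, reads the COM server path from InprocServer32 or LocalServer32, and reports whether that file is still on disk, which is the detail you want before deleting the key. The GUID default is the one quoted in the thread; the path-trimming regex is an illustration, not a complete parser for every server string.

```powershell
# Added example, not part of the original thread.
# Resolves a scanner-reported CLSID to the COM server it registers and checks the file exists.
# HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so look in both real hives.
param([string]$Clsid = '{f0c8173f-bc0e-4a06-aba9-db5a3e1fda89}')  # GUID from the thread

$roots = @(
    "HKLM:\Software\Classes\CLSID\$Clsid",
    "HKCU:\Software\Classes\CLSID\$Clsid"
)

foreach ($key in $roots) {
    if (-not (Test-Path -Path $key)) {
        "$key : not present"
        continue
    }
    # The key's default value is the human-readable class name, if the registrant set one.
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    "$key : '$name'"

    # InprocServer32 holds an in-process DLL path; LocalServer32 holds an out-of-process EXE
    # command line. Either one's default value is the file the CLSID loads.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $subKey = Join-Path -Path $key -ChildPath $sub
        if (-not (Test-Path -Path $subKey)) { continue }

        $raw = (Get-ItemProperty -Path $subKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { "  $sub : (no default value)"; continue }

        # Expand %SystemRoot% etc., then strip surrounding quotes and trailing arguments
        # (illustrative trimming; covers the common "path" and path /arg forms).
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $file = $expanded -replace '^"([^"]+)".*', '$1'
        $file = $file -replace '^(\S+\.(dll|exe|ocx)).*', '$1'

        $status = if (Test-Path -LiteralPath $file) { 'file present' } else { 'file MISSING' }
        '  {0,-14} {1}  [{2}]' -f $sub, $raw, $status
    }
}
```

A CLSID whose server file is already gone is a dead registration and deleting the key is safe housekeeping; one whose DLL is still present tells you what to submit for analysis and what else (BHO lists, SharedTaskScheduler, ShellExecuteHooks) to search for the same GUID.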