Possible Smitfraud or Virtumonde infection
Started by metalchick666, Apr 25 2007 01:10 PM
#16
Posted 10 May 2007 - 09:03 PM
#17
Posted 11 May 2007 - 01:32 PM
metalchick666,
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
#18
Posted 11 May 2007 - 10:38 PM
Thanks again OwNt.
Here is the ComboFix log:
"Owner" - 2007-05-12 0:30:05 Service Pack 1
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\install.log
C:\WINDOWS\system32\msdtc.dll
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))
2007-05-07 16:16 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BonkEnc
2007-05-07 15:09 <DIR> d-------- C:\Program Files\BonkEnc
2007-05-07 15:08 3,740,266 --a------ C:\Program Files\BonkEnc-1.0.2.exe
2007-05-01 22:54 <DIR> d-------- C:\Deckard
2007-05-01 22:31 <DIR> d-------- C:\VundoFix Backups
2007-04-28 13:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-25 22:32 899,952 --a------ C:\Program Files\fsbl.exe
2007-04-25 14:53 <DIR> d-------- C:\Program Files\Hijack This
2007-04-25 12:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-21 14:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-20 23:49 13,198,504 --a------ C:\Program Files\ssftrialsnrsetup1_1918549844.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-01 01:27:52 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-28 18:47:29 -------- d-----w C:\Program Files\backups
2007-04-25 18:52:36 -------- d-----w C:\Program Files\iWin Games
2007-04-25 18:23:14 -------- d-----w C:\Program Files\Online Services
2007-04-24 03:03:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-04-07 03:55:47 -------- d-----w C:\Program Files\Soulseek
2007-03-30 03:14:30 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-23 21:09:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\webex
2007-03-23 21:08:52 51,304 ----a-w C:\WINDOWS\system32\drivers\atnt40k.sys
2007-03-23 21:08:42 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-03-23 17:05:56 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SonicWALL
2007-03-23 17:00:03 -------- d-----w C:\Program Files\Common Files\Deterministic Networks
2007-03-23 16:59:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-23 16:59:44 -------- d-----w C:\Program Files\SonicWALL
2007-03-23 16:58:54 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-09 05:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-02-15 03:21:24 1,682,333 ----a-w C:\Program Files\jewel-quest-2-setup.exe
2007-02-11 15:35:54 67,480 ----a-w C:\Program Files\MySpaceIM_Setup.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"POINTER"="\"C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe\""
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Lexmark X6100 Series"="\"C:\\Program Files\\Lexmark X6100 Series\\lxbfbmgr.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="\"rundll32.exe\" nview.dll,nViewLoadHook"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5}"="C:\Program Files\Zone Labs\ZoneAlarm\images.dll" [x]
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AloPar.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Parallel Arbitrator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
C:\PROGRA~1\Adobe\ACROBA~3.0\Reader\READER~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^quicken scheduled updates.lnk
C:\PROGRA~1\Quicken\bagent.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^owner^start menu^programs^startup^openoffice.org 1.1.0.lnk
C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccregvfy
"c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds
C:\WINDOWS\System32\hkcmd.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray
C:\WINDOWS\System32\igfxtray.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard manager
C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\omnipass
C:\Program Files\Softex\OmniPass\scureapp.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
"C:\Windows\Creator\Remind_XP.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\storageguard
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemgr
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent
"C:\Program Files\Winamp3\winampa.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yahoo! pager
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=dword:00000002
"omniserv"=dword:00000002
"Fax"=dword:00000003
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"ALiUSBfix"="C:\\WINDOWS\\System32\\GREENMARK.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 00:35:02
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-12 0:35:17
C:\ComboFix-quarantined-files.txt ... 2007-05-12 00:35
The HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:36:29 AM, on 5/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi6.ebay.com...I...t=8&rows=25
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [POINTER] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ZoneAlarm - {85F60C7C-6FB9-A35C-C1D5-66DEF483E0A5} - C:\Program Files\Zone Labs\ZoneAlarm\images.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#19
Posted 12 May 2007 - 11:04 AM
Hello metalchick666,
I don't see anything fairly obvious indicating malware is still on your system.
Please let me know if you are still receiving pop-ups; if so, we will dig a little deeper.