
do i have zlob trojan still



#1
sdb91

  • Member
  • 10 posts
Got rid of it, I believe, but I have a pop-up that says there are updates ready to be installed. But when I turn off my computer it doesn't have the option to turn off the computer with or without installing updates. And it is only on my profile.

Logfile of HijackThis v1.99.1
Scan saved at 3:55:18 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\sabastian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myway....h/default.jhtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C002426B-D6AA-FC21-DD06-FAADDAE273E1} - C:\WINDOWS\system32\hvrwactf.dll (file missing)
O2 - BHO: (no name) - {C70C163A-D3A8-FE2D-8C06-FAADDAE273B3} - C:\WINDOWS\system32\tpmfij.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kzmlhqw] "C:\Program Files\??crosoft\?hkntfs.exe"
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

And my uninstall list:


Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AoA Audio Extractor 1.0
AVG 7.5
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Photo Printer 720 Logger
DellSupport
Digital Content Portal
Free Mp3 Wma Converter V 1.5.6
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ICQ6
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
KeepV Flash Converter
KeyScrambler
LEARN Microsoft® Word xp
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Mavis Beacon Teaches Typing 15
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (2.0.0.5)
MSXML 6.0 Parser (KB927977)
MyWay Search Assistant
Native Instruments Guitar Rig Demo
NBFree MP3 to WMA Converter v2
NetZeroInstallers
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
RoamDrive 1.0.2292.14902
Samsung USB Driver (MCCI 4.24 WHQL)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Series 6 Drill and Practice
Series 63 Databank
Series 63 Drill and Practice
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
STOPzilla
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Viewpoint Media Player
VZAccess Manager
Watchtower Library 2005 - English Edition
Watchtower Library 2006 - English Edition
WebCyberCoach 3.2 Dell
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10
Windows Media Recorder
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WordPerfect Office 12
Zune

thank you for all your help :whistling:

Edited by sdb91, 23 July 2007 - 03:39 PM.



#2
ricox

  • Visiting Consultant
  • 331 posts
Hello and Welcome to Geeks to Go :whistling:

I am ricox and I will be assisting you with your malware problem.
Currently I'm studying your log and will be back to you as soon as possible. Thank you for your patience. :blink:

Edited by ricox, 24 July 2007 - 10:05 AM.


#3
ricox

  • Visiting Consultant
  • 331 posts
Hi again :whistling:


**********************************************************

First, please move HijackThis to a permanent folder.
* Open My Computer, then click C:\ and then on Program Files or another folder that is easy to find.
* In the menu bar choose File >> New >> Folder.
* That will create a folder named New Folder; rename it to HJT or some other name you are likely to remember.
* Move HijackThis.exe and the backups folder (if it exists) from your desktop to the new folder.

**********************************************************

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of C:\rapport.txt in your reply.

**********************************************************

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#4
sdb91

  • Topic Starter
  • Member
  • 10 posts
SmitFraudFix v2.202

Scan done at 21:10:17.37, Tue 07/24/2007
Run from C:\Documents and Settings\sabastian\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sabastian


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sabastian\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SABAST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.93.41.125
DNS Server Search Order: 24.93.41.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C1FE25E6-4BAB-4C39-A14E-9142FACEF511}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C1FE25E6-4BAB-4C39-A14E-9142FACEF511}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C1FE25E6-4BAB-4C39-A14E-9142FACEF511}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Combofix


"sabastian" - 2007-07-25 18:40:34 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-24 21:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 21:10 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-24 21:10 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-24 21:10 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-24 21:07 <DIR> d-------- C:\Program Files\Hijack This
2007-07-22 02:51 <DIR> d-------- C:\MyAudio
2007-07-20 23:04 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-07-10 18:21 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\Talkback
2007-07-09 23:31 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-07-09 23:31 <DIR> d-------- C:\Program Files\KeyScrambler
2007-07-09 01:55 368 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-07 02:20 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2007-07-05 18:27 <DIR> d-------- C:\Program Files\KeepV Converter
2007-07-02 23:43 <DIR> d-------- C:\Program Files\RoamDrive
2007-07-02 23:32 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\RoamDrive
2007-07-02 23:03 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-02 23:03 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-07-02 23:02 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-07-02 23:02 679,936 --a------ C:\WINDOWS\system32\NCTMPEGFile.dll
2007-07-02 23:02 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-07-02 23:02 589,824 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-07-02 23:02 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-07-02 23:02 3,031,040 --a------ C:\WINDOWS\system32\NCTVideoTransform.dll
2007-07-02 23:02 294,912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-07-02 23:02 2,260,992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-07-02 23:02 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-07-02 23:02 139,264 --a------ C:\WINDOWS\system32\NCTVideoPlayer.dll
2007-07-02 23:02 139,264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-07-02 23:02 1,810,432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-07-02 23:02 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-07-02 23:02 1,245,184 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-07-02 23:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-07-02 22:02 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\COWON
2007-07-02 19:17 <DIR> d-------- C:\Program Files\GetFLV
2007-07-02 15:55 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Talkback
2007-07-02 15:43 <DIR> d-------- C:\Program Files\NBFree MP3 to WMA Converter
2007-07-01 14:33 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-07-01 14:33 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-07-01 14:33 307,200 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-01 14:33 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-07-01 14:33 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-07-01 14:33 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-07-01 14:33 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-07-01 14:33 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-07-01 01:05 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-01 00:51 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Real
2007-07-01 00:49 1,535 --a------ C:\WINDOWS\mozver.dat
2007-06-29 22:32 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Printer Info Cache
2007-06-29 22:21 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Wal-Mart Digital Photo Manager
2007-06-29 22:17 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Wal-Mart Digital Photo Viewer
2007-06-28 11:53 217,088 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-06-27 14:02 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\U3


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 07:36:18 -------- d-----w C:\Program Files\STOPzilla!
2007-07-23 07:30:22 -------- d-----w C:\DOCUME~1\SABAST~1\APPLIC~1\U3
2007-07-09 05:25:11 -------- d-----w C:\Program Files\Enigma Software Group
2007-07-03 03:23:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-01 19:36:37 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-01 19:36:37 104 --sh--r C:\WINDOWS\system32\A4762F337B.sys
2007-06-22 19:59:18 126,976 ----a-r C:\WINDOWS\system32\IS3HTUI5.dll
2007-06-22 19:59:10 294,912 ----a-r C:\WINDOWS\system32\IS3DBA5.dll
2007-06-22 19:58:22 372,736 ----a-r C:\WINDOWS\system32\IS3UI5.dll
2007-06-22 19:58:08 69,632 ----a-r C:\WINDOWS\system32\IS3Hks5.dll
2007-06-22 19:57:48 23,040 ----a-r C:\WINDOWS\system32\IS3XDat5.dll
2007-06-22 19:57:30 184,320 ----a-r C:\WINDOWS\system32\IS3Win325.dll
2007-06-22 19:57:10 94,208 ----a-r C:\WINDOWS\system32\IS3Inet5.dll
2007-06-22 19:56:58 90,112 ----a-r C:\WINDOWS\system32\IS3Svc5.dll
2007-06-22 19:56:34 688,128 ----a-r C:\WINDOWS\system32\IS3Base5.dll
2007-06-17 04:51:44 37,240 ----a-w C:\DOCUME~1\SABAST~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-14 18:38:15 -------- d-sh--w C:\Program Files\outlook
2007-06-14 17:04:24 -------- d-----w C:\Program Files\Common Files\iS3
2007-06-14 04:41:33 1,811,326 --sha-w C:\WINDOWS\system32\jmllm.ini2
2007-06-13 23:09:15 1,816,099 --sha-w C:\WINDOWS\system32\jmllm.bak2
2007-06-13 22:49:58 9,216 ----a-w C:\WINDOWS\system32\avgwlntf.dll
2007-06-13 22:49:56 110,592 ----a-w C:\WINDOWS\system32\avgfwafu.dll
2007-06-13 22:29:23 167 ----a-w C:\2902.bat
2007-06-10 03:16:33 384 ----a-w C:\DOCUME~1\SABAST~1\APPLIC~1\internaldb6334.dat
2007-06-10 02:49:27 167 ----a-w C:\WINDOWS\system32\4011.bat
2007-06-10 02:23:31 194 ----a-w C:\DOCUME~1\SABAST~1\APPLIC~1\internaldb8467.dat
2007-06-08 17:17:31 167 ----a-w C:\WINDOWS\system32\7451.bat
2007-06-08 03:19:55 1,808,551 --sha-w C:\WINDOWS\system32\jmllm.bak1
2007-06-07 21:50:45 167 ----a-w C:\WINDOWS\system32\8554.bat
2007-06-07 21:50:40 73 ----a-w C:\WINDOWS\system32\n.bat
2007-06-07 21:50:26 0 ----a-w C:\WINDOWS\system32\x.dat
2007-06-07 21:50:23 86,016 ----a-w C:\WINDOWS\system32\ps.exe
2007-06-07 21:49:51 0 ----a-w C:\WINDOWS\system32\taskkill.exe
2007-06-07 06:10:29 -------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-06-07 06:10:22 -------- d-----w C:\DOCUME~1\SABAST~1\APPLIC~1\U3(2)
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 03:00:57 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.129-3528733L.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-09-02 22:38:50 1,603 ----a-w C:\Program Files\uninstal.log


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C002426B-D6AA-FC21-DD06-FAADDAE273E1}]
C:\WINDOWS\system32\hvrwactf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C70C163A-D3A8-FE2D-8C06-FAADDAE273B3}]
C:\WINDOWS\system32\tpmfij.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-02 15:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Kzmlhqw"="C:\Program Files\??crosoft\?hkntfs.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-13 17:50:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-06-13 17:49 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Charter High-Speed Security Suite.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Charter High-Speed Security Suite.lnk
backup=C:\WINDOWS\pss\Charter High-Speed Security Suite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"FSMA"=2 (0x2)
"fshttps"=3 (0x3)
"FSDFWD"=3 (0x3)
"BackWeb Plug-in - 3528733"=2 (0x2)
"FSBWSYS"=2 (0x2)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)

R1 AvgMfx86;AVG Minifilter x86 Resident Driver;C:\WINDOWS\system32\Drivers\avgmfx86.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
S2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
S2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
S4 F-Secure Gatekeeper Handler Starter;FSGKHS;"C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 18:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000004ea

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 18:51:30
C:\ComboFix-quarantined-files.txt ... 2007-07-25 18:51

#5 ricox
  • Visiting Staff
  • Visiting Consultant
  • 331 posts
Hi,

C:\WINDOWS\system32\4011.bat
C:\2902.bat
C:\WINDOWS\system32\7451.bat
C:\WINDOWS\system32\8554.bat
C:\WINDOWS\system32\n.bat


If you don't know these files, please delete them manually from your hard disk.

then,


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\x.dat

Folder::
C:\Program Files\outlook

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C002426B-D6AA-FC21-DD06-FAADDAE273E1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C70C163A-D3A8-FE2D-8C06-FAADDAE273B3}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kzmlhqw"=-


Save this as CFScript.txt

[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


******************************************************

Please submit the following files to one of these online file scanners.

C:\WINDOWS\bwUnin-6.3.2.129-3528733L.exe
C:\WINDOWS\system32\ps.exe
C:\WINDOWS\system32\taskkill.exe
Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.

******************************************************

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
******************************************************

Information to include in your next post:

* C:\combofix.txt
* AVG Anti-Spyware report
* fresh HijackThis log
* jotti/virustotal report

#6 sdb91
  • Topic Starter
  • Member
  • 10 posts
virusscan jotti scan

Scan taken on 30 Jul 2007 01:37:02 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


C:\WINDOWS\system32\ps.exe ---- Wouldn't scan. AVG popped up and it found trojan small and I clicked heal.



C:\WINDOWS\system32\taskkill.exe ---- wouldn't scan



I have the full version of AVG and don't know how to do those changes


Antivirus Version Last Update Result
AhnLab-V3 2007.7.28.0 2007.07.30 -
AntiVir 7.4.0.54 2007.07.30 -
Authentium 4.93.8 2007.07.30 -
Avast 4.7.997.0 2007.07.30 -
AVG 7.5.0.476 2007.07.30 -
BitDefender 7.2 2007.07.30 -
CAT-QuickHeal 9.00 2007.07.30 -
ClamAV 0.91 2007.07.30 -
DrWeb 4.33 2007.07.30 -
eSafe 7.0.15.0 2007.07.29 -
eTrust-Vet 31.1.5016 2007.07.30 -
Ewido 4.0 2007.07.30 -
FileAdvisor 1 2007.07.30 -
Fortinet 2.91.0.0 2007.07.30 -
F-Prot 4.3.2.48 2007.07.30 -
F-Secure 6.70.13030.0 2007.07.30 -
Ikarus T3.1.1.8 2007.07.30 -
Kaspersky 4.0.2.24 2007.07.30 -
McAfee 5086 2007.07.30 -
Microsoft 1.2704 2007.07.30 -
NOD32v2 2429 2007.07.30 -
Norman 5.80.02 2007.07.30 -
Panda 9.0.0.4 2007.07.30 -
Prevx1 V2 2007.07.30 -
Rising 19.34.02.00 2007.07.30 -
Sophos 4.19.0 2007.07.26 -
Sunbelt 2.2.907.0 2007.07.28 -
Symantec 10 2007.07.30 -
TheHacker 6.1.7.158 2007.07.30 -
VBA32 3.12.2.1 2007.07.30 -
VirusBuster 4.3.26:9 2007.07.30 -
Webwasher-Gateway 6.0.1 2007.07.30 -
Additional information
File size: 118842 bytes
MD5: 294d8942af4a1fee275b55531c959b7b
SHA1: 322c125edd25f025af4641a32ebee23204e240eb

C:\WINDOWS\system32\ps.exe
C:\WINDOWS\system32\taskkill.exe ----- neither would scan

combofix

"sabastian" - 2007-07-30 16:21:58 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\sabastian\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outlook
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\x.dat


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-30 16:22 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2007-07-24 21:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 21:10 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-24 21:10 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-24 21:10 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-24 21:07 <DIR> d-------- C:\Program Files\Hijack This
2007-07-22 02:51 <DIR> d-------- C:\MyAudio
2007-07-20 23:04 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-07-10 18:21 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\Talkback
2007-07-09 23:31 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-07-09 23:31 <DIR> d-------- C:\Program Files\KeyScrambler
2007-07-09 01:55 368 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-07 02:20 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2007-07-05 18:27 <DIR> d-------- C:\Program Files\KeepV Converter
2007-07-02 23:43 <DIR> d-------- C:\Program Files\RoamDrive
2007-07-02 23:32 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\RoamDrive
2007-07-02 23:03 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-02 23:03 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-07-02 23:02 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-07-02 23:02 679,936 --a------ C:\WINDOWS\system32\NCTMPEGFile.dll
2007-07-02 23:02 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-07-02 23:02 589,824 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-07-02 23:02 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-07-02 23:02 3,031,040 --a------ C:\WINDOWS\system32\NCTVideoTransform.dll
2007-07-02 23:02 294,912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-07-02 23:02 2,260,992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-07-02 23:02 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-07-02 23:02 139,264 --a------ C:\WINDOWS\system32\NCTVideoPlayer.dll
2007-07-02 23:02 139,264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-07-02 23:02 1,810,432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-07-02 23:02 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-07-02 23:02 1,245,184 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-07-02 23:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-07-02 22:02 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\COWON
2007-07-02 19:17 <DIR> d-------- C:\Program Files\GetFLV
2007-07-02 15:55 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Talkback
2007-07-02 15:43 <DIR> d-------- C:\Program Files\NBFree MP3 to WMA Converter
2007-07-01 14:33 59,904 --a------ C:\WINDOWS\system32\Mscc2fr.dll
2007-07-01 14:33 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2007-07-01 14:33 307,200 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-01 14:33 21,504 --a------ C:\WINDOWS\system32\TABCTFR.DLL
2007-07-01 14:33 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2007-07-01 14:33 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2007-07-01 14:33 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2007-07-01 14:33 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-07-01 01:05 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-01 00:51 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Real
2007-07-01 00:49 1,535 --a------ C:\WINDOWS\mozver.dat
2007-06-29 22:32 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Printer Info Cache
2007-06-29 22:21 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Wal-Mart Digital Photo Manager
2007-06-29 22:17 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\Wal-Mart Digital Photo Viewer
2007-06-28 11:53 217,088 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-06-27 14:02 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\U3
2007-06-22 14:59 294,912 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-06-22 14:59 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-06-22 14:58 69,632 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-06-22 14:58 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-06-22 14:57 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-06-22 14:57 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-06-22 14:57 184,320 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-06-22 14:56 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-06-22 14:56 688,128 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-06-16 23:51 37,240 --a------ C:\DOCUME~1\SABAST~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-14 12:04 <DIR> d-------- C:\Program Files\STOPzilla!
2007-06-14 12:04 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-06-14 12:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-06-14 11:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-13 17:49 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-06-13 17:49 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-06-13 17:29 167 --a------ C:\2902.bat
2007-06-13 00:25 167 --a------ C:\DOCUME~1\heather\1232.bat
2007-06-10 19:20 167 --a------ C:\DOCUME~1\heather\9057.bat
2007-06-09 21:49 167 --a------ C:\WINDOWS\system32\4011.bat
2007-06-09 21:48 167 --a------ C:\DOCUME~1\SABAST~1\3813.bat
2007-06-09 21:26 167 --a------ C:\DOCUME~1\SABAST~1\5442.bat
2007-06-08 12:17 167 --a------ C:\WINDOWS\system32\7451.bat
2007-06-08 12:17 167 --a------ C:\DOCUME~1\heather\3062.bat
2007-06-08 08:11 167 --a------ C:\DOCUME~1\heather\6354.bat
2007-06-07 22:11 167 --a------ C:\DOCUME~1\heather\6448.bat
2007-06-07 18:47 73 --a------ C:\DOCUME~1\heather\n.bat
2007-06-07 18:47 167 --a------ C:\DOCUME~1\heather\1375.bat
2007-06-07 18:47 0 --a------ C:\DOCUME~1\heather\x.dat
2007-06-07 18:46 10,326 --a------ C:\DOCUME~1\heather\install.exe
2007-06-07 17:01 <DIR> d--hs---- C:\DOCUME~1\SABAST~1\Complete
2007-06-07 16:53 384 --a------ C:\DOCUME~1\SABAST~1\APPLIC~1\internaldb6334.dat
2007-06-07 16:53 194 --a------ C:\DOCUME~1\SABAST~1\APPLIC~1\internaldb8467.dat
2007-06-07 16:50 73 --a------ C:\WINDOWS\system32\n.bat
2007-06-07 16:50 167 --a------ C:\WINDOWS\system32\8554.bat
2007-06-07 16:49 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-06-07 02:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-07 01:20 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\U3
2007-06-07 00:44 <DIR> d-------- C:\DOCUME~1\SABAST~1\APPLIC~1\U3(2)
2007-06-06 17:17 <DIR> d-------- C:\DOCUME~1\SABAST~1\Incomplete
2007-06-03 18:37 3,407,872 --a------ C:\DOCUME~1\heather\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 03:23:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-01 19:36:37 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-01 19:36:37 104 --sh--r C:\WINDOWS\system32\A4762F337B.sys
2007-06-07 06:10:29 -------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 03:00:57 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.129-3528733L.exe
2006-09-02 22:38:50 1,603 ----a-w C:\Program Files\uninstal.log


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-02 15:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-13 17:50:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-06-13 17:49 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Charter High-Speed Security Suite.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Charter High-Speed Security Suite.lnk
backup=C:\WINDOWS\pss\Charter High-Speed Security Suite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"FSMA"=2 (0x2)
"fshttps"=3 (0x3)
"FSDFWD"=3 (0x3)
"BackWeb Plug-in - 3528733"=2 (0x2)
"FSBWSYS"=2 (0x2)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)

R1 AvgMfx86;AVG Minifilter x86 Resident Driver;C:\WINDOWS\system32\Drivers\avgmfx86.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
S2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
S2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
S4 F-Secure Gatekeeper Handler Starter;FSGKHS;"C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 16:28:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 16:29:50
C:\ComboFix-quarantined-files.txt ... 2007-07-30 16:29
C:\ComboFix2.txt ... 2007-07-25 18:51

--- E O F ---

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 4:35:08 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myway....h/default.jhtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Scanned with AVG but didn't make the changes, and it removed everything that came up.

Edited by sdb91, 30 July 2007 - 03:41 PM.

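The "Files Created" section of the ComboFix log above shows the pattern a helper looks for by eye: a run of 167-byte .bat files with random four-digit names dropped into several user profiles and into system32, plus a zero-byte taskkill.exe in system32 (the genuine Windows tool is never empty, so a zero-byte file carrying that name is not the real binary). As an added example, not code from this thread or from ComboFix, the following Python script parses lines in that section's layout and flags both patterns. The sample lines are copied from the log above plus one benign entry; the list of tool names it checks for is a constructed assumption for this example.

```python
import re
from collections import defaultdict

# Line shape used by ComboFix's "Files Created" section, as seen in the log above:
#   2007-06-09 21:49 167 --a------ C:\WINDOWS\system32\4011.bat
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-\w]{9}) (?P<path>.+)$"
)

# Names of Windows tools whose real binary is never zero bytes; a 0-byte file
# with one of these names in system32 cannot be the genuine tool.
# (Constructed list for this example, not taken from the thread.)
SHADOWED_TOOLS = {"taskkill.exe", "tasklist.exe", "cmd.exe", "regedit.exe"}

SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")


def parse_files_created(text):
    """Return a list of dicts for every line that matches the ComboFix layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners, blank lines and other layouts are skipped
        size_field = m.group("size")
        size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
        path = m.group("path")
        entries.append({
            "date": m.group("date"),
            "size": size,
            "attrs": m.group("attrs"),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def find_dropper_clusters(entries, min_count=3):
    """Group script files whose stem is purely numeric by byte size.

    Several identically sized .bat files with random numeric names spread over
    different profiles is a dropper leaving one copy per execution. Returns
    {size: [paths]} for every size that occurs at least min_count times.
    """
    by_size = defaultdict(list)
    for e in entries:
        stem, dot, ext = e["name"].rpartition(".")
        if dot and ("." + ext) in SCRIPT_EXTS and stem.isdigit() and e["size"] is not None:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def find_zero_byte_tools(entries):
    """Zero-byte files in system32 whose name matches a well-known Windows tool."""
    hits = []
    for e in entries:
        if e["size"] == 0 and e["name"] in SHADOWED_TOOLS \
                and "\\system32\\" in e["path"].lower():
            hits.append(e["path"])
    return hits


# Constructed sample: lines copied from the log in this thread plus one benign entry.
SAMPLE_LOG = """\
2007-07-09 23:31 113,128 --a------ C:\\WINDOWS\\system32\\drivers\\keyscrambler.sys
2007-06-13 17:29 167 --a------ C:\\2902.bat
2007-06-13 00:25 167 --a------ C:\\DOCUME~1\\heather\\1232.bat
2007-06-09 21:49 167 --a------ C:\\WINDOWS\\system32\\4011.bat
2007-06-09 21:48 167 --a------ C:\\DOCUME~1\\SABAST~1\\3813.bat
2007-06-07 18:47 73 --a------ C:\\DOCUME~1\\heather\\n.bat
2007-06-07 16:49 0 --a------ C:\\WINDOWS\\system32\\taskkill.exe
2007-07-24 21:07 <DIR> d-------- C:\\Program Files\\Hijack This
"""

if __name__ == "__main__":
    parsed = parse_files_created(SAMPLE_LOG)
    for size, paths in find_dropper_clusters(parsed).items():
        print(f"{len(paths)} numeric-named scripts of {size} bytes:")
        for p in paths:
            print("   ", p)
    for p in find_zero_byte_tools(parsed):
        print("zero-byte copy of a Windows tool:", p)
```

Run it against a full ComboFix log by reading the file into `parse_files_created`; lines from the "Find3M Report" section use a different layout and are simply ignored. The cluster threshold is deliberately low (three files) because a dropper that re-runs at each logon produces a new copy every time, so the count only grows.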

#7 ricox
  • Visiting Staff
  • Visiting Consultant
  • 331 posts
Hi, sorry for delay.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

MyWay Search Assistant

then,

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myway....h/default.jhtml
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Program Files\MyWaySA

********************************************

After that, reboot your computer.

********************************************

Go to http://www.savefile.com/ and upload C:\2902.bat file, post a link to this file in your next reply.

********************************************

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
********************************************

Post also a fresh HijackThis log.
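The entries ricox asks to have fixed above are picked out by eye: a start page pointing at a search portal, and R3/O2 hooks whose DLL is marked "(file missing)". As an added example, not code from this thread and not part of HijackThis, here is that triage as a small Python parser over HijackThis result lines. It goes one step beyond the instructions: the log posted earlier in the thread also carries "R1 ... ProxyServer = 127.0.0.1:8080", which sends Internet Explorer's traffic through whatever process is listening on that local port, so the parser flags a loopback proxy for verification too, and it collapses the five repeated O10 Winsock LSP lines into a single finding. The sample lines are copied from the posted log; the search-portal host list is a constructed assumption for this example.

```python
import re

# A HijackThis result line is "<section> - <rest>", e.g.
#   O2 - BHO: name - {CLSID} - C:\path\to.dll
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", re.IGNORECASE)

# Start-page hosts treated as unwanted, following the helper's instructions in
# this thread; a constructed list for this example, not a HijackThis feature.
SUSPECT_START_PAGE_HOSTS = ("search.myway.",)


def parse_hjt(text):
    """Yield (section, rest) for every HijackThis result line; other lines are skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("rest")


def _host_of(url):
    """Host part of a URL as HijackThis prints it (scheme optional)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def triage_hjt(text):
    """Return (line, reason) pairs worth a second look, in log order, without duplicates."""
    findings, seen = [], set()

    def flag(line, reason):
        if line not in seen:          # HijackThis repeats one LSP DLL per protocol entry
            seen.add(line)
            findings.append((line, reason))

    for sec, rest in parse_hjt(text):
        line = f"{sec} - {rest}"
        if sec == "R1" and ",ProxyServer = " in rest:
            proxy = rest.split(",ProxyServer = ", 1)[1].strip()
            if LOOPBACK_RE.match(proxy):
                flag(line, "browser proxy points at the local machine; "
                           "confirm a legitimate local proxy is installed")
        elif sec == "R0" and ",Start Page = " in rest:
            url = rest.split(",Start Page = ", 1)[1].strip()
            if _host_of(url).startswith(SUSPECT_START_PAGE_HOSTS):
                flag(line, "start page set to a search portal")
        elif sec in ("R3", "O2", "O3"):
            if rest.endswith("(file missing)"):
                flag(line, "orphaned hook: registered DLL is no longer on disk")
            elif "(no name)" in rest:
                flag(line, "unnamed browser hook")
        elif sec == "O10":
            flag(line, "Winsock LSP module HijackThis does not recognise; verify its vendor")
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.myway....h/default.jhtml
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\\Program Files\\MyWaySA\\SrchAsDe\\deSrcAs.dll (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\avgfwafu.dll
"""

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}]\n    {line}")
```

The O10 finding is a prompt to check the vendor, not a verdict: in the posted log the LSP DLL is AVG's own firewall module, and the O23 service lines confirm it. The loopback-proxy check is the one that matters most on a home PC, because nothing in the posted process list is a proxy, so the setting should be cleared once whatever set it has been removed.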

#8 sdb91
  • Topic Starter
  • Member
  • 10 posts
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

These weren't in the hijackthis log

savefile.com won't let me upload C:\2902.bat

at Kaspersky WebScanner when i click accept nothing happens

#9 ricox
  • Visiting Staff
  • Visiting Consultant
  • 331 posts
Hi,

savefile.com won't let me upload C:\2902.bat


Can you zip this file ?

>> How to create and extract a Zip File in Windows ME/XP/2003 <<

*****************************

at Kaspersky WebScanner when i click accept nothing happens


Kaspersky WebScanner works only with Internet Explorer.
If it doesn't work, try Panda ActiveScan:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
(works only on Internet Explorer)
  • 0

#10
sdb91

    Member

  • Topic Starter
  • Member
  • 10 posts
Incident Status Location

Adware:adware/mirar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\heather\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\heather\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\heather\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\sabastian\Cookies\[email protected][1].txt
Virus:Generic Trojan Disinfected C:\Documents and Settings\sabastian\Desktop\ComboFix.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\sabastian\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\sabastian\Desktop\New Folder\SmitfraudFix\restart.exe
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\SEMBLY~1\winspool.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\RACLE~1\fast.exe.vir
Adware:Adware/Spylocked Not disinfected C:\RECYCLER\S-1-5-21-1781917984-1601988006-4178214567-1006\Dc147.exe[²ÜÇ\InstallOptions.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Cookie/Com.com Not disinfected F:\Driving\Mozilla\Firefox\Profiles\npeparao.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/onestat.com Not disinfected F:\Driving\Mozilla\Firefox\Profiles\npeparao.default\COOKIES.TXT[stat.onestat.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Driving\Mozilla\Firefox\Profiles\npeparao.default\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected F:\Driving\Mozilla\Firefox\Profiles\npeparao.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Driving\Mozilla\Firefox\Profiles\npeparao.default\COOKIES.TXT[.atdmt.com/]


couldn't find C:\2902.bat
  • 0
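A triage helper for reports in the format sdb91 pasted above, added here as an example and not part of the thread or of Panda's software: it parses each incident line into category, name, status and location, then separates tracking-cookie hits and hits inside the removal tools' own locations (SmitfraudFix, ComboFix's C:\QooBox quarantine) from the entries a helper still needs to look at. The folder and file names it checks and the sample lines are constructed assumptions, not output from this machine.

```python
import re

# One line of a Panda ActiveScan report, as pasted above:
#   "<category>:<name> <status> <location>"
# The name may contain spaces, so it is matched lazily up to the status word.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)

# Assumed removal-tool locations: hits here are usually the tools' own components
# or files already quarantined, so they are kept apart from possible live infections.
TOOL_DIRS = ("\\smitfraudfix\\", "\\qoobox\\quarantine\\")
TOOL_FILES = ("combofix.exe", "nircmd.exe", "process.exe", "restart.exe")

def parse_report(text: str) -> list[dict]:
    """Return one dict per incident line; the header and blank lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(inc: dict) -> str:
    loc = inc["location"].lower()
    if inc["name"].startswith("Cookie/"):
        return "cookies"          # tracking cookies: low risk, cleared by a cookie cleaner
    if any(d in loc for d in TOOL_DIRS) or loc.endswith(TOOL_FILES):
        return "tool_quarantine"  # confirm by hand before treating as an infection
    return "review"               # registry entries, loose executables, etc.

def triage(text: str) -> dict[str, list[dict]]:
    buckets = {"cookies": [], "tool_quarantine": [], "review": []}
    for inc in parse_report(text):
        buckets[classify(inc)].append(inc)
    return buckets

# Constructed sample in the report's format (a few lines; cookie file name made up).
SAMPLE = """Incident Status Location

Adware:adware/mirar Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\\Documents and Settings\\heather\\Cookies\\heather@atdmt[2].txt
Virus:Generic Trojan Disinfected C:\\Documents and Settings\\sabastian\\Desktop\\ComboFix.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\\Documents and Settings\\sabastian\\Desktop\\New Folder\\SmitfraudFix\\Process.exe
Adware:Adware/PurityScan Not disinfected C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\RACLE~1\\fast.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\\WINDOWS\\nircmd.exe
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket} ({len(items)}):")
        for inc in items:
            print(f"  [{inc['status']}] {inc['category']}:{inc['name']} -> {inc['location']}")
```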

#11
ricox

    Visiting Staff

  • Visiting Consultant
  • 331 posts
Hi,

I did that Panda antivirus scan and I do know what happened: the screen went blue and it said that there was a problem with software I've installed.


Go to start > Run > type: eventvwr and click ok > see if anything shows a red or yellow marker (in System and Application)

Please also read this article: Windows XP Blue Screen of Death STOP Codes, A list of most BSoD errors and solutions

***************************************

couldn't find C:\2902.bat


Try one of them:

C:\Documents and Settings\heather\1232.bat
C:\Documents and Settings\heather\9057.bat
C:\WINDOWS\system32\4011.bat
C:\Documents and Settings\SABAST~1\3813.bat
C:\Documents and Settings\SABAST~1\5442.bat
C:\WINDOWS\system32\7451.bat
C:\Documents and Settings\heather\3062.bat
C:\Documents and Settings\heather\6354.bat
C:\Documents and Settings\heather\6448.bat


***************************************

Please remove the C:\QooBox folder from your hard disk.

***************************************

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

***************************************

Also let me know how your computer is now running - any more problems?
  • 0
