Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Pop Ups and Spyware [CLOSED]

Started by usafreedom , May 12 2008 11:07 PM

This topic is locked

#1
usafreedom

Posted 12 May 2008 - 11:07 PM

Member

Member
76 posts

Attached is the log

I am having lots of pop ups and fake spyware anti virus warnings

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:06 AM, on 5/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\kavir.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Gotcha\Gotcha.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKUS\S-1-5-21-757298511-2304659736-1445258045-1006\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-757298511-2304659736-1445258045-1006\..\Run: [kavir] C:\WINDOWS\kavir.exe (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontec...2ie06101001.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6076 bytes

#2
Mike

Posted 13 May 2008 - 05:06 AM

Malware Monger

Retired Staff
2,745 posts

Hi ,

I am currently reviewing your log and will post back soon.

Please take note of the following points.

I am still in training, this means that I need all my replies to be approved by an expert, hence there may be a slight delay between my posts. Also please accept that there may be a time difference between us, If you are not in the GMT +1 time zone, than you can expect a slight delay.
Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.
If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.

Thanks,

Mike

#3
Mike

Posted 13 May 2008 - 07:34 AM

Malware Monger

Retired Staff
2,745 posts

Hi again usafreedom,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out

Preperation

I will need you to temporarily disable AVG Antispyware and ZoneAlarms' realtime monitoring, as it could conflict with the fixes I will have you do.

ZoneAlarm's OS Firewall

1. Go to the Program tab, then click "Main".
2. Press the first "Custom" button from the top.
3. Uncheck "Enable OS Firewall".
4. Click OK.

AVG Anti-Spyware (formerly ewido)

1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Now let's get on to the fixes

Step 1. Uploading a suspicious file

Please go to Uploadmalware to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: C:\WINDOWS\winself.exe
In the comments, please mention that I asked you to upload this file
Click on Send File

Step 2. Making a Batch File

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following

@ECHO off
sc stop MsSecurity1.209.4
sc delete MsSecurity1.209.4
exit

In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.

Posted Image

Double click on fix.bat.

Step 3. Fixes with Hijack This

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKUS\S-1-5-21-757298511-2304659736-1445258045-1006\..\Run: [kavir] C:\WINDOWS\kavir.exe (User '?')
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe

Now please close all open windows except HJT and press "Fix checked".

Step 4. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\kavir.exe
 C:\WINDOWS\winself.exe
 C:\WINDOWS\System32\wmsdkns.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 5. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 6. Deckards' System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.

In your next reply

Log from OTMoveIt2.
Log from MalwareBytes' Anti-Malware.
Main.txt and Extra.txt from Deckards' System Scanner.

They may be to large to post in only one reply, if so please spread these logs over multiple posts.

#4
usafreedom

Posted 13 May 2008 - 08:35 PM

Member

Topic Starter
Member
76 posts

Malwarebytes' Anti-Malware 1.12
Database version: 745

Scan type: Quick Scan
Objects scanned: 37721
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 63

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\000090.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\coco.exe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xvltdyom.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\winmlda.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\winqrrd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\winsprd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\winsvcy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wintkge.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\nivavir.config (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\msntanaq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\msntbkph.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\msntlimq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\msntpmui.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\msntprep.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\sysfpdn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\packet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wpcap.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xxyabba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xxywxxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason Aron\Local Settings\Tempmbroit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#5
usafreedom

Posted 13 May 2008 - 08:39 PM

Member

Topic Starter
Member
76 posts

Deckard's System Scanner v20071014.68
Run by Jason Aron on 2008-05-13 22:36:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.

Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 0.19 GiB (less than 15%) free.

-- HijackThis (run as Jason Aron.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:06 PM, on 5/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Documents and Settings\Jason Aron\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jason Aron.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-21-757298511-2304659736-1445258045-1006\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontec...2ie06101001.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 4205 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-222253-118 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080513-222253-130 O4 - HKUS\S-1-5-21-757298511-2304659736-1445258045-1006\..\Run: [kavir] C:\WINDOWS\kavir.exe (User '?')
backup-20080513-222253-247 O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
backup-20080513-222253-273 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080513-222253-276 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080513-222253-297 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080513-222253-303 O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
backup-20080513-222253-306 F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
backup-20080513-222253-356 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080513-222253-453 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080513-222253-478 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080513-222253-526 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080513-222253-542 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080513-222253-609 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20080513-222253-621 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080513-222253-639 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080513-222253-786 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080513-222253-813 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080513-222253-833 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080513-222253-935 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080513-222253-942 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>
3 MEMSWEEP2 - c:\windows\system32\sophosmemsweep.sys (file missing)
3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\packet.sys
3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2 PYKPJELC - c:\windows\system32\pykpjelc.xeq
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbguard.exe
3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbserver.exe
4 MySql - c:/documents and settings/jason aron/local settings/temp/temporary directory 4 for sql.zip/mysql/bin/mysqld-shareware.exe (file missing)
2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe

-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-13 10:00:00 350 --a----c- C:\WINDOWS\Tasks\At11.job
2008-05-13 01:00:00 350 --a----c- C:\WINDOWS\Tasks\At2.job
2008-05-13 00:00:00 350 --a----c- C:\WINDOWS\Tasks\At1.job
2008-05-09 06:00:00 350 --a----c- C:\WINDOWS\Tasks\At7.job
2008-05-09 05:00:00 350 --a----c- C:\WINDOWS\Tasks\At6.job
2008-05-09 04:00:00 350 --a----c- C:\WINDOWS\Tasks\At5.job
2008-05-09 03:00:00 350 --a----c- C:\WINDOWS\Tasks\At4.job
2008-05-09 02:00:00 350 --a----c- C:\WINDOWS\Tasks\At3.job
2008-05-08 23:00:00 350 --a----c- C:\WINDOWS\Tasks\At24.job
2008-05-08 22:00:00 350 --a----c- C:\WINDOWS\Tasks\At23.job
2008-05-08 21:00:00 350 --a----c- C:\WINDOWS\Tasks\At22.job
2008-05-08 20:00:00 350 --a----c- C:\WINDOWS\Tasks\At21.job
2008-05-08 19:00:00 350 --a----c- C:\WINDOWS\Tasks\At20.job
2008-05-08 18:00:00 350 --a----c- C:\WINDOWS\Tasks\At19.job
2008-05-08 17:00:00 350 --a----c- C:\WINDOWS\Tasks\At18.job
2008-05-08 16:00:00 350 --a----c- C:\WINDOWS\Tasks\At17.job
2008-05-08 15:00:00 350 --a----c- C:\WINDOWS\Tasks\At16.job
2008-05-08 14:00:00 350 --a----c- C:\WINDOWS\Tasks\At15.job
2008-05-08 13:00:00 350 --a----c- C:\WINDOWS\Tasks\At14.job
2008-05-08 12:00:00 350 --a----c- C:\WINDOWS\Tasks\At13.job
2008-05-08 11:00:00 350 --a----c- C:\WINDOWS\Tasks\At12.job
2008-05-08 09:00:00 350 --a----c- C:\WINDOWS\Tasks\At10.job
2008-05-08 08:00:00 350 --a----c- C:\WINDOWS\Tasks\At9.job
2008-05-08 07:00:00 350 --a----c- C:\WINDOWS\Tasks\At8.job

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 22:24:50 0 d------c- C:\Documents and Settings\Jason Aron\Application Data\Malwarebytes
2008-05-13 22:24:39 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 22:24:38 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 01:07:02 0 d------c- C:\Program Files\Trend Micro
2008-05-09 05:11:57 0 d------c- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-09 05:11:56 0 d------c- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-09 04:35:33 28168 --a----c- C:\WINDOWS\System32\nbbkhpkr.exe <Not Verified; Microsoft; cmx>
2008-05-09 04:35:31 10752 --a----c- C:\WINDOWS\System32\zsfqjdgy.exe
2008-05-01 17:13:34 36872 --a----c- C:\WINDOWS\System32\fszzuume.exe <Not Verified; Microsoft; cmx>
2008-04-24 01:22:14 9728 --a----c- C:\WINDOWS\System32\xqyyvkqp.exe
2008-04-24 01:22:14 35848 --a----c- C:\WINDOWS\System32\ojiszymg.exe <Not Verified; Microsoft; cmx>

-- Find3M Report ---------------------------------------------------------------

2008-05-13 22:36:08 0 d-a----c- C:\Program Files\Common Files
2008-05-13 10:56:37 24 --a----c- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000002-80221102}.dat
2008-05-13 10:56:37 24 --a----c- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000002-80221102}.dat
2008-05-13 00:42:20 0 d------c- C:\Program Files\Gotcha
2008-05-09 05:15:58 4212 ---h---c- C:\WINDOWS\System32\zllictbl.dat
2008-05-03 09:13:23 0 d------c- C:\Documents and Settings\Jason Aron\Application Data\uTorrent
2008-02-16 17:41:38 5120 --a----c- C:\WINDOWS\thenticate.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 02:16 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [08/17/2007 09:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/05/2006 09:12 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

C:\Documents and Settings\Jason Aron\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 8:31:16 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/8/2002 7:12:02 PM]
DESKTOP.INI [11/15/2001 8:31:16 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [8/7/2001 6:06:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-05-13 22:38:01 ------------

#6
usafreedom

Posted 13 May 2008 - 08:39 PM

Member

Topic Starter
Member
76 posts

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 40%
Physical Memory (total/avail): 510.8 MiB / 304.69 MiB
Pagefile Memory (total/avail): 1249.26 MiB / 1092.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.34 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 74.52 GiB total, 0.19 GiB free.
D: is CDROM (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer has updates disabled.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jason Aron\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JASONA
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jason Aron
LOGONSERVER=\\JASONA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JASONA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JASONA~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=JASONA
USERNAME=Jason Aron
USERPROFILE=C:\Documents and Settings\Jason Aron
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Jason Aron (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
dBpowerAMP FLAC Codec --> "C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
ZoneAlarm Pro --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type3712 / Error
Event Submitted/Written: 05/13/2008 10:15:38 PM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type3706 / Error
Event Submitted/Written: 05/13/2008 09:28:54 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type3701 / Error
Event Submitted/Written: 05/12/2008 11:57:22 PM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type3696 / Error
Event Submitted/Written: 05/09/2008 05:15:35 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type3691 / Error
Event Submitted/Written: 05/09/2008 04:54:24 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type6842 / Error
Event Submitted/Written: 05/13/2008 10:29:17 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type6841 / Error
Event Submitted/Written: 05/13/2008 10:29:12 PM / 05/13/2008 10:29:17 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type6839 / Error
Event Submitted/Written: 05/13/2008 10:15:25 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe.
Reference error message: The operation completed successfully.
.

Event Record #/Type6838 / Error
Event Submitted/Written: 05/13/2008 10:15:25 PM
Event ID/Source: 58 / SideBySide
Event Description:
Syntax error in manifest or policy file "Manifest Parse Error : XML document must have a top level element.
1" on line Manifest Parse Error : XML document must have a top level element.
2.

Event Record #/Type6833 / Error
Event Submitted/Written: 05/13/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942402

-- End of Deckard's System Scanner: finished at 2008-05-13 22:38:01 ------------

#7
usafreedom

Posted 13 May 2008 - 08:41 PM

Member

Topic Starter
Member
76 posts

C:\WINDOWS\kavir.exe moved successfully.
C:\WINDOWS\winself.exe moved successfully.
C:\WINDOWS\System32\wmsdkns.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05132008_222355

#8
Mike

Posted 15 May 2008 - 12:45 AM

Malware Monger

Retired Staff
2,745 posts

Hi again usafreedom,

Still some bad files present.

Step 1. Upload a suspicious file

Please make sure that your realtime programs are disabled for this fix.

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\WINDOWS\thenticate.dll
Click on the submit button
Please post the results in your next reply.

Step 2. Fixes

Please fix this line again in Hijack This:
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,

Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\System32\nbbkhpkr.exe 
C:\WINDOWS\System32\zsfqjdgy.exe
C:\WINDOWS\System32\fszzuume.exe 
C:\WINDOWS\System32\xqyyvkqp.exe
C:\WINDOWS\System32\ojiszymg.exe 
C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000002-80221102}.dat
C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000002-80221102}.dat
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\wmsdkns.exe
c:\windows\system32\pykpjelc.xeq
c:\windows\system32\drivers\packet.sys
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PYKPJELC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uploadmgr

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3. Run Dr.Web CurIt

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Step 4. Deckards' System Scanner

Please Re-run Deckards' System Scanner

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open one Notepad main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.

In your next reply

Please post the results of the Jotti Scan.
Please post the log from OTMoveIt2.
Please post the log from Dr.Web CureIt.
Please post Main.txt from Deckards' System Scanner.

If the logs are to big for one reply -- please spread the logs over multiple replies.

#9
Mike

Posted 25 May 2008 - 03:03 AM

Malware Monger

Retired Staff
2,745 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.