
Trojan-Spy.Win32@mx


  • This topic is locked

#1
derek01f

  • Member
  • 51 posts
Got another one, guys... I know you guys are good, so thanks in advance.

HijackThis log:

Well, I'm trying to get HijackThis to work, but can't for some reason. I have the install on the desktop, but when I click on it, it does nothing. Any suggestions?
  • 0


#2
kahdah

  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello derek01f

Welcome to G2Go. :)
=====================
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      Click NO.
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#3
derek01f

  • Topic Starter
  • Member
  • 51 posts
OK, thanks, doing it now.
  • 0

#4
derek01f

  • Topic Starter
  • Member
  • 51 posts
Here's the log:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ntuser" = "C:\WINDOWS\system32\drivers\spools.exe" [null data]
"IEUpdate" = "C:\WINDOWS\system32\a3dp.exe" [null data]
"autoload" = "C:\Documents and Settings\sbalsinger\cftmon.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ntuser" = "C:\WINDOWS\system32\drivers\spools.exe" [null data]
"IEUpdate" = "C:\WINDOWS\system32\a3dp.exe" [null data]
"autoload" = "C:\Documents and Settings\sbalsinger\cftmon.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}" = "AS/400 Shell Extensions - AS/400 IPL"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - AS/400 IPL"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunas4.dll" ["IBM Corporation"]
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}" = "AS/400 Network"
-> {HKLM...CLSID} = "AS/400 Network"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}" = "AS/400 Shell Extensions - AS/400 Network"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - AS/400 Network"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{8CA2EBC1-40C7-4451-AD01-7DEEB4690358}" = "AS/400 Related Tasks"
-> {HKLM...CLSID} = "AS/400 Related Tasks"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{5E44E520-2F69-11d1-9318-0004AC946C18}" = "AS/400 Shell Extensions - Auto Refresh"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Auto Refresh"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunarf.dll" ["IBM Corporation"]
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Drag Drop Handler"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Drag Drop Handler"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunddh.dll" ["IBM Corporation"]
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - File Systems Properties"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - File Systems Properties"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunfsf.dll" ["IBM Corporation"]
"{1827A857-9C20-11d1-96C3-00062912C9B2}" = "AS/400 Shell Extensions - Java Components"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Java Components"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjav.dll" ["IBM Corporation"]
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Send Message"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Send Message"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgs.dll" ["IBM Corporation"]
"{C60EF841-2F98-11d1-A19A-08005A4F659F}" = "AS/400 Shell Extensions - NFS Server"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - NFS Server"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunnfs.dll" ["IBM Corporation"]
"{8D742A40-77FF-11CF-8877-444553540000}" = "AS/400 Shell Extensions - Security"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Security"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunsec.dll" ["IBM Corporation"]
"{040606B2-1C19-11d2-AA12-08005AD17735}" = "AS/400 Shell Extensions - Visual Basic Components"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Visual Basic Components"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cwbunvba.dll" ["IBM Corporation"]
"{D63E20C4-3F6D-11d3-BCE6-002035C0A6DA}" = "AS/400 Shell Extensions - Journaling"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Journaling"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjrn.dll" ["IBM Corporation"]
"{01FE9570-15A3-11d2-8309-000629AA1859}" = "AS/400 Shell Extensions - Management Central"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{7D7E1B60-0EF8-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{3B453C20-21CD-11d2-8318-000629AA1859}" = "AS/400 Shell Extensions - Management Central SW Inventory"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central SW Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{4CE18940-3E8B-11d2-834B-000629AA1859}" = "AS/400 Shell Extensions - Management Central HW Inventory"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central HW Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{B08B7EAD-2FD4-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Inventory Tasks"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks - Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{90BE6B50-1041-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Endpoint Systems"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Endpoint Systems"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{E4C59510-1050-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central System Groups"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central System Groups"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{C2661801-FFE8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Messages"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Messages"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgf.dll" ["IBM Corporation"]
"{22982561-EEC8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Spool Files"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Spool Files"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunouf.dll" ["IBM Corporation"]
"{8514E881-FF45-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Printers"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Printers"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunprf.dll" ["IBM Corporation"]
"{FF142762-FAB1-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Jobs"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Jobs"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjbf.dll" ["IBM Corporation"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> __c00A8054\DLLName = "C:\WINDOWS\system32\__c00A8054.dat" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\drivers\spools.exe "%1" %*" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\sbalsinger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Broadcom ASF IP monitoring service v6.0.4, BAsfIpM, "C:\WINDOWS\system32\basfipm.exe" ["Broadcom Corp."]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["TightVNC Group"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-05-28 09:20:08)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 61 seconds, including 36 seconds for message boxes)
  • 0
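As an added example (not from the thread, and not part of the Silent Runners script), the Python below applies the same triage the helper did by eye to a constructed excerpt of the report above: it flags Run entries with no version info, executables named or placed like the ones in this log (spools.exe in the drivers folder, cftmon.exe in a user profile), a Winlogon\Notify package that is not a DLL, and an exefile open command that is no longer the default `"%1" %*`. The list of imitated Windows binary names and the heuristics are my assumptions, not rules from the tool; the signed Intel igfxcui entry, also marked `<<!>>`, is left unflagged to show that the marker alone is not a verdict.

```python
import os
import re

# Constructed excerpt modelled on the Silent Runners report posted above
# (trimmed to the relevant sections; a benign ctfmon.exe entry is added for contrast).
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ntuser" = "C:\WINDOWS\system32\drivers\spools.exe" [null data]
"IEUpdate" = "C:\WINDOWS\system32\a3dp.exe" [null data]
"autoload" = "C:\Documents and Settings\sbalsinger\cftmon.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> __c00A8054\DLLName = "C:\WINDOWS\system32\__c00A8054.dat" [null data]

<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\drivers\spools.exe "%1" %*" [null data]
"""

# A clean XP install launches .exe files with exactly this command.
DEFAULT_EXEFILE_CMD = '"%1" %*'
# Assumed list of Windows binaries whose names the files in this thread imitate.
KNOWN_NAMES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "explorer.exe")

RUN_RE = re.compile(r'^(<<!>> )?"(?P<name>[^"]+)" = "(?P<path>.*)" \[(?P<tag>[^\]]*)\]$')
NOTIFY_RE = re.compile(r'^(<<!>> )?(?P<name>[^\\ ]+)\\DLLName = "(?P<path>.*)" \[(?P<tag>[^\]]*)\]$')
EXEFILE_RE = re.compile(r'^(<<!>> )?HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\'
                        r'\(Default\) = "(?P<cmd>.*)" \[(?P<tag>[^\]]*)\]$')

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def path_reasons(path):
    """Heuristics on where an autostart executable lives and what it is called."""
    low = path.lower()
    base = os.path.basename(low.replace("\\", "/"))
    reasons = []
    if "\\documents and settings\\" in low or "\\users\\" in low:
        reasons.append("runs from a user profile directory")
    if "\\drivers\\" in low and base.endswith(".exe"):
        reasons.append(".exe placed in the drivers directory")
    for known in KNOWN_NAMES:
        if 0 < edit_distance(base, known) <= 2:
            reasons.append(f"name imitates {known}")
    return reasons

def triage(log_text):
    """Return (section, name, value, reasons) for every entry worth a second look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = EXEFILE_RE.match(line)
        if m:
            if m.group("cmd") != DEFAULT_EXEFILE_CMD:
                findings.append(("exefile", "(Default)", m.group("cmd"),
                                 ["every .exe launch is routed through this program first"]))
            continue
        if line.startswith(("HKCU\\", "HKLM\\")):   # a registry key header starts a section
            current_key = line.replace(" {++}", "")
            continue
        if current_key.endswith("\\Run\\"):
            m = RUN_RE.match(line)
            if m:
                reasons = path_reasons(m.group("path"))
                if m.group("tag") == "null data":
                    reasons.append("no version/publisher info")
                if reasons:
                    findings.append(("Run", m.group("name"), m.group("path"), reasons))
        elif current_key.endswith("\\Winlogon\\Notify\\"):
            m = NOTIFY_RE.match(line)
            if m:
                reasons = []
                if m.group("tag") == "null data":
                    reasons.append("no version/publisher info")
                if not m.group("path").lower().endswith(".dll"):
                    reasons.append("Notify package is not a .dll")
                if reasons:
                    findings.append(("Winlogon\\Notify", m.group("name"), m.group("path"), reasons))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the five entries the helper listed for removal and nothing else; point it at a full report saved by the script to get the same triage on a real log.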

#5
kahdah

  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there.
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
==================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\ntuser
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\IEUpdate
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\autoload
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ntuser
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\IEUpdate
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\autoload
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\a3dp.exe
    C:\Documents and Settings\sbalsinger\cftmon.exe
    C:\WINDOWS\system32\__c00A8054.dat
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A8054
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
============
After all of that I will need you to download ONE of these anti-virus programs and install it.
These are free:
  • Antivir
  • AVG Free 8.0 (note: this is free antispyware protection and antivirus protection)
  • Avast
As long as you only install one.
  • 0

#6
derek01f

  • Topic Starter
  • Member
  • 51 posts
DAFT is giving me an AutoIt error: "unable to open script file".
  • 0

#7
kahdah

  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Okay, go ahead with the rest of the instructions please.
  • 0

#8
derek01f

  • Topic Starter
  • Member
  • 51 posts

Okay, go ahead with the rest of the instructions please.

That's what I did... in the middle of MoveIt.
  • 0

#9
derek01f

  • Topic Starter
  • Member
  • 51 posts
OTMoveIt log:

< HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\ntuser >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run not found.
< HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\IEUpdate >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run not found.
< HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\autoload >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run not found.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ntuser >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run not found.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\IEUpdate >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run not found.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\autoload >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run not found.
File move failed. C:\WINDOWS\system32\drivers\spools.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\a3dp.exe scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\sbalsinger\cftmon.exe not found.
File move failed. C:\WINDOWS\system32\__c00A8054.dat scheduled to be moved on reboot.
< HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A8054 >
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A8054\\ .

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05282008_094148
  • 0

#10
derek01f

  • Topic Starter
  • Member
  • 51 posts
OK, SDFix log:


SDFix: Version 1.186
Run by Administrator on Wed 05/28/2008 at 10:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\a3dp.exe - Deleted
C:\Documents and Settings\Administrator\cftmon.exe - Deleted
C:\Documents and Settings\administrator.CAMBRIA\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\sbalsinger\cftmon.exe - Deleted
C:\Documents and Settings\sbalsinger\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\spywarewarning.mht - Deleted
C:\WINDOWS\system32\spywarewarning2.mht - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:*:Enabled:TightVNC Win32 Server"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 21 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 9 Jun 2005 27,648 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Templates\~WRL3329.tmp"
Wed 24 May 2006 19,456 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 8 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL0004.tmp"
Fri 18 Aug 2006 911,360 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL0569.tmp"
Fri 18 Aug 2006 903,168 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL0713.tmp"
Wed 27 Jun 2007 22,016 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL0812.tmp"
Tue 8 Apr 2008 24,576 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1059.tmp"
Mon 17 Jul 2006 53,760 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1184.tmp"
Tue 12 Feb 2008 23,040 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1331.tmp"
Mon 17 Jul 2006 51,712 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1367.tmp"
Mon 21 Apr 2008 22,528 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1568.tmp"
Wed 26 Sep 2007 48,128 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1593.tmp"
Tue 12 Feb 2008 23,040 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1638.tmp"
Mon 17 Jul 2006 52,736 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL1886.tmp"
Mon 17 Jul 2006 56,320 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2110.tmp"
Wed 26 Sep 2007 49,664 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2488.tmp"
Tue 22 Jan 2008 22,528 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2524.tmp"
Mon 17 Jul 2006 53,248 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2640.tmp"
Tue 12 Feb 2008 23,040 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2742.tmp"
Tue 12 Feb 2008 22,528 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2755.tmp"
Thu 22 Feb 2007 20,992 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL2845.tmp"
Mon 21 Apr 2008 23,040 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL3248.tmp"
Wed 26 Sep 2007 49,664 ...H. --- "C:\Documents and Settings\sbalsinger\Application Data\Microsoft\Word\~WRL3613.tmp"
Tue 21 Feb 2006 4,348 ...H. --- "C:\Documents and Settings\sbalsinger\My Documents\My Music\License Backup\drmv1key.bak"
Tue 21 Feb 2006 20 A..H. --- "C:\Documents and Settings\sbalsinger\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 21 Feb 2006 400 A.SH. --- "C:\Documents and Settings\sbalsinger\My Documents\My Music\License Backup\drmv2key.bak"
Wed 28 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b394b842d9c4e6a28427fae777df59a\BIT14.tmp"

Finished!
  • 0


#11
derek01f

  • Topic Starter
  • Member
  • 51 posts
For some reason I still can't get HijackThis to install on this machine.
  • 0

#12
derek01f

  • Topic Starter
  • Member
  • 51 posts
Got it working finally. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:13 AM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.2.175,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.2.175,172.17.5.2
O20 - Winlogon Notify: __c00A8054 - C:\WINDOWS\system32\__c00A8054.dat
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 2866 bytes
  • 0

#13
derek01f

  • Topic Starter
  • Member
  • 51 posts
This WinAntivirusPro keeps coming back and running.
  • 0

#14
derek01f

  • Topic Starter
  • Member
  • 51 posts
I installed Symantec AntiVirus; that's what we use here. For some reason this computer didn't have it on; the server didn't push it out to her.
  • 0

#15
kahdah

  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please visit this web page for instructions on downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
  • 0
