Malware, PSGuard I think. [RESOLVED]



#1 beeps (Member, 148 posts)

Hi there,

I seem to be afflicted with all manner of nasty things. Here is my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 15:37:01, on 07/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BEEB0D-3A9C-49DE-AE25-DE5C99F285B5}: NameServer = 85.255.114.45,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE7E5E07-0008-424D-B66B-17324C50A3F2}: NameServer = 85.255.114.45,85.255.112.83
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Oh, and here is an ewido log from a possibly misguided attempt to sort this out a few minutes before:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:34:47, 07/11/2005
+ Report-Checksum: 791445AE

+ Scan result:

HKLM\SOFTWARE\ShudderLTD -> Spyware.PSGuard : Ignored
:mozilla.10:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\shane\Desktop\Stealth Folder Hider Eval.exe/3.ten -> Not-A-Virus.Monitor.WinSpy.a : Ignored
C:\Documents and Settings\shane\Shared\Pink Floyd - Discography.zip/Setup.exe -> Worm.VB.an : Ignored
C:\WINDOWS\rf.exe -> Not-A-Virus.Monitor.WinSpy.a : Ignored
C:\WINDOWS\system32\hlmicro.exe -> Spyware.Msnagent : Ignored
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Spyware.PSGuard : Cleaned with backup
[652] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[676] VM_00BF0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[920] VM_007B0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1624] VM_011C0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1812] VM_008F0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1876] VM_009E0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1980] VM_008A0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1996] VM_00380000 -> TrojanDownloader.Agent.uj : Error during cleaning
[784] VM_00870000 -> TrojanDownloader.Agent.uj : Error during cleaning
[336] VM_00880000 -> TrojanDownloader.Agent.uj : Error during cleaning
[352] VM_003A0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[360] VM_003B0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[408] VM_003D0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[404] VM_003C0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[516] VM_00D40000 -> TrojanDownloader.Agent.uj : Error during cleaning
[600] VM_00990000 -> TrojanDownloader.Agent.uj : Error during cleaning
[780] VM_00D00000 -> TrojanDownloader.Agent.uj : Error during cleaning
[2176] VM_00CE0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\Program Files\SurfAccuracy -> Adware.SurfAccuracy : Cleaned with backup
C:\Program Files\SurfAccuracy\SAcc.cfg -> Adware.SurfAccuracy : Cleaned with backup
C:\WINDOWS\adsldpbc.dll -> TrojanDownloader.Delf.lh : Cleaned with backup
C:\WINDOWS\system32\1.exe -> Backdoor.Haxdoor.ed : Cleaned with backup
C:\WINDOWS\system32\bndmod.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\cgcpcdii.exe -> TrojanDropper.Small.afo : Cleaned with backup
C:\WINDOWS\system32\dhffpbhc.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\favme.exe -> Trojan.Favadd.an : Cleaned with backup
C:\WINDOWS\system32\hwiper.exe -> Trojan.Qhost.df : Cleaned with backup


::Report End

Thanks! :tazz:
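The ewido report quoted above lists three kinds of object: registry keys, files, and entries of the form "[pid] VM_address", which ewido reports against a process id rather than a path. As an added example (not ewido's code and not part of the thread), the Python below parses that report layout and summarises what the scanner could not clean; the excerpt it runs on is constructed from the lines above.

```python
"""Summarise an ewido security suite scan report.

Added, illustrative code; it is not part of ewido or of the thread above.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed excerpt in the same layout as the report quoted in the post.
SAMPLE_REPORT = r"""ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:34:47, 07/11/2005
+ Report-Checksum: 791445AE

+ Scan result:

HKLM\SOFTWARE\ShudderLTD -> Spyware.PSGuard : Ignored
C:\WINDOWS\system32\hlmicro.exe -> Spyware.Msnagent : Ignored
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Spyware.PSGuard : Error during cleaning
[652] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[676] VM_00BF0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[920] VM_007B0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\WINDOWS\system32\1.exe -> Backdoor.Haxdoor.ed : Cleaned with backup
C:\WINDOWS\system32\favme.exe -> Trojan.Favadd.an : Cleaned with backup


::Report End
"""

# <object> -> <detection name> : <status>
RESULT_RE = re.compile(r"^(?P<object>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")
# [<pid>] VM_<base address>  (a detection reported against a running process)
MEMORY_RE = re.compile(r"^\[(?P<pid>\d+)\] VM_(?P<base>[0-9A-Fa-f]{8})$")


def parse_report(text: str) -> List[Dict[str, object]]:
    """Return one record per detection line: object, kind, pid, detection, status."""
    records = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Scan result"):
            in_results = True
            continue
        if line.startswith("::Report End"):
            break
        if not in_results or not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        obj = m.group("object")
        mem = MEMORY_RE.match(obj)
        if mem:
            kind, pid = "memory", int(mem.group("pid"))
        elif obj.upper().startswith(("HKLM", "HKCU", "HKEY")):
            kind, pid = "registry", None
        else:
            kind, pid = "file", None
        records.append({"object": obj, "kind": kind, "pid": pid,
                        "detection": m.group("detection"), "status": m.group("status")})
    return records


def summarise(text: str) -> Dict[str, object]:
    """Group detections by status and kind, and collect the pids behind memory hits.

    Memory hits that ended in 'Error during cleaning' identify running processes
    that still carry the code, which is why the follow-up is done from Safe Mode
    rather than by re-running the same scan.
    """
    recs = parse_report(text)
    memory_pids = defaultdict(set)
    for r in recs:
        if r["kind"] == "memory":
            memory_pids[r["detection"]].add(r["pid"])
    return {
        "by_status": dict(Counter(r["status"] for r in recs)),
        "by_kind": dict(Counter(r["kind"] for r in recs)),
        "unresolved": [r for r in recs if r["status"] != "Cleaned with backup"],
        "memory_pids": {k: sorted(v) for k, v in memory_pids.items()},
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    print("by status:", summary["by_status"])
    print("by kind:  ", summary["by_kind"])
    print("memory hits by detection:", summary["memory_pids"])
    for r in summary["unresolved"]:
        print(f"  still present: {r['object']} ({r['detection']}, {r['status']})")
```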

#2 infaddict (Visiting Staff, 734 posts)

Hi beeps and welcome to Geeks to Go :)

My name is infaddict and I will be helping you with your problem. I am currently analysing your log and will post a reply once I have created a fix. Thanks for your patience.

In the meantime, can you let me know if you updated Ewido to the latest definitions prior to running the scan?

Thanks :tazz:

#3 infaddict (Visiting Staff, 734 posts)

Hi beeps :)

You are infected with PSGuard and it appears your internet connection is being routed through a server in Kiev, Ukraine. Please let me know in your next post if this is intentional (i.e. you live in the Ukraine or your ISP is based in the Ukraine). If this seems wrong then please include the items I list in red in your actions.

Before we begin, I need to ensure you have an Antivirus and Firewall installed and running on your computer - otherwise you are wide open to re-infection and we are both wasting our time. I can see Kaspersky Anti-Virus Personal in your log, although it didn't appear to be running when you captured your HijackThis log. I cannot see a firewall and this is a must.

Please can you ensure you have one Antivirus and one Firewall installed before we continue. If you have Kaspersky Anti-Virus Personal and use it, then that is fine. If not (or if it has expired) then uninstall it and install a Free Anti-Virus product such as AVG Free which I use personally. Please install a Free Firewall such as ZoneAlarm.

Once you have done the above, please restart your computer and continue with my instructions.

Preparation

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

You already have Ewido. Please update the definitions to the latest ones (if necessary refer to the Ewido Setup Instructions).
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
The Fix

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items.

Only check the following if your internet access should not be routed via Kiev, Ukraine. Otherwise simply close HijackThis.

O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BEEB0D-3A9C-49DE-AE25-DE5C99F285B5}: NameServer = 85.255.114.45,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE7E5E07-0008-424D-B66B-17324C50A3F2}: NameServer = 85.255.114.45,85.255.112.83



Ensure all other windows and browsers are closed and then click FIX CHECKED. Close HiJackThis.

Still in Safe mode, use Windows Explorer or My Computer and delete the following files which are infected:

C:\Documents and Settings\shane\Desktop\Stealth Folder Hider Eval.exe
C:\Documents and Settings\shane\Shared\Pink Floyd - Discography.zip
C:\WINDOWS\rf.exe
C:\WINDOWS\system32\hlmicro.exe


Still in Safe mode, open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Still in Safe Mode, open Ad-aware and do a full scan. Remove all it finds.


Still in Safe Mode, run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Let us know if any problems persist :tazz:
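The O17 lines in a HijackThis log are the per-interface DNS server (NameServer) settings, and the advice above is to fix them only if those resolvers are not ones the connection should be using. As an added example (not HijackThis code and not part of the thread), the Python below parses O17 lines and flags any resolver outside an allowlist of expected ranges; the allowlist contents and the 192.168.1.1 line in the sample are assumptions, while the two 85.255.x.x lines are the ones quoted in the log.

```python
"""Audit the O17 (NameServer) lines of a HijackThis log.

Added, illustrative code; it is not part of HijackThis or of the thread above.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99.1 line format. The two 85.255.x.x
# lines are the O17 entries quoted in the thread; the 192.168.1.1 line is an
# invented benign entry pointing at a home router.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7BEEB0D-3A9C-49DE-AE25-DE5C99F285B5}: NameServer = 85.255.114.45,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE7E5E07-0008-424D-B66B-17324C50A3F2}: NameServer = 85.255.114.45,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Resolvers the machine is expected to use. Assumption for this example:
# loopback and RFC 1918 space (a home router or LAN DNS server). Add your
# ISP's resolver ranges here; the commented line is a placeholder only.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    # ipaddress.ip_network("203.0.113.0/24"),  # placeholder: your ISP's resolvers
]

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?\\(?P<guid>\{[0-9A-Fa-f-]+\})): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text: str) -> List[Dict[str, object]]:
    """Return one record per O17 line: the interface GUID and its resolver list."""
    records = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        # Windows separates multiple resolvers with commas (sometimes spaces).
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        records.append({"interface": m.group("guid"), "servers": servers})
    return records


def audit_nameservers(log_text: str, trusted_nets=TRUSTED_RESOLVER_NETS) -> List[Dict[str, object]]:
    """Flag every resolver on an O17 line that lies outside the trusted ranges.

    The same foreign resolver pair set on every interface GUID is what a
    registry-level change of the DNS settings looks like, as opposed to one
    connection being configured differently, so each finding also records how
    many interfaces share that resolver.
    """
    findings: List[Dict[str, object]] = []
    shared_on: Dict[str, set] = {}
    for rec in parse_o17(log_text):
        for server in rec["servers"]:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append({"interface": rec["interface"], "server": server,
                                 "reason": "unparseable address"})
                continue
            if any(ip in net for net in trusted_nets):
                continue
            shared_on.setdefault(server, set()).add(rec["interface"])
            findings.append({"interface": rec["interface"], "server": server,
                             "reason": "resolver outside trusted ranges"})
    for f in findings:
        f["interfaces_sharing"] = len(shared_on.get(str(f["server"]), ()))
    return findings


if __name__ == "__main__":
    for f in audit_nameservers(SAMPLE_LOG):
        print(f"{f['interface']} -> {f['server']}: {f['reason']} "
              f"(set on {f['interfaces_sharing']} interface(s))")
```

The allowlist is deliberately per machine: the same public resolver is legitimate on a connection that was configured to use it and suspicious on one that was not, which is exactly the question asked in the post.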

#4 beeps (Topic Starter, Member, 148 posts)

Hi infaddict! Thanks a million for your help. :tazz: Well, I had a couple of problems. Firstly both AVG and Zonealarm refused to install for me.
I carried out the rest of your instructions and the other problem I had was that smitrem appeared to freeze, forcing me to exit it possibly before the disk clean up was finished. (My computer froze several times when in safe mode, which I thought unusual.) The red warning advertisement which had replaced my wallpaper is now gone and instead is now plain white. Anyhoo, here are the various logs:



HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:36:28, on 09/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Panda Activescan log:

Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-2e3e3ee3.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-2e3e3ee3.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-2e3e3ee3.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-54980b39-2e3e3ee3.zip[Installer.class]
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-52b55e84.zip[InstallerApplet.class]
Dialer:dialer.bb No disinfected C:\Documents and Settings\shane\Desktop\m00.exe
Virus:Bck/Dumador.T Disinfected C:\WINDOWS\dvpd.dll
Virus:Bck/Dumador.AS Disinfected C:\WINDOWS\prntsvra.dll
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.AX Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050907-031224.backup
Virus:Trj/Dhijack.A Disinfected C:\WINDOWS\system32\oleext.dll
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\oleext32.dll
Adware:Adware/RazeSpyware No disinfected C:\WINDOWS\system32\rzspy.exe
Virus:Bck/Dumador.T Disinfected C:\WINDOWS\winsms.dll


Ewido log:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:50:28, 09/11/2005
+ Report-Checksum: 8762E768

+ Scan result:

HKLM\SOFTWARE\ShudderLTD -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Spyware.PSGuard : Cleaned with backup
[180] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[204] VM_00C10000 -> TrojanDownloader.Agent.uj : Error during cleaning
[712] VM_007B0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\RECYCLER\S-1-5-21-2052111302-1770027372-839522115-1005\Dc1.exe/3.ten -> Not-A-Virus.Monitor.WinSpy.a : Error during cleaning
C:\RECYCLER\S-1-5-21-2052111302-1770027372-839522115-1005\Dc2.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\RECYCLER\S-1-5-21-2052111302-1770027372-839522115-1005\Dc3.exe -> Not-A-Virus.Monitor.WinSpy.a : Cleaned with backup


::Report End



Smitrem log:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Online Pharmacy folder


~~~ system32 folder ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

#5 infaddict (Visiting Staff, 734 posts)

Hi beeps :)

Firstly both AVG and Zonealarm refused to install for me.

Can you give me more information please? How did they refuse to install? Did you get any error messages and if so, please give me full details of them.

As I said before, without an antivirus and firewall you are open to re-infection and we are both wasting our time. Even if you go away clean, you will be back in a couple of weeks or months and be infected again.

smitrem appeared to freeze, forcing me to exit it possibly before the disk clean up was finished. (My computer froze several times when in safe mode, which I thought unusual.) The red warning advertisement which had replaced my wallpaper is now gone and instead is now plain white.


Ok, we will try a few more things and see how we get on. You can try changing your wallpaper to something else now and let me know how you get on.

Download the Hoster Here
Unzip Hoster to your desktop but please do not use the program yet

Download WinPFind
Extract WinPFind.zip to your c:\ folder.

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • Please ensure you login to an account with Administrator privileges.
In Safe mode, use Windows Explorer or My Computer and delete the following files which are infected:

C:\Documents and Settings\shane\Desktop\m00.exe
C:\WINDOWS\system32\rzspy.exe


Still in Safe mode, open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish. Please be patient as this can take a long time.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Still in Safe Mode, open c:\WinPFind and double-click on WinPFind.exe. Note, if you have had to restart your computer (e.g. due to freezing), please boot back into Safe Mode before running WinPFind.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Please post a reply with :
  • fresh HijackThis log taken from Normal Mode after completing all instructions above
  • smitfiles.txt located in your root drive
  • WinPFind.txt
  • Info on how your system is running
Thanks

:tazz:
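The Hoster step above exists because the Panda scan reported Trj/Qhost in C:\WINDOWS\system32\drivers\etc\hosts: a hosts file that maps names to addresses of the attacker's choosing overrides DNS for those names. As an added example (not the Hoster tool's code and not part of the thread), the Python below parses hosts-file text and reports every mapping that is not the stock loopback entry, separating names that are merely blocked from names that are redirected elsewhere. The sample hosts content, the .test names and the 203.0.113.7 address are constructed.

```python
"""Audit a Windows hosts file for hijacked entries.

Added, illustrative code; it is not part of the Hoster tool or of the thread above.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the stock XP entry, two names redirected to a public
# address (203.0.113.0/24 is documentation space), one name blackholed to
# loopback, and comments. The .test names are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.example-antivirus.test
203.0.113.7     update.example-antivirus.test   # trailing comment
127.0.0.1       downloads.example-security.test
"""

# What a clean Windows XP hosts file amounts to once comments are dropped.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"

# Addresses that block a name rather than redirect it somewhere else.
BLACKHOLE_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per active line: line number, address text, host names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no name is noise
            continue
        entries.append({"line": lineno, "address": parts[0], "names": parts[1:]})
    return entries


def audit_hosts(text: str, expected_names=("localhost",)) -> List[Dict[str, object]]:
    """Flag every mapping other than the expected loopback names.

    A name sent to loopback or 0.0.0.0 is blocked (medium, e.g. an update site
    made unreachable); a name sent anywhere else is redirected to a host the
    user did not choose (high).
    """
    findings = []
    for entry in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(str(entry["address"]))
        except ValueError:
            findings.append({"line": entry["line"], "name": " ".join(entry["names"]),
                             "address": entry["address"], "severity": "high",
                             "reason": "unparseable address"})
            continue
        for name in entry["names"]:
            if name.lower() in expected_names and ip in BLACKHOLE_ADDRESSES:
                continue
            if ip in BLACKHOLE_ADDRESSES:
                severity, reason = "medium", "name blocked (sent to loopback/null)"
            else:
                severity, reason = "high", "name redirected to another address"
            findings.append({"line": entry["line"], "name": name,
                             "address": entry["address"], "severity": severity,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['address']} [{f['severity']}] {f['reason']}")
    print("clean default audit:", audit_hosts(DEFAULT_HOSTS))
```

Running the audit before and after a restore tool such as Hoster gives a concrete record of what was changed, which is more useful in a reply than "it says CLEAN".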

#6 beeps (Topic Starter, Member, 148 posts)

Hi infaddict,

When I attempted to load avg again I was told I had to update Roxio first, which I did. I was then presented with this error message:

Local machine: installation failed
Initialization:
Error: Checking of state of the item file link_User_AVG6_Desk (User) failed.
File opening failed. %FILE% = "C:\Documents and Settings\User\Desktop\AVG 6.0.lnk"
Permission denied


This time around Zonealarm seemed to work without any problems.

I followed your instructions and here are my results.


HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 05:03:18, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


SmitRem txt

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!



WinPFind txt:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 16/07/2005 16:32:38 666 C:\log.txt
PEC2 16/07/2005 16:32:38 666 C:\log.txt
UPX! 04/10/2005 10:25:30 6146 C:\q632080.exe
FSG! 16/07/2005 16:33:44 666 C:\thelog.txt
PEC2 16/07/2005 16:33:44 666 C:\thelog.txt
FSG! 16/07/2005 16:32:14 177 C:\win.txt
PEC2 16/07/2005 16:32:14 177 C:\win.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 29/08/2002 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 26/10/2004 22:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 26/10/2004 22:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
Umonitor 29/08/2002 12:00:00 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 29/10/2005 07:17:14 302621 C:\WINDOWS\SYSTEM32\SetupCarnival.exe
winsync 29/08/2002 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/11/2005 04:28:06 S 2048 C:\WINDOWS\bootstat.dat
09/11/2005 21:03:44 HS 27136 C:\WINDOWS\Thumbs.db
09/11/2005 21:00:24 HS 22016 C:\WINDOWS\system32\Thumbs.db
11/11/2005 04:28:00 H 8192 C:\WINDOWS\system32\config\default.LOG
11/11/2005 04:28:24 H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/11/2005 04:28:08 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/11/2005 04:32:54 H 188416 C:\WINDOWS\system32\config\software.LOG
11/11/2005 04:28:08 H 839680 C:\WINDOWS\system32\config\system.LOG
11/11/2005 04:27:02 H 6 C:\WINDOWS\Tasks\SA.DAT
07/11/2005 01:39:00 HS 14848 C:\WINDOWS\Web\Thumbs.db
07/11/2005 01:39:06 HS 10240 C:\WINDOWS\Web\printers\images\Thumbs.db
07/11/2005 01:39:04 HS 84480 C:\WINDOWS\Web\Wallpaper\Thumbs.db

Checking for CPL files...
Microsoft Corporation 29/08/2002 12:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 12:00:00 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 12:00:00 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29/08/2002 12:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 12:00:00 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 12:00:00 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 12:00:00 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/06/2005 02:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 29/08/2002 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 29/08/2002 12:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29/08/2002 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 29/08/2002 12:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 29/08/2002 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
11/05/2003 07:51:40 R 14336 C:\WINDOWS\SYSTEM32\pmxusb.cpl
Microsoft Corporation 29/08/2002 12:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
29/11/2001 16:10:44 475136 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 29/08/2002 12:00:00 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
14/08/2001 15:43:00 348160 C:\WINDOWS\SYSTEM32\tablet.cpl
Microsoft Corporation 29/08/2002 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 29/08/2002 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 29/08/2002 12:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 12:00:00 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 12:00:00 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 29/08/2002 12:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 12:00:00 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 12:00:00 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 12:00:00 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 29/08/2002 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 29/08/2002 12:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 29/08/2002 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 29/08/2002 12:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 29/08/2002 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 29/08/2002 12:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 12:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 12:00:00 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 29/08/2002 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 29/08/2002 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
C-Media Corporation 15/04/2002 09:53:12 421888 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\cmicnfg.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
09/12/2003 12:09:30 1015 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Album Fast Start.lnk
29/03/2003 13:49:10 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
19/04/2004 12:14:44 926 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON SMART PANEL for Scanner.lnk
05/03/2004 11:26:30 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
01/12/2003 09:53:04 1898 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
29/03/2003 13:37:04 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
29/03/2003 13:49:10 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
29/03/2003 13:37:04 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
C-Media Speaker Configuration C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
HotKey C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
FLMBROWSEMOUSE2 C:\Program Files\Browser MOUSE\R2M.EXE
FLMOFFICE4DMOUSE C:\Program Files\Browser MOUSE\mouse32a.exe
atwtusb atwtusb.exe beta
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
KAVPersonal50 "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
RegistryMechanic
PicasaNet "C:\Program Files\Hello\Hello.exe" -b
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/11/2005 04:47:19


I now seem to be able to connect to the internet intermittently, at apparently random intervals. I had intended to post this last night for example but was unable to do so until now.

Are we making progress? :tazz:


*Edit* I dunno but things seem to have gotten a bit worse if anything. I can't access ZoneAlarm or uninstall it; it seems to be messing with my system. My background screen now tells me it turned off my Active Desktop as a precaution (I think I shut the comp down wrongly) and gives me the option to restore it. Things seem to be working better with it off however. Anyhoo, maybe it's all part of the process of getting rid of this thing. :)

Oh, also I am only able to access the internet immediately after booting up the computer. If I leave it alone for any length of time I find myself unable to get on the web.

Edited by beeps, 11 November 2005 - 07:06 PM.

  • 0

#7
infaddict

infaddict

    Visiting Staff

  • Member
  • PipPipPip
  • 734 posts
Hi Beeps :)

Sorry for the delay in replying but I am sick :tazz:. I am hoping I will be able to reply in the next couple of days. Thanks for your patience.
  • 0

#8
beeps

beeps

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 148 posts
Oh, no problem man, I am sick too actually. It seems everybody is at this time of year. :)

I'm just crossing my fingers that my system holds up until then, it seems to be getting worse by the hour. :)
Should be fine though, I'll just try not to put it under any more strain and chill out until you are better.

Thanks dude, get well soon! :tazz:
  • 0

#9
infaddict

infaddict

    Visiting Staff

  • Member
  • PipPipPip
  • 734 posts
Hi beeps :)

When I attempted to load avg again I was told I had to update Roxio first, which I did. I was then presented with this error message:

Local machine: installation failed
Initialization:
Error: Checking of state of the item file link_User_AVG6_Desk (User) failed.
File opening failed. %FILE% = "C:\Documents and Settings\User\Desktop\AVG 6.0.lnk"
Permission denied

This error might happen if you've ever had an older version of AVG installed on your system (notice the error says 6.0 and the free version is up to 7.1). Please can you use Control Panel->Add/Remove Programs and look for any AVG antivirus entries and uninstall them. Then reboot your computer and re-try installing AVG Free (download again from here if you have deleted the install file).

This time around Zonealarm seemed to work without any problems.

Strangely, I can see no sign of ZoneAlarm in your log. If it was installed and running properly, I would expect to see this in your HijackThis log. Do you have a ZoneAlarm icon in your system tray (a red/yellow square with the letters 'ZA' which changes to red/green bars when the internet is being used)? If not, then my guess is something has gone wrong with the installation. Please can you use Control Panel->Add/Remove Programs and look for any ZoneAlarm entries and uninstall them. Then reboot your computer and try installing one of these other free firewalls: Sygate Personal Firewall ... Kerio Personal Firewall

Once you've done the above, please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
After you've posted the Spy Sweeper session log, please restart your computer and then post me a fresh HijackThis log :tazz:
  • 0
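For reading the session log those steps produce, here is an added triage script (not part of the original thread, and not Webroot's code). It parses Spy Sweeper's session-log lines, attaches each trace to the "Found <category>: <name>" header above it, and pulls out what a helper reads first: running threats, SafeBoot entries, and whether the sweep was cancelled. The sample log is constructed in that format, using threat names and paths that appear in this thread.

```python
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{2}:\d{2}): (.*)$")            # "16:12: <message>"
PHASE_RE = re.compile(r"^Starting (\w+) Sweep$")            # Memory / Registry / Cookie / File
FOUND_RE = re.compile(r"^Found ([^:]+): (.+)$")             # "Found Adware: psguard"
RUNNING_RE = re.compile(r"^Detected running threat: (.+?) \(ID = (-?\d+)\)$")
TRACE_RE = re.compile(r"^(.+?)(?: \((\d+) subtraces\))? \(ID = (-?\d+)\)$")

# Constructed sample in the format Spy Sweeper writes (not a log copied from any
# machine); the threat names and registry paths are ones seen in this thread.
SAMPLE_LOG = r"""
********
16:09: | Start of Session, 14 November 2005 |
16:09: Starting Memory Sweep
16:10: Found Trojan Horse: trojan-downloader-ruin
16:10: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
16:11: Starting Registry Sweep
16:11: Found Adware: cws_analyzeie
16:11: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
16:12: Found Adware: psguard desktop hijacker
16:12: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
16:12: Found Trojan Horse: trojan-backdoor-haxdoor
16:12: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu32.sys\ (1 subtraces) (ID = 703453)
16:12: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
16:12: Starting File Sweep
16:22: Found System Monitor: potentially rootkit-masked files
16:22: qz.dll (ID = 0)
16:22: avpu32.sys (ID = 0)
16:31: Sweep Canceled
********
"""


@dataclass
class Finding:
    category: str                 # "Trojan Horse", "Adware", "System Monitor"
    name: str                     # e.g. "trojan-backdoor-haxdoor"
    phase: str                    # sweep phase that found it: Memory/Registry/File
    traces: list = field(default_factory=list)  # (location, subtrace count, ID)
    running: bool = False         # a live process was attributed to this threat


def parse_session_log(text):
    """Return (findings, canceled); traces belong to the most recent 'Found' header."""
    findings, current, phase, canceled = [], None, "Unknown", False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                        # '********' separators, blank lines
        msg = m.group(2)
        p = PHASE_RE.match(msg)
        if p:
            phase, current = p.group(1), None
            continue
        if msg == "Sweep Canceled":         # incomplete scan: must not be read as clean
            canceled = True
            continue
        f = FOUND_RE.match(msg)
        if f:
            current = Finding(f.group(1), f.group(2), phase)
            findings.append(current)
            continue
        if current is None:
            continue                        # status lines before any finding
        r = RUNNING_RE.match(msg)           # try before the generic trace pattern
        if r:
            current.running = True
            current.traces.append((r.group(1), 1, int(r.group(2))))
            continue
        t = TRACE_RE.match(msg)
        if t:
            current.traces.append((t.group(1), int(t.group(2) or 1), int(t.group(3))))
    return findings, canceled


def triage(findings, canceled):
    """Roll the findings up into the points a helper reads first."""
    by_category = {}
    for f in findings:
        by_category[f.category] = by_category.get(f.category, 0) + 1
    return {
        "complete": not canceled,
        "by_category": by_category,
        "running": [f.name for f in findings if f.running],
        # Entries under ...\Control\SafeBoot\... are loaded in Safe Mode too, so
        # "clean it from Safe Mode" does not defeat them on its own.
        "safe_mode_persistence": [loc for f in findings for loc, _, _ in f.traces
                                  if "\\safeboot\\" in loc.lower()],
        "total_traces": sum(n for f in findings for _, n, _ in f.traces),
    }


if __name__ == "__main__":
    found, was_canceled = parse_session_log(SAMPLE_LOG)
    for key, value in triage(found, was_canceled).items():
        print(f"{key}: {value}")
```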

#10
beeps

beeps

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 148 posts
Hi there infaddict, I hope I haven't dragged you out of your sickbed for this. Thanks anyway for returning so quickly. :)

I had AVG on my computer long ago I think, so maybe this is interfering with the new version. There is no trace of the old one on my machine however, and in fact it may have been my old computer on which I had AVG installed. So there is no AVG to uninstall.

I do not have ZoneAlarm on my system tray but I do have the yellow and red icon on my desktop, on my start menu and listed in my programs folder. When I click them though nothing happens.
Attempts to uninstall it give me the error message:

"The file

C:\WINDOWS\System32\Zonelabs\vsmon.exe could not be opened"


Right clicking the icon and clicking run as gives me:

"current user
DUTRON-UZKAEDN\Shane" with dot to turn on or off ( starts as on )

below this a tick box to "protect my computer from unauthorised activity"

and then an option to choose a different user " following user" - and an empty box to write in

Clicking " ok" gives me:

"validation failed for C\:WINDOWS\System32\VSINIT.dll

you are probably missing the necessary root certificate"

followed sometimes by the same message with "VSDATA" in place of "VSINIT"

So I've made no progress with either of them.
Will I go ahead and run Webroot anyway?

Oh, I've just noticed from your sig that you are a Blackadder fan. Marvellous, this has just trebled my faith in you since no mere virus can possibly foil the machinations of someone who truly appreciates the mighty Blackadder! :tazz:

Edited by beeps, 13 November 2005 - 07:40 PM.

  • 0

#11
infaddict

infaddict

    Visiting Staff

  • Member
  • PipPipPip
  • 734 posts
Hey beeps :woot:

Please go ahead and run Spy Sweeper anyway and post back with the results. Then restart your machine and post again with a fresh HijackThis log.

We will re-visit the AVG and ZoneAlarm business after this :woot:

Speaking of BlackAdder, if this doesn't work, we'll have to resort to the age old fix : Stick 2 pencils up our nose, put some rubber underpants on our heads and run around shouting 'ah wibble' :tazz: :) :)
  • 0

#12
beeps

beeps

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 148 posts
Hi, I ran webroot. It was scanning happily enough finding lots of trojan downloaders and stuff when it came upon
C:\WINDOWS\System32\Zonelabs\vsvault.dll

It then froze, forcing me to restart the computer to get out.

Bah, foiled by the bloody zonelabs thingy again! Is there a way of skipping this in the scan?

On restart I was given an alert that a new program, dmhla.exe, had been added to start up when Windows starts. It gives me the option to remove it; should I do so? :tazz:

Here is the incomplete log:


********
16:09: | Start of Session, 14 November 2005 |
16:09: Spy Sweeper started
16:09: Sweep initiated using definitions version 572
16:09: Starting Memory Sweep
16:10: Found Trojan Horse: trojan-downloader-ruin
16:10: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
16:11: Memory Sweep Complete, Elapsed Time: 00:01:39
16:11: Starting Registry Sweep
16:11: Found Adware: cws_analyzeie
16:11: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
16:11: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116895)
16:11: Found Adware: searchtoolbar
16:11: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
16:12: Found Adware: surf accuracy
16:12: HKLM\software\sacc\ (5 subtraces) (ID = 203068)
16:12: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
16:12: Found Adware: psguard desktop hijacker
16:12: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
16:12: Found Trojan Horse: trojan-downloader-2pursuit
16:12: HKCR\clsid\{b212d577-05b7-4963-911e-4a8588160dfa}\ (5 subtraces) (ID = 511619)
16:12: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {b212d577-05b7-4963-911e-4a8588160dfa} (ID = 514158)
16:12: HKCR\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530420)
16:12: HKLM\software\classes\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530421)
16:12: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
16:12: HKLM\software\microsoft\windows\currentversion\ruins\ (94 subtraces) (ID = 605128)
16:12: Found Adware: psguard
16:12: HKLM\software\shudderltd\psguard\psguard\ || installationid (ID = 656376)
16:12: Found Trojan Horse: trojan-backdoor-haxdoor
16:12: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu32.sys\ (1 subtraces) (ID = 703453)
16:12: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu64.sys\ (1 subtraces) (ID = 703455)
16:12: HKLM\system\currentcontrolset\control\safeboot\network\avpu32.sys\ (1 subtraces) (ID = 703457)
16:12: HKLM\system\currentcontrolset\control\safeboot\network\avpu64.sys\ (1 subtraces) (ID = 703459)
16:12: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
16:12: HKLM\system\currentcontrolset\services\avpu64\ (11 subtraces) (ID = 703474)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\gg\conf\ (55 subtraces) (ID = 802702)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\style32\ (11 subtraces) (ID = 910485)
16:12: Registry Sweep Complete, Elapsed Time:00:00:48
16:12: Starting Cookie Sweep
16:12: Cookie Sweep Complete, Elapsed Time: 00:00:00
16:12: Starting File Sweep
16:13: c:\documents and settings\shane\application data\shudder global limited (11 subtraces) (ID = -2147473536)
16:13: c:\documents and settings\shane\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
16:13: Found System Monitor: win-spy monitor
16:13: c:\windows\dll (3 subtraces) (ID = -2147480025)
16:20: Found Trojan Horse: trojan-secdrop
16:20: bndmod.exe (ID = 81237)
16:20: hlmicro.exe (ID = 125496)
16:22: Found System Monitor: potentially rootkit-masked files
16:22: qz.dll (ID = 0)
16:22: qy.sys (ID = 0)
16:22: qz.sys (ID = 0)
16:22: avpu64.sys (ID = 0)
16:22: avpu32.sys (ID = 0)
16:31: Sweep Canceled
********
16:05: | Start of Session, 14 November 2005 |
16:05: Spy Sweeper started


And another incomplete scan with rootkits disabled:

********
16:59: | Start of Session, 14 November 2005 |
16:59: Spy Sweeper started
16:59: Sweep initiated using definitions version 572
16:59: Starting Memory Sweep
16:59: Found Trojan Horse: trojan-downloader-ruin
16:59: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
17:00: Memory Sweep Complete, Elapsed Time: 00:01:36
17:00: Starting Registry Sweep
17:00: Found Adware: cws_analyzeie
17:00: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
17:00: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116895)
17:01: Found Adware: searchtoolbar
17:01: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
17:01: Found Adware: surf accuracy
17:01: HKLM\software\sacc\ (5 subtraces) (ID = 203068)
17:01: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
17:01: Found Adware: psguard desktop hijacker
17:01: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
17:01: Found Trojan Horse: trojan-downloader-2pursuit
17:01: HKCR\clsid\{b212d577-05b7-4963-911e-4a8588160dfa}\ (5 subtraces) (ID = 511619)
17:01: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {b212d577-05b7-4963-911e-4a8588160dfa} (ID = 514158)
17:01: HKCR\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530420)
17:01: HKLM\software\classes\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530421)
17:01: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
17:01: HKLM\software\microsoft\windows\currentversion\ruins\ (94 subtraces) (ID = 605128)
17:01: Found Adware: psguard
17:01: HKLM\software\shudderltd\psguard\psguard\ || installationid (ID = 656376)
17:01: Found Trojan Horse: trojan-backdoor-haxdoor
17:01: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu32.sys\ (1 subtraces) (ID = 703453)
17:01: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu64.sys\ (1 subtraces) (ID = 703455)
17:01: HKLM\system\currentcontrolset\control\safeboot\network\avpu32.sys\ (1 subtraces) (ID = 703457)
17:01: HKLM\system\currentcontrolset\control\safeboot\network\avpu64.sys\ (1 subtraces) (ID = 703459)
17:01: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
17:01: HKLM\system\currentcontrolset\services\avpu64\ (11 subtraces) (ID = 703474)
17:01: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
17:01: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\gg\conf\ (55 subtraces) (ID = 802702)
17:01: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\style32\ (11 subtraces) (ID = 910485)
17:01: Registry Sweep Complete, Elapsed Time:00:00:33
17:01: Starting Cookie Sweep
17:01: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:01: Starting File Sweep
17:01: c:\documents and settings\shane\application data\shudder global limited (11 subtraces) (ID = -2147473536)
17:01: c:\documents and settings\shane\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
17:01: Found System Monitor: win-spy monitor
17:01: c:\windows\dll (3 subtraces) (ID = -2147480025)
17:06: Found Trojan Horse: trojan-secdrop
17:06: bndmod.exe (ID = 81237)
17:06: hlmicro.exe (ID = 125496)
17:17: Sweep Canceled
********
16:09: | Start of Session, 14 November 2005 |
16:09: Spy Sweeper started
16:09: Sweep initiated using definitions version 572
16:09: Starting Memory Sweep
16:10: Found Trojan Horse: trojan-downloader-ruin
16:10: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
16:11: Memory Sweep Complete, Elapsed Time: 00:01:39
16:11: Starting Registry Sweep
16:11: Found Adware: cws_analyzeie
16:11: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
16:11: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116895)
16:11: Found Adware: searchtoolbar
16:11: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
16:12: Found Adware: surf accuracy
16:12: HKLM\software\sacc\ (5 subtraces) (ID = 203068)
16:12: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
16:12: Found Adware: psguard desktop hijacker
16:12: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
16:12: Found Trojan Horse: trojan-downloader-2pursuit
16:12: HKCR\clsid\{b212d577-05b7-4963-911e-4a8588160dfa}\ (5 subtraces) (ID = 511619)
16:12: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {b212d577-05b7-4963-911e-4a8588160dfa} (ID = 514158)
16:12: HKCR\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530420)
16:12: HKLM\software\classes\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530421)
16:12: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
16:12: HKLM\software\microsoft\windows\currentversion\ruins\ (94 subtraces) (ID = 605128)
16:12: Found Adware: psguard
16:12: HKLM\software\shudderltd\psguard\psguard\ || installationid (ID = 656376)
16:12: Found Trojan Horse: trojan-backdoor-haxdoor
16:12: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu32.sys\ (1 subtraces) (ID = 703453)
16:12: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu64.sys\ (1 subtraces) (ID = 703455)
16:12: HKLM\system\currentcontrolset\control\safeboot\network\avpu32.sys\ (1 subtraces) (ID = 703457)
16:12: HKLM\system\currentcontrolset\control\safeboot\network\avpu64.sys\ (1 subtraces) (ID = 703459)
16:12: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
16:12: HKLM\system\currentcontrolset\services\avpu64\ (11 subtraces) (ID = 703474)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\gg\conf\ (55 subtraces) (ID = 802702)
16:12: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\style32\ (11 subtraces) (ID = 910485)
16:12: Registry Sweep Complete, Elapsed Time:00:00:48
16:12: Starting Cookie Sweep
16:12: Cookie Sweep Complete, Elapsed Time: 00:00:00
16:12: Starting File Sweep
16:13: c:\documents and settings\shane\application data\shudder global limited (11 subtraces) (ID = -2147473536)
16:13: c:\documents and settings\shane\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
16:13: Found System Monitor: win-spy monitor
16:13: c:\windows\dll (3 subtraces) (ID = -2147480025)
16:20: Found Trojan Horse: trojan-secdrop
16:20: bndmod.exe (ID = 81237)
16:20: hlmicro.exe (ID = 125496)
16:22: Found System Monitor: potentially rootkit-masked files
16:22: qz.dll (ID = 0)
16:22: qy.sys (ID = 0)
16:22: qz.sys (ID = 0)
16:22: avpu64.sys (ID = 0)
16:22: avpu32.sys (ID = 0)
16:31: Sweep Canceled
********
16:05: | Start of Session, 14 November 2005 |
16:05: Spy Sweeper started
16:06: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.

Edited by beeps, 14 November 2005 - 11:23 AM.

#13 beeps (Member, Topic Starter, 148 posts)

OK, I managed to get a successful scan by switching off the compressed files and rootkits options.

********
17:24: | Start of Session, 14 November 2005 |
17:24: Spy Sweeper started
17:24: Sweep initiated using definitions version 572
17:24: Starting Memory Sweep
17:24: Found Trojan Horse: trojan-downloader-ruin
17:24: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
17:26: Memory Sweep Complete, Elapsed Time: 00:01:40
17:26: Starting Registry Sweep
17:26: Found Adware: cws_analyzeie
17:26: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
17:26: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116895)
17:26: Found Adware: searchtoolbar
17:26: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
17:26: Found Adware: surf accuracy
17:26: HKLM\software\sacc\ (5 subtraces) (ID = 203068)
17:26: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
17:26: Found Adware: psguard desktop hijacker
17:26: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
17:26: Found Trojan Horse: trojan-downloader-2pursuit
17:26: HKCR\clsid\{b212d577-05b7-4963-911e-4a8588160dfa}\ (5 subtraces) (ID = 511619)
17:26: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {b212d577-05b7-4963-911e-4a8588160dfa} (ID = 514158)
17:26: HKCR\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530420)
17:26: HKLM\software\classes\clsid\{405132a4-5dd1-4ba8-a181-95c8d435093a}\ (5 subtraces) (ID = 530421)
17:26: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
17:26: HKLM\software\microsoft\windows\currentversion\ruins\ (94 subtraces) (ID = 605128)
17:26: Found Adware: psguard
17:26: HKLM\software\shudderltd\psguard\psguard\ || installationid (ID = 656376)
17:26: Found Trojan Horse: trojan-backdoor-haxdoor
17:26: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu32.sys\ (1 subtraces) (ID = 703453)
17:26: HKLM\system\currentcontrolset\control\safeboot\minimal\avpu64.sys\ (1 subtraces) (ID = 703455)
17:26: HKLM\system\currentcontrolset\control\safeboot\network\avpu32.sys\ (1 subtraces) (ID = 703457)
17:26: HKLM\system\currentcontrolset\control\safeboot\network\avpu64.sys\ (1 subtraces) (ID = 703459)
17:26: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
17:26: HKLM\system\currentcontrolset\services\avpu64\ (11 subtraces) (ID = 703474)
17:26: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
17:26: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\gg\conf\ (55 subtraces) (ID = 802702)
17:26: HKU\S-1-5-21-2052111302-1770027372-839522115-1005\software\microsoft\style32\ (11 subtraces) (ID = 910485)
17:26: Registry Sweep Complete, Elapsed Time:00:00:47
17:26: Starting Cookie Sweep
17:26: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:26: Starting File Sweep
17:27: c:\documents and settings\shane\application data\shudder global limited (11 subtraces) (ID = -2147473536)
17:27: c:\documents and settings\shane\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
17:27: Found System Monitor: win-spy monitor
17:27: c:\windows\dll (3 subtraces) (ID = -2147480025)
17:31: Found Trojan Horse: trojan-secdrop
17:31: bndmod.exe (ID = 81237)
17:31: hlmicro.exe (ID = 125496)
17:32: File Sweep Complete, Elapsed Time: 00:05:41
17:32: Full Sweep has completed. Elapsed time 00:08:10
17:32: Traces Found: 278
17:33: Removal process initiated
17:33: Quarantining All Traces: cws_analyzeie
17:33: Quarantining All Traces: psguard
17:33: Quarantining All Traces: trojan-backdoor-haxdoor
17:33: Quarantining All Traces: trojan-downloader-ruin
17:33: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
17:33: Failed to quarantine trojan-downloader-ruin
17:33: Failed to quarantine C:\WINDOWS\explorer.exe
17:33: Quarantining All Traces: win-spy monitor
17:33: Quarantining All Traces: psguard desktop hijacker
17:33: Quarantining All Traces: trojan-downloader-2pursuit
17:33: Quarantining All Traces: trojan-secdrop
17:33: Quarantining All Traces: searchtoolbar
17:33: Quarantining All Traces: surf accuracy
17:33: Warning: Launched explorer.exe
17:33: Warning: Quarantine process could not restart Explorer.
17:35: Removal process completed. Elapsed time 00:01:57


It suggested that I restore my homepage to default. When I did this my computer went haywire. It would not start up, immediately crashing even before logging in. I ran ewido and adware in safe mode, and then on my second attempt to open normally it went fine. I was informed that the system had recovered from a serious error. ZoneAlarm is now running properly, it seems.

Here is a hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 18:59:56, on 14/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hopefully that's some of the nasties dealt with. :tazz:
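The Spy Sweeper logs in this thread are cumulative (every run is appended to the same file), so the two findings that matter most for follow-up are easy to lose in the noise: a sweep that was cancelled after listing "potentially rootkit-masked files", and a removal that could not quarantine the trojan-downloader-ruin detection because it sits in explorer.exe, a protected OS file. The Python script below is an added example written for this page; it is not a Webroot tool and not code from anyone in the thread. It parses a constructed log fragment in the same format as the ones posted (a line of asterisks between sessions, "HH:MM: message" entries, a "Found <Category>: <name>" line followed by trace lines ending in "(ID = n)") and reports, per session, what was detected and why a person still needs to act. The class and function names are my own, and the sample log is constructed from file and registry names that appear in the thread.

```python
# Added example (not a Webroot tool): triage a Spy Sweeper log in the format posted in this thread.
from __future__ import annotations

import re
from dataclasses import dataclass, field

SESSION_SEP = "********"                              # separates sessions in the log
LINE_RE = re.compile(r"^\d\d:\d\d: (?P<msg>.*)$")     # every entry is "HH:MM: message"
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
SUBTRACE_RE = re.compile(r"\((\d+) subtraces\)")
ROOTKIT_MASKED = "potentially rootkit-masked files"   # Spy Sweeper's name for this finding

@dataclass
class Threat:
    name: str
    category: str
    traces: list[str] = field(default_factory=list)   # file, registry or process traces
    subtraces: int = 0                                 # sum of the "(n subtraces)" counts

@dataclass
class Session:
    completed: bool = False                            # "Full Sweep has completed" was logged
    cancelled: bool = False                            # "Sweep Canceled" was logged
    threats: list[Threat] = field(default_factory=list)
    running_threats: list[str] = field(default_factory=list)     # detections in live processes
    quarantine_failures: list[str] = field(default_factory=list)

def parse_log(text: str) -> list[Session]:
    """Split the log at separator lines; attach each trace line to the Found entry before it."""
    sessions: list[Session] = []
    current = last = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == SESSION_SEP:                        # next timestamped line opens a new session
            current = last = None
            continue
        m = LINE_RE.match(line)
        if not m:                                      # blank lines, untimestamped client messages
            continue
        msg = m["msg"]
        if current is None:
            current = Session()
            sessions.append(current)
        found = FOUND_RE.match(msg)
        if found:
            last = Threat(found["name"], found["category"])
            current.threats.append(last)
        elif msg.startswith("Detected running threat: "):
            path = msg[len("Detected running threat: "):].split(" (ID = ")[0]
            current.running_threats.append(path)
            if last is not None:
                last.traces.append(path)
        elif msg == "Sweep Canceled":
            current.cancelled = True
        elif msg.startswith("Full Sweep has completed"):
            current.completed = True
        elif msg.startswith("Failed to quarantine "):
            current.quarantine_failures.append(msg[len("Failed to quarantine "):])
        elif "(ID = " in msg and last is not None:
            last.traces.append(msg.split(" (")[0])     # strip "(n subtraces) (ID = n)"
            sub = SUBTRACE_RE.search(msg)
            last.subtraces += int(sub.group(1)) if sub else 0
    return sessions

def followup_reasons(s: Session) -> list[str]:
    """Findings that a bare 'Traces Found' count hides and that need a person to act on."""
    reasons = ["sweep was cancelled, so the results are partial"] if s.cancelled else []
    for t in s.threats:
        if t.name == ROOTKIT_MASKED:
            reasons.append("rootkit-masked files reported: " + ", ".join(t.traces))
    reasons += ["detection inside a running process: " + p for p in s.running_threats]
    reasons += ["quarantine failed for: " + f for f in s.quarantine_failures]
    return reasons

# SAMPLE_LOG is a constructed fragment modelled on the logs in this thread; not a real log file.
SAMPLE_LOG = r"""
********
17:24: Found Trojan Horse: trojan-downloader-ruin
17:24: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
17:26: Found Trojan Horse: trojan-backdoor-haxdoor
17:26: HKLM\system\currentcontrolset\services\avpu32\ (11 subtraces) (ID = 703462)
17:26: HKLM\system\currentcontrolset\services\avpu64\ (11 subtraces) (ID = 703474)
17:31: Found Trojan Horse: trojan-secdrop
17:31: bndmod.exe (ID = 81237)
17:32: Full Sweep has completed. Elapsed time 00:08:10
17:33: Failed to quarantine trojan-downloader-ruin
17:33: Failed to quarantine C:\WINDOWS\explorer.exe
********
16:20: Found Trojan Horse: trojan-secdrop
16:20: bndmod.exe (ID = 81237)
16:22: Found System Monitor: potentially rootkit-masked files
16:22: qz.dll (ID = 0)
16:22: avpu32.sys (ID = 0)
16:31: Sweep Canceled
"""

if __name__ == "__main__":
    for i, s in enumerate(parse_log(SAMPLE_LOG)):
        print(f"session {i}: completed={s.completed}", [t.name for t in s.threats], followup_reasons(s))
```

Run it directly and it prints one line per session. The point of `followup_reasons` is that a count such as "Traces Found: 278" says nothing about a cancelled sweep, a driver that the scanner could only flag as rootkit-masked, or a quarantine that failed on a protected system file; those are exactly the items the helper in this thread asks to see next, so they are surfaced explicitly rather than buried among hundreds of registry traces.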

#14 infaddict (Visiting Staff, 734 posts)

Hey beeps, thanks for the prompt reply and staying with me on this fix... we'll nail these infections :)

SpySweeper is telling me you may have a rootkit infection, which is a special type of infection that installs itself deep inside Windows (at the kernel level) so it can hide itself and do other nasty things. I think this may also be messing with ZoneAlarm.

I think our top priority is trying to fix this rootkit infection.

On restart I was given an alert that a new program: dmhla.exe - had been added to start up when Windows starts. It gives me the option to remove it; should I do so?

I cannot find any reference to dmhla.exe in all my research material, so I would say it's 99.9999% likely to be bad. Unless you know otherwise, I would not let that program start up or access the internet.


Rootkit detection

Download and Save Blacklight to your desktop:

Double-click blbeta.exe, then accept the agreement, leave [X] scan through Windows Explorer checked, click > scan, then > next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".


Thanks :tazz:

#15 beeps (Member, Topic Starter, 148 posts)

Hi there!

I ran Blacklight without any problems, but it did not give me the option to scan through Windows Explorer.
It found no objects and I could not find a text file anywhere.

I can't think what I may have done wrong.

I am no longer having problems with staying on the internet, btw, although my background screen hasn't returned. Dare I hope we've made some impression on these infections? It would appear so, but I won't get over-excited too soon :tazz:.