icex _ (Premium, joined 2004-05-22, USA)
[Virus] Viruses and spyware!
Hello all,
I've been working on my friend's computer since last Monday, cleaning out spyware and viruses. I've cleared most out, but I still think there's more left. I've used Spybot Search & Destroy, Ad-Aware, avast!, and AVG. This computer has two accounts. On the "Mom" account it seems fine. On the other account (they're both admin accounts, by the way) all is not fine, and it keeps giving the Blue Screen of Death. I'm not sure why, but the most recent blue screen was something about xpdx.sys. I found xpdx.sys, but I can't delete it, because it says it can't find the file, and it says it's 0 KB when it's 60 KB.
Here's a HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 21:51, on 2007-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\catchme.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - www.kaspersky.com/downloads/kws/···code.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com/PhotoUpload/MsnPU···,0,911,0
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - software-dl.real.com/237ef6a9f56···E601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupda···52978812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - www.verizon.net/checkmypc/includ···Qual.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
I also ran SDFix. Here's the log of that:
SDFix: Version 1.88
Run by Beth on 2007-07-01 at 22:03
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode: Checking Services:
Name:
DP1112
windev-6401-3e37

ImagePath:
\??\C:\WINDOWS\System32\Drivers\DP.sys
\??\C:\WINDOWS\System32\windev-6401-3e37.sys

DP1112 - Deleted
windev-6401-3e37 - Deleted
Modified Winlogon.exe Found!
Winlogon Files Found:
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe
Infected Files Listed Below:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service
Rebooting...
Service runtime2 - Deleted after Reboot
Normal Mode: Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\system32\windev-6401-3e37.sys - Deleted
C:\DOCUME~1\BETH\APPLIC~1\MICROS~1\20509.DAT - Deleted
C:\WINDOWS\system32\pfnlet\winlogon.ini - Deleted
C:\Documents and Settings\Beth\Start Menu\Programs\Startup\winlogon.lnk - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\cssrss.exe - Deleted
C:\WINDOWS\system32\nso12k.sys - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\system32\vexg4am1et2.exe - Deleted
C:\WINDOWS\system32\vexga4m1et4.exe - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\system32\windows_log.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32 No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Documents and Settings\Beth\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp
C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off3.tmp
C:\WINDOWS\java\classes\srakba.tmp
C:\WINDOWS\java\classes\srakba.tmp2
C:\WINDOWS\system32\tstwa.tmp
Listing User Accounts:
Administrator
Beth
Guest
HelpAssistant
Owner
SUPPORT_388945a0
Finished
How does the HijackThis log look to you security folks? Anything else to run? I'm tired of working on this computer... it's been a week now of cleaning out this mess.
-- Team Discovery
icex _:
By the way, SDFix is catchme.exe.
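Reading a HijackThis log by eye means scanning a hundred lines for the five that matter. The script below is an added example, not part of this thread and not anything HijackThis itself does; it pulls out the entry types that most often carry persistence. The sample input is nine entries copied from the log above (the Run values, the winlogon.lnk startup item, the LSP, the missing-file O18 and O23 lines), and the heuristics are mine: a Run value named as a bare GUID, a startup shortcut whose target is unresolved ("?") or whose name borrows a core Windows process, an unknown Winsock LSP, a service with an unknown publisher, and any entry whose target is flagged "(file missing)".

```python
"""Triage a HijackThis v1.99 log for the entry types that most often carry
persistence. Heuristics only: every hit is a candidate for a human look,
not a verdict (the Bonjour LSP below is a legitimate hit, for instance)."""
import re

# Constructed input: nine entries copied from the log posted above, not the
# whole log. Real logs are one entry per line in exactly this shape.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Core Windows process names. A startup shortcut or Run value that borrows
# one of them is a classic disguise (the SDFix log later deletes winlogon.lnk).
SYSTEM_NAMES = {"winlogon", "csrss", "smss", "lsass", "services", "svchost"}


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\Run: [name] path' into (section, body); None if not an entry."""
    m = re.match(r"^(O\d+|R\d+|F\d+|N\d+)\s*-\s*(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return [(section, reason, entry)] for every entry worth a second look."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        section, body = parsed
        entry = line.strip()
        if "(file missing)" in body:
            # A hook whose target is gone: either a leftover of a removed
            # component or a cleaned payload whose loading point survived.
            hits.append((section, "target missing", entry))
            continue
        if section == "O4":
            m = re.search(r"\[(.+?)\]", body)
            name = m.group(1) if m else ""
            if GUID_RE.match(name):
                hits.append((section, "GUID-named Run value", entry))
            lnk = re.match(r"(?:Global )?Startup:\s*(.+?)\.lnk\s*=\s*(.*)$", body)
            if lnk:
                base, target = lnk.group(1).lower(), lnk.group(2).strip()
                if target == "?" or base in SYSTEM_NAMES:
                    hits.append((section, "startup shortcut: unresolved target or system-binary name", entry))
        elif section == "O10":
            hits.append((section, "unknown Winsock LSP (verify vendor)", entry))
        elif section == "O23":
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[1].lower() == "unknown":
                hits.append((section, "service with unknown publisher", entry))
    return hits


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:60} {entry}")
```

Run against the sample it reports five entries: the GUID-named Update.exe Run value, the winlogon.lnk startup item with no target, the Bonjour LSP (a legitimate hit that a vendor check clears), and the two "(file missing)" lines. Everything that looks like a normal vendor Run value (Java, TeaTimer, HP) passes without comment, which is the point: the list is short enough to actually check.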
CalamityJane (Premium, VIP, MVM, joined 2002-08-27, Eustis, FL), reply to icex _:
Yuk! All of those files found by SDFix are really malicious rootkits and remote access trojans.
Are you aware of the complications and security risks of such a compromise?
What is a backdoor or remote access trojan? Read this article: Danger: Remote Access Trojans (www.microsoft.com/technet/securi···rat.mspx)
When should I re-format? How should I reinstall? (Security FAQ: When should I re-format? How should I reinstall?)
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (Security FAQ: How to report ID theft, fraud, drive-by installs, hijacking and malware?)
Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.
It's a trivial matter to clean up the rootkit itself (most rootkits and all botnet clients are Remote Access Trojans (RATs)), and SDFix has done that, but...
A RAT is a program that allows a remote user to connect to the computer and issue commands.
Unless you can be sure that a remote user did not connect to the machine and run commands on it (which is almost always impossible to ascertain), you cannot know what damage the bad guy has done above and beyond installing the rootkit.
That unknown is what accounts for the recommendation to rebuild the machine.
-- It takes a disaster to make a woman out of a female. Microsoft MVP/Windows Security 2003-2007. Proud Member of ASAP (Alliance of Security Analysis Professionals)
icex _:
Thank you for your reply.
Yes, I know all about backdoors and remote access trojans; they're nasty and hard to deal with. I'd like to get this computer cleaned up, because my friend doesn't have format disks for this computer. It's a 2001 Dell Dimension 2300.
Is the only solution to format? Or can it be cleaned up?
icex _:
avast! keeps finding these viruses but will not delete them.
C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\A0023379.sys
C:\System Volume Information\...\A0023382.exe
C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe
It gives the error "Error occurred during file deleting: The operation is not supported for this type of archive."
I will call my friend tomorrow and see what she wants me to do. They have a lot of stuff on here, so I'd like to try to fix it before I format it. Is there any way to reformat without the Dell disks?
Edited to add: I believe the infection began on June 3rd, 2007. As soon as she noticed problems, she quit using this computer and called me. I didn't get it until last week though, and she called on June 12th.
CalamityJane, reply to icex _:
The problem lies in the cleanup, because of system changes that may have been made that are not detectable by any scanners. There could be hidden ways for an intruder to get back into that machine, and I wouldn't trust it even if you think you can clean it. Sure, you've deleted the infected files, but how would you know what has been done to lower system security?
Not much else you can do but warn them that a system compromise is like leaving your house unlocked and allowing anyone to walk in and steal information and then give them a duplicate key so they can come back if they missed anything.
Anything in the System Volume Information folder is the backups of System Restore, and those can be easily reset, but Windows won't allow 3rd-party apps to delete them. You'll need to reset System Restore thusly to clear them:
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Put a Checkmark in the box next to "Turn off System Restore". Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Remove the checkmark next to "Turn off System Restore". Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP: support.microsoft.com/default.as···s;310405
...........................
This file... send it to me to examine please: C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe
Here is how:
Please go here to upload a suspicious file for analysis. »www.uploadmalware.com/
* Enter your username from this forum as: icex _ at DSLR
* Copy and paste the link to this thread:
* Click "Browse" on the 1. field. Browse to the following file and click the file with your mouse, press "Open" C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe
* In the comments, please mention that I asked you to upload this file:
* Click on Send File
CalamityJane, reply to icex _:
Let's run this tool next, please:
1. Download this file - combofix.exe
2. Double click on combofix.exe & follow the prompts.
Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.
3. When finished, it shall produce a log for you, ComboFix.txt. Post that log in your next reply.
icex _, reply to CalamityJane:
CalamityJane,
Thank you for your reply.
I tried uploading C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe but it would not upload. It uploaded C:\Windows\itpbb_4.exe.
CalamityJane, reply to icex _:
I got it - it's adware. Delete the file if possible.
Run the ComboFix tool in my last reply
And, finally, did you run the AVG Anti-Spyware program that is in the FAQ (Step 1d)? Security Cleanup FAQ: Mandatory Steps Before Requesting Assistance
If not, do that now please, after the ComboFix, which won't take very long and will give me a comprehensive log to look at. Then run the AVG Anti-Spyware program after updating it.
icex _, reply to CalamityJane:
Here is the log; sorry for the slow reply.
Start Time= 2007-07-02 13:01:38.50
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 00:56:04 ( .D... ) "C:\Program Files\GRISOFT"
2007-07-02 00:43:56 64 ( A.... ) "C:\ComboFix.txt.bat"
2007-07-01 00:58:28 517120 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2007-06-28 04:06:28 ( .D... ) "C:\Program Files\Alwil Software"
2007-06-27 14:44:10 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2007-06-27 14:07:26 ( .D... ) "C:\Program Files\CCleaner"
2007-06-26 12:45:26 ( .D... ) "C:\Program Files\Common Files\{448C6F08-0702-1033-0826-020409200001}"
2007-06-07 21:52:46 14359 ( A.... ) "C:\WINDOWS\system32\a3dx8.dll"
2007-06-05 20:30:22 134353 ( A.... ) "C:\WINDOWS\system32\alt.exe"
2007-06-05 08:24:04 87552 ( A.... ) "C:\WINDOWS\catchme.exe"
2007-06-03 19:07:48 12800 ( A.... ) "C:\WINDOWS\system32\svchost.exe"
2007-06-03 18:42:46 220349 ( A.... ) "C:\WINDOWS\itpb_4.exe"
2007-06-03 13:42:58 ( .D... ) "C:\Documents and Settings\Beth\Application Data\U3"
2007-06-01 22:55:06 2 ( A.... ) "C:\WINDOWS\system32\wnscpsv32.exe"
2007-06-01 11:19:20 17664 ( A.... ) "C:\WINDOWS\system32\vxddsk.exe"
2007-06-01 11:19:18 32256 ( A.... ) "C:\WINDOWS\system32\SUSP.exe"
2007-06-01 11:19:18 14848 ( A.... ) "C:\WINDOWS\system32\wml.exe"
2007-06-01 11:19:14 16640 ( A.... ) "C:\WINDOWS\system32\satmat.exe"
2007-06-01 11:19:12 30464 ( A.... ) "C:\WINDOWS\system32\Biprep.exe"
2007-06-01 11:19:08 21248 ( A.... ) "C:\WINDOWS\7search.dll"
2007-06-01 11:19:06 31744 ( A.... ) "C:\WINDOWS\flt.dll"
2007-06-01 11:19:00 31488 ( A.... ) "C:\WINDOWS\764.exe"
2007-06-01 11:18:56 27136 ( A.... ) "C:\WINDOWS\pbar.dll"
2007-06-01 11:18:48 29440 ( A.... ) "C:\WINDOWS\stcloader.exe"
2007-06-01 11:18:42 27648 ( A.... ) "C:\WINDOWS\voiceip.dll"
2007-06-01 11:18:38 20224 ( A.... ) "C:\WINDOWS\bokja.exe"
2007-06-01 11:18:38 19968 ( A.... ) "C:\WINDOWS\swin32.dll"
2007-06-01 11:18:38 13312 ( A.... ) "C:\WINDOWS\cdsm32.dll"
2007-06-01 11:18:36 29440 ( A.... ) "C:\WINDOWS\mspphe.dll"
2007-06-01 11:18:30 14848 ( A.... ) "C:\WINDOWS\bjam.dll"
2007-06-01 11:18:26 24832 ( A.... ) "C:\WINDOWS\system32\MSIXU.DLL"
2007-06-01 11:18:22 31488 ( A.... ) "C:\WINDOWS\system32\WER8274.DLL"
2007-06-01 11:18:16 27392 ( A.... ) "C:\WINDOWS\system32\salm.exe"
2007-06-01 11:18:16 11520 ( A.... ) "C:\WINDOWS\system32\180ax.exe"
2007-06-01 11:18:12 20224 ( A.... ) "C:\WINDOWS\system32\updatetc.exe"
2007-06-01 11:18:06 9984 ( A.... ) "C:\WINDOWS\saiemod.dll"
2007-06-01 11:17:34 25088 ( A.... ) "C:\WINDOWS\system32\msdn_lib.dll"
2007-06-01 11:06:34 34816 ( A.... ) "C:\WINDOWS\rau001978.exe"
2007-05-10 19:00:26 ( .D... ) "C:\Program Files\Common Files\Java"
2007-04-30 11:46:10 745600 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2007-04-30 11:35:28 95872 ( A.... ) "C:\WINDOWS\system32\AvastSS.scr"
2007-04-27 16:45:12 14970328 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-04-17 01:47:36 33624 ( A.... ) "C:\WINDOWS\system32\wups.dll"
2007-04-17 01:45:54 1710936 ( A.... ) "C:\WINDOWS\system32\wuaueng.dll"
2007-04-17 01:45:48 549720 ( A.... ) "C:\WINDOWS\system32\wuapi.dll"
2007-04-17 01:45:42 325976 ( A.... ) "C:\WINDOWS\system32\wucltui.dll"
2007-04-17 01:45:36 203096 ( A.... ) "C:\WINDOWS\system32\wuweb.dll"
2007-04-17 01:45:28 92504 ( A.... ) "C:\WINDOWS\system32\cdm.dll"
2007-04-17 01:45:20 53080 ( A.... ) "C:\WINDOWS\system32\wuauclt.exe"
2007-04-17 01:45:20 43352 ( A.... ) "C:\WINDOWS\system32\wups2.dll"
2007-04-02 17:21:28 428032 ( A.... ) "C:\WINDOWS\system32\swreg.exe"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Watch.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"{448C6F08-0701-1033-0826-020409200001}"="\"C:\\Program Files\\Common Files\\{448C6F08-0701-1033-0826-020409200001}\\Update.exe\" te-110-12-0000282"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\" /WinStart"
"hkey"="HKCU"
"command"="\"\\\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{448C6F08-0701-1033-0826-020409200001}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\{448C6F08-0701-1033-0826-020409200001}\\Update.exe\" te-110-12-0000282"
"inimapping"="0"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\85D491DD93E32F55.job
C:\WINDOWS\tasks\AAF587AF918A3BEF.job
Completion time: 2007-07-02 13:03:11.35
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
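The Find3M section of that log is a list of files modified in the last three months, which makes it a ready-made timeline: a dropper writes its payload as a run of files seconds apart, and that run stands out once the list is sorted. The script below is an added example (mine, not part of this thread and not ComboFix's own logic) that parses the Find3M line format and groups plain files written within a minute of each other. The input is a constructed excerpt of the report above, and the one-minute gap and four-file minimum are my own thresholds. Legitimate patch cycles also write many files at once (the wu*.dll files dated 2007-04-17 in the same report), so a second check looks at where the files landed rather than only when: installers almost never drop bare executables directly into C:\WINDOWS.

```python
"""Cluster a ComboFix Find3M report by modification time to find a drop burst,
then flag files written straight into the Windows root. Added example; the
thresholds and the 'Windows root' heuristic are assumptions, not ComboFix's."""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the Find3M report posted above (not the full list).
FIND3M_EXCERPT = r"""
2007-07-02 00:56:04 ( .D... ) "C:\Program Files\GRISOFT"
2007-07-01 00:58:28 517120 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2007-06-03 19:07:48 12800 ( A.... ) "C:\WINDOWS\system32\svchost.exe"
2007-06-01 22:55:06 2 ( A.... ) "C:\WINDOWS\system32\wnscpsv32.exe"
2007-06-01 11:19:20 17664 ( A.... ) "C:\WINDOWS\system32\vxddsk.exe"
2007-06-01 11:19:18 32256 ( A.... ) "C:\WINDOWS\system32\SUSP.exe"
2007-06-01 11:19:08 21248 ( A.... ) "C:\WINDOWS\7search.dll"
2007-06-01 11:18:48 29440 ( A.... ) "C:\WINDOWS\stcloader.exe"
2007-06-01 11:18:16 11520 ( A.... ) "C:\WINDOWS\system32\180ax.exe"
2007-06-01 11:17:34 25088 ( A.... ) "C:\WINDOWS\system32\msdn_lib.dll"
2007-06-01 11:06:34 34816 ( A.... ) "C:\WINDOWS\rau001978.exe"
2007-04-17 01:45:54 1710936 ( A.... ) "C:\WINDOWS\system32\wuaueng.dll"
2007-04-17 01:45:48 549720 ( A.... ) "C:\WINDOWS\system32\wuapi.dll"
2007-04-17 01:45:20 53080 ( A.... ) "C:\WINDOWS\system32\wuauclt.exe"
"""

# <timestamp> [<size>] ( <attrs> ) "<path>"; directories have no size field.
LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:(\d+)\s+)?\(\s*([A-Za-z.]+)\s*\)\s+"(.+)"$'
)


def parse_find3m(text):
    """Return [(mtime, size or None, attrs, path)] for every parseable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    int(size) if size else None, attrs, path))
    return out


def find_bursts(entries, max_gap=timedelta(seconds=60), min_files=4):
    """Group plain files (attrs without 'D') whose mtimes are within max_gap
    of the previous file. Returns [(first, last, [paths])] for groups that
    reach min_files, oldest burst first."""
    files = sorted((e for e in entries if "D" not in e[2]), key=lambda e: e[0])
    bursts, current = [], []

    def flush():
        if len(current) >= min_files:
            bursts.append((current[0][0], current[-1][0], [c[3] for c in current]))

    for e in files:
        if current and e[0] - current[-1][0] > max_gap:
            flush()
            current = []
        current.append(e)
    flush()
    return bursts


def suspicious_paths(paths):
    """Files written directly under <drive>:\\WINDOWS with no subfolder."""
    return [p for p in paths
            if re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", p, re.IGNORECASE)]


if __name__ == "__main__":
    for first, last, paths in find_bursts(parse_find3m(FIND3M_EXCERPT)):
        print(f"{first} .. {last}: {len(paths)} files, "
              f"{len(suspicious_paths(paths))} written into the Windows root")
        for p in paths:
            print("   ", p)
```

On the excerpt this reports one burst, 2007-06-01 11:17:34 to 11:19:20, six files, two of them dropped straight into C:\WINDOWS. Lowering min_files to 3 also surfaces the Windows Update cluster from 2007-04-17, which is the reminder that timing alone is not a verdict; the full report above has many more files in both clusters, so the thresholds need tuning per log.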
CalamityJane, reply to icex _:
The free version of AVG Anti-Spyware is on the far right. Here is the direct download link (be sure you get the updates first before scanning with it).
icex _, reply to CalamityJane:
Deleted.
I will download AVG Anti-Spyware now and run it... it'll take a few.

icex _:
This will take about 2 hours for me to download, because unfortunately I'm on 28k dial-up, lol.
CalamityJane, reply to icex _:
OK, no problem. I've got to go to bed myself now.
We can pick this up tomorrow?
The combofix log doesn't look right.
The top part should begin with something like this:
quote: ComboFix 07-06-18.2 - C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe "Compaq_Administrator" - 2007-07-02 1:08:45 - Service Pack 2 NTFS
It would be located here: C:\ComboFix.txt
icex _:
Sure, I'll post results tonight; I'll be on at 11 or 12.
ComboFix: Nope, it starts with "Start time:".
Would you like me to rerun it?
Edit: Reran it with same results.
Also, the clock is screwed up. It shows 13:38, even though I set it to Eastern time... and it doesn't show AM/PM :S lol
CalamityJane:
I found the problem with ComboFix. The download link I gave you is an old version. My apologies.
Delete that ComboFix.exe and replace it with this one please: Run a fresh scan with that one and post the results please.
The clock format is reset by the tool so that one of the logs will be produced properly. As soon as we're done with the fixing, it can be set back to the preferred settings as follows. Here is a link that shows how to change the clock settings and what the symbols mean: www.howtogeek.com/howto/windows-···s-vista/
That is for Vista but would be similar in Win2k and XP. If you go to the Control Panel and choose "Regional & Language Settings", then choose "Customize" and the "Time" tab, you can set the clock display in a number of ways as desired.
How did you make out with the AVG Antispyware scan?
icex _:
Sorry I didn't get to post the log last night. I left the scanner on and went to bed.
Here is the log, and I'll repost the combofix after this:
--------------------------------------------------------- AVG Anti-Spyware - Scan Report ---------------------------------------------------------
+ Created at: 15:49 2007-07-02
+ Scan result:
HKU\S-1-5-21-1482476501-1326574676-1801674531-1004\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Ignored.
C:\SDFix\backups\backups.zip/backups/nso12k.sys -> Downloader.Agent.bnz : Ignored.
C:\Program Files\Common Files\qwkr\qwkrd\vocabulary -> Downloader.TSUpdate.j : Ignored.
C:\Documents and Settings\Beth\setup1.exe -> Downloader.VB.axs : Ignored.
C:\SDFix\backups\backups.zip/backups/xpdx.sys -> Hijacker.Costrat.e : Ignored.
C:\SDFix\backups\backups.zip/backups/cssrss.exe -> Proxy.Agent.mv : Ignored.
C:\WINDOWS\system32\qvcvafpf.exe -> Trojan.Agent.ny : Ignored.
C:\WINDOWS\system32\msorcl32.exe -> Trojan.Renos.nbf : Ignored.
C:\WINDOWS\system32\wnscpsv32.exe -> Trojan.Small : Ignored.
C:\SDFix\backups\backups.zip/backups/windev-6401-3e37.sys -> Trojan.Tibs.ab : Ignored.
C:\WINDOWS\system32\alt.exe -> Trojan.Tibs.y : Ignored.
::Report end
icex _:
I'm not sure why the log says Ignored, because I selected Delete on all of them. I'm rerunning the scanner to make sure it's gone...
icex _, reply to CalamityJane:
Well, CalamityJane, it just blue screened again.
The windows logon process system process terminated unexpectedly with a status of 0x0000000000
The system has been shut down.
I was running ComboFix... but TeaTimer kept popping up saying iexplore was changing the search page from Microsoft to Google, then back to Microsoft from Google. :S
CalamityJane, reply to icex _:
said by icex _: "I'm not sure why the log says Ignored, because I selected Delete on all of them. I'm rerunning the scanner to make sure it's gone..."
That's OK. It does that when you generate the log before you have finished; we see that a lot.
Please turn OFF the Spybot TeaTimer while we are running fixes and diagnostics. That could interfere with the things we are trying to fix. You can turn it back on for protection AFTER we get the system cleaned up.
Re: Winlogon error. I need to see a fresh HijackThis log and a fresh scan with the new ComboFix tool (new version).