Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HELP - Log attached

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby dshakes » July 23rd, 2007, 4:30 pm

"dns" - 2007-07-23 16:16:22 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\DNS~1.CSD\APPLIC~1.\macromedia\Flash Player\#SharedObjects\96LZLSMR\www.broadcaster.com
C:\DOCUME~1\DNS~1.CSD\APPLIC~1.\macromedia\Flash Player\#SharedObjects\96LZLSMR\www.broadcaster.com\played_list.sol
C:\DOCUME~1\DNS~1.CSD\APPLIC~1.\macromedia\Flash Player\#SharedObjects\96LZLSMR\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\DNS~1.CSD\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\DNS~1.CSD\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z3\w0716.exe
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\Z9
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-23 16:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 11:57 3,260 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-23 11:44 14,566,808 --a------ C:\Program Files\jre-6u2-windows-i586-p.exe
2007-07-23 09:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-23 09:05 <DIR> d-------- C:\Program Files\AVG Anti-Spyware
2007-07-23 08:57 <DIR> d-------- C:\Program Files\ATF Cleaner
2007-07-23 08:41 <DIR> d-------- C:\Program Files\Hijack This
2007-07-20 16:50 <DIR> d-------- C:\VundoFix Backups
2007-07-20 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 10:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-20 10:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-20 10:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-20 09:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 07:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-19 07:28 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-19 07:28 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-18 12:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-18 12:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-18 12:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-18 12:22 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-07-18 12:17 <DIR> d-------- C:\WINDOWS\system32\Z11
2007-07-18 12:17 <DIR> d-------- C:\Temp\brr
2007-07-18 12:17 <DIR> d-------- C:\Temp\0c2
2007-07-18 12:17 <DIR> d-------- C:\Temp
2007-07-16 16:55 <DIR> d-------- C:\Program Files\RP2007
2007-07-16 15:30 <DIR> d-------- C:\DOCUME~1\DNS~1.CSD\APPLIC~1\Profis


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 17:32:16 -------- d-----w C:\Program Files\BSTAurora
2007-07-17 20:57:37 -------- d-----w C:\DOCUME~1\DNS~1.CSD\APPLIC~1\AdobeUM
2007-07-16 19:32:24 -------- d-----w C:\Program Files\Common Files\TJ Shared
2007-06-19 16:08:45 -------- d-----w C:\DOCUME~1\DNS~1.CSD\APPLIC~1\CyberLink
2007-06-06 17:51:52 73 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-06-06 17:51:52 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 00:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-21 15:09]
"FLMOFFICE4DMOUSE"="C:\Program Files\Labtec\Desktop\V5.1\moffice.exe" [2006-07-26 11:14]
"OFFICEKB"="C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe" [2006-07-26 11:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-28 00:39:18]
Microsoft Office Outlook 2003 (2).lnk - C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-09-11 14:34:27]
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe [2006-07-17 15:01:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 INO_FLPY;INO_FLPY;C:\WINDOWS\system32\Drivers\ino_flpy.sys
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 NetworkX;NetworkX;C:\WINDOWS\system32\ckldrv.sys
R2 INO_FLTR;INO_FLTR;\??\C:\WINDOWS\system32\Drivers\ino_fltr.sys
R2 InoRPC;eTrust Antivirus RPC Server;"C:\Program Files\CA\eTrust Antivirus\InoRpc.exe"
R2 InoRT;eTrust Antivirus Realtime Server;"C:\Program Files\CA\eTrust Antivirus\InoRT.exe"
R2 InoTask;eTrust Antivirus Job Server;"C:\Program Files\CA\eTrust Antivirus\InoTask.exe"
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
R3 HSXHWAZL;HSXHWAZL;C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94372f70-41c3-11db-a5ae-0015c51d7c44}]
AutoRun\command- E:\setupSNK.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 16:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-23 16:28:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 16:27

--- E O F ---
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm
Advertisement
Register to Remove

Unread postby dshakes » July 23rd, 2007, 4:32 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31, on 2007-07-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8675 bytes
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 4:33 pm

and about the firewall, we have one running from cisco, thats what i have been told by the it department. i did this fix myself since i didnt want to wait a week for it to come around...thats baout all i know about the firewall.
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 4:35 pm

and finally, the combofix.exe changed my clock to military time, how do I fix it back???
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 5:13 pm

about the firewall, we have one running from cisco, thats what i have been told by the it department.

I take that to mean that you're behind a company firewall. That's fine.

and finally, the combofix.exe changed my clock to military time, how do I fix it back???

Open your Control Panel and then Regional and Language Options. Select the Regional Options tab and click the Customize button. Click the Time tab and then select the time format you wish to use. You previously used the format h:mm:ss tt. Type this in if it is not in the drop-down list.Click on Apply. You will then see an example of the time in the new format. If you are happy with this, click OK then OK again, otherwise change it and try again.

------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

--------------------------------------

ComboFix found some more 'nasties' and there's some more to get rid of.

Open Notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\WINDOWS\system32\Z11
C:\Temp


Save this on your Desktop as CFScript.txt

Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log for you: C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

-------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby dshakes » July 23rd, 2007, 5:32 pm

"dns" - 2007-07-23 17:28:12 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\dns.CSDAVIDSONMS\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\Temp\0c2\tmpFF.log
C:\Temp\brr\tmpZTF.log


((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-23 16:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 11:57 3,260 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-23 11:44 14,566,808 --a------ C:\Program Files\jre-6u2-windows-i586-p.exe
2007-07-23 09:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-23 09:05 <DIR> d-------- C:\Program Files\AVG Anti-Spyware
2007-07-23 08:57 <DIR> d-------- C:\Program Files\ATF Cleaner
2007-07-23 08:41 <DIR> d-------- C:\Program Files\Hijack This
2007-07-20 16:50 <DIR> d-------- C:\VundoFix Backups
2007-07-20 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 10:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-20 10:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-20 10:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-20 09:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 07:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-19 07:28 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-19 07:28 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-18 12:22 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-18 12:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-18 12:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-18 12:22 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-07-18 12:17 <DIR> d-------- C:\WINDOWS\system32\Z11
2007-07-16 16:55 <DIR> d-------- C:\Program Files\RP2007
2007-07-16 15:30 <DIR> d-------- C:\DOCUME~1\DNS~1.CSD\APPLIC~1\Profis


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 17:32:16 -------- d-----w C:\Program Files\BSTAurora
2007-07-17 20:57:37 -------- d-----w C:\DOCUME~1\DNS~1.CSD\APPLIC~1\AdobeUM
2007-07-16 19:32:24 -------- d-----w C:\Program Files\Common Files\TJ Shared
2007-06-19 16:08:45 -------- d-----w C:\DOCUME~1\DNS~1.CSD\APPLIC~1\CyberLink
2007-06-06 17:51:52 73 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-06-06 17:51:52 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 00:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"@"="" []
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-21 15:09]
"FLMOFFICE4DMOUSE"="C:\Program Files\Labtec\Desktop\V5.1\moffice.exe" [2006-07-26 11:14]
"OFFICEKB"="C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe" [2006-07-26 11:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 08:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-28 00:39:18]
Microsoft Office Outlook 2003 (2).lnk - C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-09-11 14:34:27]
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe [2006-07-17 15:01:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 INO_FLPY;INO_FLPY;C:\WINDOWS\system32\Drivers\ino_flpy.sys
R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 NetworkX;NetworkX;C:\WINDOWS\system32\ckldrv.sys
R2 INO_FLTR;INO_FLTR;\??\C:\WINDOWS\system32\Drivers\ino_fltr.sys
R2 InoRPC;eTrust Antivirus RPC Server;"C:\Program Files\CA\eTrust Antivirus\InoRpc.exe"
R2 InoRT;eTrust Antivirus Realtime Server;"C:\Program Files\CA\eTrust Antivirus\InoRT.exe"
R2 InoTask;eTrust Antivirus Job Server;"C:\Program Files\CA\eTrust Antivirus\InoTask.exe"
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
R3 HSXHWAZL;HSXHWAZL;C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94372f70-41c3-11db-a5ae-0015c51d7c44}]
AutoRun\command- E:\setupSNK.exe

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 17:30:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 17:31:15
C:\ComboFix-quarantined-files.txt ... 2007-07-23 17:31
C:\ComboFix2.txt ... 2007-07-23 16:28

--- E O F ---
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 5:33 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33, on 2007-07-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8642 bytes
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 5:54 pm

Hi.

There's still one folder that's being stubborn and the HijackThis fix didn't work. Let's try something else to get rid of the folder and redo the fix.

----------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

---------------------------------------

Download OTMoveIt by OldTimer to your Desktop.
  • Double-click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\system32\Z11


  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log - C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
------------------------------------

Please post the OTMoveIt log.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby dshakes » July 23rd, 2007, 6:29 pm

C:\WINDOWS\system32\Z11 moved successfully.

Created on 07/23/2007 18:26:38


And here is the follow up hijack this.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:36 PM, on 7/23/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office Outlook 2003 (2).lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://csd_sql2000/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {460324E8-CFB4-4357-85EF-CE3EBFE23A62} (BST Enterprise Reports 8.2) - http://csdbst1/auroraweb/BSTeReportsCE11.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://csd_sql2000/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://csd_sql2000/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\Software\..\Telephony: DomainName = csdavidsonms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csdavidsonms.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3370A3-E4AB-4A00-93BE-CD74AD2783CB}: NameServer = 10.20.4.5,4.2.2.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8566 bytes
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby dshakes » July 23rd, 2007, 6:55 pm

beynac,

I am leaving work now, it is 7:00PM on the East Coast here, I will return tomorrow morning around 7:30 local time. Hopefully we can get this cleared up tomorrow. Thanks for all your help...it is greatly appreciated.
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 23rd, 2007, 7:08 pm

It looks as if we've done it. :D

I note that you have successfully changed your date format. We've just got a bit of tidying up to do now.

You can delete the following:
  • VundoFix and its report
  • ComboFix and its log
  • SmitFraudFix and its report
  • OTMoveIt and the folder C:\_OTMoveIt\
---------------------------------------------

Flush System Restore

We need to 'flush' your System Restore points and create a new clean one.

Turn OFF System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK
Restart your computer

Turn ON System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK
---------------------------------------------

I would normally make some recommendations now that the computer is clean, but we've covered most of that during this thread. Please let me know whether you have any questions.

It's just after midnight here in the UK - I'm going to bed now! :sleepy2:
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby dshakes » July 24th, 2007, 8:03 am

Well the system has been flushed. Thank you very much for all your help!!

Does streaming music on Windows Media Player open up the computer to these viruses?? I used to do that and it would be accompanied by many pop ups, I havent done it since my mini melt down and I am kind of leary of it...what's your take?
dshakes
Regular Member
 
Posts: 18
Joined: July 20th, 2007, 4:36 pm

Unread postby beynac » July 24th, 2007, 10:48 am

Good afternoon.

This is outside my experience, as I don't listen to music online, so I asked my colleagues for advice. One person has pointed out that you can get popups due to licensing issues (see WMP FAQs here):
There have been reports that when you try to play some protected Windows Media Audio (WMA) and Windows Media Video (WMV) files, one or more Web pages might appear as if they are trying to install spyware, viruses, or other malicious software onto your computer. When you try to play a protected file, the Player checks that media usage rights (also called licenses) that are needed to play the file are on your computer. If no rights exist, the Player tries to download the rights from a Web site that is specified by the company that issued the rights. In rare instances, instead of sending rights to your computer, the Web site could attempt to install spyware, viruses, or other malicious software onto your computer. Typically, this occurs when you use peer-to-peer file sharing programs, such as Morpheus, iMesh, and LimeWire, to download certain protected audio or video files. This issue does not occur when you obtain protected files from legitimate online stores, such as Napster. There are several steps you can take to reduce the chance that you will encounter this issue:

• Use Windows Update to download and install the latest security updates for your version of Windows. In addition, if you are not running Windows XP Service Pack 2 (SP2), we strongly recommend that you consider doing so.

• Visit Microsoft Security At Home to learn about using an Internet firewall, using up-to-date antivirus software, and other general steps you can take to protect your computer.

• Download and install either the latest update to Windows Media Player 10 (version 10.00.00.3802 or later) or Windows Media Player 11 from Windows Media Player Download. Note that both versions of the Player are only available for Windows XP.

• If you obtain protected files from people or companies that you do not know or trust, consider changing the setting in the Player that controls whether the Player should try to acquire rights automatically. When you change this setting and you attempt to play, burn, or sync a protected file for which you don't have a valid rights, a dialog box will appear that will let you choose whether you want to allow your browser to open the indicated Web page. If you doubt the legitimacy of the rights issuer, you can choose not to open the indicated Web page. Note that you will not be able to play, burn, or sync the protected file if you choose not to open the Web page. To change this setting, do the following:

1.
On the Tools menu, click Options, and then click the Privacy tab.

2.
Do one of the following:

• For Windows Media Player 11, clear the Download usage rights automatically when I play a file check box.

• For Windows Media Player 10, clear the Acquire licenses automatically for protected content check box.

Note

If you installed the latest update to Windows Media Player 10 (version 10.00.00.3802 or later) or Windows Media Player 11, clearing this setting will potentially affect all protected files that you try to play, burn, or sync. If you have not installed either version of the Player, this setting will only affect certain types of protected files.

Another person recommends that you avoid Chinese sites and Real Media Player files (if you use Real Alternative, which integrates into WMP) as these two are the common causes of popups.

I hope that this helps. If I get any further advice, I will post again.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » July 24th, 2007, 12:31 pm

Something I should have mentioned: Be careful which sites you download anything from. You are obviously much safer if you only use reputable music websites.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby Elrond » July 27th, 2007, 9:45 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 501 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware