Help! Spyware Keeps Returning (hijackthis Log)


42 replies to this topic

#16 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 15 July 2007 - 03:05 PM

You're one step ahead of me with uninstalling Kaspersky, which was coming up next anyway. Let's check things running and things unseen then.


Run and post back HijackThis scans done in both Safe Mode and normal mode. Try not to do any other activities before running these scans (do each right after the reboot).


Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). It will apply a slightly different scan protocol than the installed version you had.

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.


To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


#17 Kevin G (Authentic Member, 21 posts)

Posted 15 July 2007 - 08:04 PM

Well, I tried a few other things before I saw your most recent post, basically just uninstalled a bunch of stuff. Still cannot access the internet though. I tried to go to Google, by URL and by IP, and both times it tried to transfer to the following IPs: 82.98.86.169, 218.219.70.221, 64.86.32.99. I have done a search and the reverse DNS does not come up with anything as far as spyware/malware blocking or redirecting it. The strange thing is nothing will connect to the internet, not Google Earth, Firefox, IE. But I can still ping just fine. Are there any good tools out there to clean up your registry of OLD firewall stuff? Specifically I am still thinking CA, or Zone Alarm.


OK so here is the HJT log from normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 9:53:15 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



And the HJT log from Safe mode.



Logfile of HijackThis v1.99.1
Scan saved at 9:59:33 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

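Reading two HijackThis logs side by side by hand, which is what the normal-mode and Safe Mode scans requested above are for, is slow and error-prone. The block below is an added example, not code from the thread, from HijackThis or from any tool mentioned in it: a Python parser for the v1.99 log layout that separates the "Running processes" block from the R/O entries, diffs the entries of two logs (processes are ignored because they differ between modes by design), and flags the entry shapes a reviewer looks at first: `(no file)` / `(file missing)` leftovers, O4 startup commands given as a bare file name with no path, O16 ActiveX packages served over plain http, O20 Winlogon Notify DLLs, and an R1 ProxyServer value. The sample logs are constructed for the example (the O16 URL is a reserved example name, not a real download), the flags are the example's own heuristics, and a flagged line is a prompt to verify, not a verdict.

```python
"""Added example: parse, diff and triage HijackThis v1.99 logs (not code from the thread)."""
import re
from typing import List, Tuple

Entry = Tuple[str, str]          # (section such as "O4", rest of the line)
Finding = Tuple[str, str, str]   # (section, reason, original entry body)

# Constructed sample log in HijackThis 1.99 layout; paths and CLSIDs are illustrative.
NORMAL_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:53:15 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.invalid/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed Safe Mode counterpart: same registry entries, fewer processes.
SAFE_LOG = NORMAL_LOG.replace("C:\\WINDOWS\\Explorer.EXE\n", "")

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_CMD_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")      # text after the [name] bracket
O16_URL_RE = re.compile(r" - (\S+)\s*$")           # last " - " field is the CAB URL


def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a log into its running-process list and its R/O entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def diff_logs(a: str, b: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present in only one of two logs, as (only_in_a, only_in_b)."""
    ea, eb = set(parse_hjt(a)[1]), set(parse_hjt(b)[1])
    return sorted(ea - eb), sorted(eb - ea)


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the example's review heuristics; every hit is something to verify by hand."""
    findings: List[Finding] = []
    for section, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry: target file absent", body))
        if section == "O4":
            m = O4_CMD_RE.search(body)
            cmd = m.group(1).strip().lstrip('"') if m else ""
            # A bare file name is resolved through the search path at logon, so which
            # binary actually runs depends on directory order; pin it down before trusting it.
            if cmd and "\\" not in cmd.split()[0]:
                findings.append((section, "startup command has no path", body))
        elif section == "O16":
            m = O16_URL_RE.search(body)
            if m and m.group(1).lower().startswith("http://"):
                findings.append((section, "ActiveX package fetched over plain http", body))
        elif section == "O20":
            findings.append((section, "DLL loaded into winlogon: verify file and publisher", body))
        elif section == "R1" and "ProxyServer" in body:
            findings.append((section, "browser proxy configured", body))
    return findings


if __name__ == "__main__":
    only_normal, only_safe = diff_logs(NORMAL_LOG, SAFE_LOG)
    print("entries only in normal mode:", only_normal)
    print("entries only in Safe Mode:", only_safe)
    for section, reason, body in triage(parse_hjt(NORMAL_LOG)[1]):
        print(f"{section:4} {reason:48} {body}")
```

Feed it the two saved log files instead of the constructed strings and the diff shows whether anything was present only while the full system was running; an empty diff, as with the two logs posted above, tells you the persistence entries are stable and the problem has to be found somewhere HijackThis does not look.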
#18 Kevin G (Authentic Member, 21 posts)

Posted 15 July 2007 - 09:15 PM

And here is the Kaspersky log.

-------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 15, 2007 11:13:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/07/2007
Kaspersky Anti-Virus database records: 362610
-------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 78779
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:52:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\William Bosch\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\William Bosch\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\William Bosch\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\William Bosch\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\William Bosch\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\William Bosch\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\William Bosch\ntuser.dat.LOG    Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM    Object is locked    skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA    Object is locked    skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP    Object is locked    skipped

Scan process completed.

#19 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 16 July 2007 - 07:54 AM

Part of why we checked with SmitFraudFix was assessing the DNS settings - let's take a specific look with a tool designed for infections that alter those.


Please download FixWareout from here.

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Make sure you are online when running this fix.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

Then post back the FixWareout log please.

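The reason a tool like FixWareout is aimed at "infections that alter those" settings is that a hosts-file entry is the cheapest way to send a browser somewhere else or to keep it away from a vendor's update server, and its own log later in this thread shows it flushing the resolver cache and resetting the hosts file. As an added example, not part of the thread and not FixWareout's code, here is a Python audit of a hosts file (on Windows XP it lives at %SystemRoot%\System32\drivers\etc\hosts) that reports every name pinned to loopback other than the localhost-type names, every name mapped to an RFC 1918 LAN address (usually legitimate, but worth confirming), every name mapped to an external address, and any line it cannot parse. The sample file is constructed; its external addresses are RFC 5737 documentation addresses, not real hosts.

```python
"""Added example: audit a hosts file for blocking and redirect entries (not FixWareout's code)."""
import ipaddress
from typing import List, Tuple

Finding = Tuple[int, str, str, str]   # (line number, hostname, address, reason)

# Constructed sample; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
192.168.1.1     router.lan
127.0.0.1       www.kaspersky.com      # vendor site pinned to loopback
192.0.2.10      www.google.com google.com
198.51.100.7    windowsupdate.microsoft.com
this-is-not-an-address   example.com
"""

# Names that legitimately live on loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# RFC 1918 only. ipaddress.is_private also covers the documentation ranges,
# which would hide exactly the kind of redirect this audit exists to find.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_hosts(text: str) -> List[Finding]:
    """Classify every name in a hosts file by where it has been pointed."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, " ".join(fields[1:]), fields[0], "unparseable address"))
            continue
        for name in fields[1:]:                   # one address may carry several names
            name = name.lower()
            if ip.is_loopback:
                if name not in LOCAL_NAMES:
                    findings.append((lineno, name, str(ip), "blocked: name pinned to loopback"))
            elif ip.version == 4 and any(ip in net for net in LAN_NETS):
                findings.append((lineno, name, str(ip), "LAN mapping: confirm it is yours"))
            else:
                findings.append((lineno, name, str(ip), "redirected: name pinned to an external address"))
    return findings


def redirected_names(text: str) -> List[str]:
    """Only the names something would have had to tamper with: blocked or redirected."""
    return sorted(name for _, name, _, reason in audit_hosts(text)
                  if reason.startswith(("blocked", "redirected")))


if __name__ == "__main__":
    for lineno, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno:3}: {name:30} -> {ip:22} {reason}")
```

Run it on a copy of the file before any cleanup tool resets it: the list of redirected names is evidence of what the infection wanted to control, and it is lost once the file is replaced with a stock one.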
#20 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 16 July 2007 - 07:57 AM

The Kaspersky log reflected no infection by the way. What steps did you do that created it with the spacing like it is (spread out, unlike the other logs). I would like to know so I can caution to correct that in advance in the future and never have asked before.

#21 Kevin G (Authentic Member, 21 posts)

Posted 16 July 2007 - 08:59 PM

For the Kaspersky log, I just used their Save As option, then copied and pasted. Yeah, I didn't like how it looked either. Here is the log from FixWareout:

Username "William Bosch" - 2007-07-16 22:33:24 [Fixwareout edited 2007/07/05]

Prerun check
Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
Misc files.
....
Checking for older varients.
....
Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"BCMSMMSG"="BCMSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Windows ControlAd"="C:\\Program Files\\Windows ControlAd\\WinCtlAd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SQInstaller"="C:\\Program Files\\STC\\SQ_3394_3222.exeSQInstaller.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
C:\WINDOWS\System32\AUTOEXEC.NT missing
End report

I would like to note that I was able to set up my e-mail and it worked, both through IMAP and POP as well as sending e-mail, so I know ports 110, 25, and 143 work. So I would assume if I were to try newsgroups 110 would be working and the only issue I would have would be port 80 for web pages. Although it is not just IE, it is also Firefox, so it is not an IE setting, and I did check proxy settings anyway, as well as reset all web settings. (I would note this is why I switched to Linux 3 years ago, and no longer know anything about Windows. :) Any other thoughts?

#22 Kevin G (Authentic Member, 21 posts)

Posted 16 July 2007 - 09:34 PM

Did a couple of other tests too. I am not able to access anything through either web browser. Tried accessing my other PC running Apache and GNUMP3d (mp3 server on port 8888), all through the local network, as well as my router's firmware page, and none of them will come up in normal mode, although I was able to connect to my other PC using SSH and PuTTY. Not sure what kind of browser hijacker or registry setting could affect things this way. Hope I am not giving you too much info, or going in the wrong direction; just trying to let you know what I have tried and see if you have any other ideas.

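What the two posts above describe is a layered test: ICMP works, TCP to 22 (SSH), 25, 110 and 143 works, and TCP to 80 and 8888 fails everywhere, including another PC on the same LAN and the router's own page. The block below writes that test down as an added example (not code from the thread): a Python probe that attempts a TCP connect to every host/port pair in a matrix and then classifies the pattern. A port that fails to every destination while other ports succeed cannot be explained by DNS, a proxy setting or one remote host; the filter is on the machine itself, so the next place to look is the local filtering stack (a leftover firewall driver, a Winsock LSP) rather than browser settings. The classification strings are this example's heuristics, the sample results are constructed, and no address in the block is a real host.

```python
"""Added example: TCP reachability matrix plus a classifier for the failure pattern."""
import socket
from typing import Dict, Iterable, List, Tuple

Probe = Tuple[str, int]             # (host, port)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    Name resolution happens inside create_connection, so pass literal addresses
    when the question is "is the port filtered" rather than "does DNS work"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                  # refused, timed out, unreachable, resolution failed
        return False


def probe_matrix(hosts: Iterable[str], ports: Iterable[int], timeout: float = 2.0) -> Dict[Probe, bool]:
    ports = list(ports)
    return {(h, p): tcp_connect(h, p, timeout) for h in hosts for p in ports}


def classify(results: Dict[Probe, bool]) -> str:
    """Name the layer that explains the failures, from the pattern alone."""
    if not results:
        return "no probes"
    hosts = sorted({h for h, _ in results})
    ports = sorted({p for _, p in results})
    if all(results.values()):
        return "every probe succeeded: TCP is fine, look at name resolution and browser settings"
    if not any(results.values()):
        return "every probe failed: interface, routing or a filter on everything; not a browser problem"
    # Ports that fail to every host while other ports succeed are being dropped
    # before the packets leave this machine (no remote side is common to all targets).
    dead_ports = [p for p in ports if not any(results.get((h, p), False) for h in hosts)]
    if dead_ports and len(dead_ports) < len(ports):
        return (f"port-specific block on {dead_ports} to every host: check the local filtering "
                f"stack (leftover firewall driver, Winsock LSP) before DNS or browser settings")
    dead_hosts = [h for h in hosts if not any(results.get((h, p), False) for p in ports)]
    if dead_hosts:
        return f"host-specific failure for {dead_hosts}: routing or the remote side, not a local port filter"
    return "mixed pattern: no single layer explains it; list the failing pairs and check each"


def failing_pairs(results: Dict[Probe, bool]) -> List[Probe]:
    return sorted(pair for pair, ok in results.items() if not ok)


# Constructed results in the shape the thread reports: SSH and mail ports fine,
# 80 and 8888 dead to the router and to another LAN host alike.
SAMPLE_RESULTS: Dict[Probe, bool] = {
    ("192.168.1.1", 22): True,  ("192.168.1.1", 80): False,  ("192.168.1.1", 8888): False,
    ("192.168.1.20", 22): True, ("192.168.1.20", 80): False, ("192.168.1.20", 8888): False,
    ("192.168.1.20", 25): True, ("192.168.1.20", 110): True,
}

if __name__ == "__main__":
    print(classify(SAMPLE_RESULTS))
    print("failing:", failing_pairs(SAMPLE_RESULTS))
    # Live run against your own addresses, for example:
    # print(classify(probe_matrix(["192.168.1.1", "192.168.1.20"], [22, 80, 443, 8888])))
```

Use literal IP addresses for the live run so that a hosts-file or resolver problem cannot masquerade as a port filter, and include at least one port you expect to work on each host; without a working control port the classifier cannot tell a dead port from a dead host.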
#23 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 17 July 2007 - 01:02 PM

You seem to know a good bit about networking and access. I didn't respond to an earlier question - no, there are not specific tools I might recommend for cleanup of Zone Alarm remnants. In a manner we have been doing that through the diagnostic reviews here. The last log shows the autoexec.nt file as missing - this is used to run 16-bit apps, so not as essential as some, and removal of it is a technique used by older infection processes. Best to repair that and other similar changes known with that - Click Here and download xp_fix.exe to your desktop, and click the downloaded file to run the repair.


Also, did you check your TCP/IP settings specifically? Go to Start -> Control Panel, and choose Network Connections. Right-click on your default connection (usually Local Area Connection, or Dial-up Connection if you are using dial-up) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Edited by Jintan, 17 July 2007 - 01:03 PM.


#24 Kevin G (Authentic Member, 21 posts)

Posted 17 July 2007 - 08:03 PM

Yeah, I know a lot about networking. I used to work for an Internet helpdesk, and about 1 year ago switched to a new job at Time Warner where I support digital phone and 3rd-level Internet support issues. I just typically work more on the server end of things at this point and have forgotten a lot of the Windows side. Also, that is why this bugs me so much: I should know what is going on, I just cannot find it. I ran that other fix you just gave me; it didn't seem to work. Also all the IP settings and DNS settings are set to obtain automatically, and are correct for my router and ISP. Still no go. What exactly is xp_fix.exe supposed to change?

#25 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 17 July 2007 - 08:55 PM

That fix actually returns some needed files like autoexec.nt. I see now some startups disabled in the last log:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Windows ControlAd"="C:\\Program Files\\Windows ControlAd\\WinCtlAd.exe"
"SQInstaller"="C:\\Program Files\\STC\\SQ_3394_3222.exeSQInstaller.exe"


Both are infections with the potential to interfere with access on systems; as they are disabled from startup, they and some of what they might do have not shown in the logs. You will need to locate the tool you used to do this disabling (do you have Autoruns there?) and allow them to complete their task so we can complete ours. Please locate that disabler and re-enable those startups.



Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Folders to delete:
C:\Program Files\STC
C:\Program Files\Windows ControlAd

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.


=================================================

Once your computer has rebooted, run and post back new HijackThis and Silent Runners logs, along with the avenger.txt log please.


#26 Kevin G (Authentic Member, 21 posts)

Posted 17 July 2007 - 09:44 PM

To my knowledge Autoruns was never run on this PC, although I could be wrong. I did go ahead and get it and did find those keys disabled, so I re-enabled them, and they said the file was not found.
Here are the logs.
(I apologize for the Avenger log the way it is; I think it is actually in the way that Kaspersky and Avenger save their logs: when I bring the txt file over to Linux it reads it as a binary file, and shows up this way.)


Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\ooqwmvwy



*******************



Script file located at: \??\C:\WINDOWS\system32\roweacdr.txt

Script file opened successfully.



Script file read successfully



Backups directory opened successfully at C:\Avenger



*******************



Beginning to process script file:



Folder c:\Program Files\STC not found!

Deletion of folder c:\Program Files\STC failed!



Could not process line:

c:\Program Files\STC

Status: 0xc0000034



Folder c:\Program FIles\Windows ControlAd not found!

Deletion of folder c:\Program FIles\Windows ControlAd failed!



Could not process line:

c:\Program FIles\Windows ControlAd

Status: 0xc0000034



Completed script processing.



*******************



Finished! Terminate.


================================================================================
=========================================

Logfile of HijackThis v1.99.1
Scan saved at 11:36:54 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SQInstaller] C:\Program Files\STC\SQ_3394_3222.exeSQInstaller.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.22/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

================================================================================
================================================

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"LXBRKsk" = "C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [" "]
"Lexmark 3100 Series" = ""C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"" ["Lexmark International, Inc."]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SQInstaller" = "C:\Program Files\STC\SQ_3394_3222.exeSQInstaller.exe" [file not found]
"Windows ControlAd" = "C:\Program Files\Windows ControlAd\WinCtlAd.exe" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\PhotoDeluxe HE 3.1\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{3c249f62-e26e-11d4-97f0-009027769c61}" = "Format Shell"
-> {HKLM...CLSID} = "Format Shell"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SMSHELL.DLL" ["OnSpec Electronic Inc.,"]
"{03FF3962-D823-11D4-97F0-009027769C61}" = "Data Caching Shell Extension"
-> {HKLM...CLSID} = "Data Caching Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\FlashShl.dll" [" "]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {HKLM...CLSID} = "QuickFinder Shell Extension"
\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "William Bosch" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -hx" [null data]


Enabled Scheduled Tasks:
------------------------

"Disk Cleanup" -> launches: "C:\WINDOWS\SYSTEM32\cleanmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 16 - 17


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 35 seconds, including 8 seconds for message boxes)
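
The spaced-out Avenger log above is what a UTF-16LE file looks like when it is opened as 8-bit text: every ASCII character is followed by a NUL high byte, which is displayed as a blank. The helper below is an added example, not part of Avenger, Kaspersky or any post in this thread. It decodes logs written by Windows tools by honouring a byte-order mark first and falling back to a NUL-position heuristic for BOM-less UTF-16, and it recognises text that has already been mangled in the "L o g f i l e" way. The sample bytes are constructed inline from the first lines of the log above so the code runs offline; the final fallback to cp1252 is an assumption for a US-English system.

```python
"""Decode logs written by Windows tools (UTF-16, UTF-8 with BOM, or ANSI)
into plain text so they can be read and grepped on Linux.

Added example for this thread; not part of Avenger, Kaspersky or HijackThis.
"""
import codecs


def _nul_ratio(b):
    """Fraction of NUL bytes in the first 512 bytes of b."""
    sample = b[:512]
    return sample.count(0) / len(sample) if sample else 0.0


def decode_windows_log(raw):
    """Return the text of a Windows log file given its raw bytes.

    Order of checks:
      1. byte-order mark (UTF-8, or UTF-16 of either endianness)
      2. BOM-less UTF-16, detected from NUL bytes in every other position
      3. legacy ANSI text; cp1252 is assumed here (US-English code page)
    CRLF line endings are normalised to LF.
    """
    if not raw:
        return ""
    if raw.startswith(codecs.BOM_UTF8):
        text = raw.decode("utf-8-sig")
    elif raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")            # the BOM selects the endianness
    elif len(raw) % 2 == 0 and _nul_ratio(raw[1::2]) > 0.7:
        text = raw.decode("utf-16-le")         # high byte is NUL for ASCII text
    elif len(raw) % 2 == 0 and _nul_ratio(raw[0::2]) > 0.7:
        text = raw.decode("utf-16-be")
    else:
        text = raw.decode("cp1252", errors="replace")
    return text.replace("\r\n", "\n")


def looks_like_utf16_read_as_ansi(text):
    """True when text has the 'L o g f i l e' pattern: a blank after every
    character, i.e. a UTF-16LE file that was displayed as 8-bit text."""
    body = text.replace("\r", "").replace("\n", "")
    return len(body) >= 8 and all(c in " \x00" for c in body[1::2])


# Constructed sample: the first lines of the Avenger log from this thread,
# written the way Windows tools typically write them (UTF-16 with BOM, CRLF).
AVENGER_SAMPLE = (
    "Logfile of The Avenger version 1, by Swandog46\r\n"
    "Status: 0xc0000034\r\n"
).encode("utf-16")


if __name__ == "__main__":
    # On a real system: raw = open("/mnt/win/avenger.txt", "rb").read()
    print(decode_windows_log(AVENGER_SAMPLE), end="")
    print(looks_like_utf16_read_as_ansi("L o g f i l e o f T h e A v e n g e r"))
```

Reading the file in binary mode and decoding it explicitly is the point: opening it as text with the platform default encoding is what produced the garbled paste, and the same applies to any other Windows tool log copied to a Linux box for analysis.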

#27 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 18 July 2007 - 05:06 PM

No, just past remnants, but needed to be sure. I will need to review a bit on changes WinAd makes for now, as it was one that brought access-altering changes.


Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKLM\..\Run: [SQInstaller] C:\Program Files\STC\SQ_3394_3222.exeSQInstaller.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe




And as it needs to be done, and including the slim (slim) possibility it is involved here in some way, go to Add/Remove Programs in Control Panel and uninstall all versions of Java/JRE (Sun Java Runtime Environment/J2SE Runtime Environment) and reboot. When you have done that, go here and download and install the latest version of Sun Java (Java Runtime Environment (JRE) 6u1). The current file name for that is jre-6u1-windows-i586-p.exe.
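
The two O4 entries above point at files that no longer exist (Silent Runners marks them "[file not found]"), which is why the Avenger script could not delete the folders and why removing the leftover registry values with HijackThis is the right step. The following is an added example, not part of HijackThis, Silent Runners or any post in this thread: a small audit that classifies the O4 Run entries of a HijackThis-style log. It resolves the target of each entry the way CreateProcess parses an unquoted command line (splitting at every space, which is the same ambiguity behind unquoted service paths) and reports entries whose file is missing, entries that are bare filenames found only by PATH search, and unquoted paths containing spaces, where a planted C:\Program.exe would be tried before the real program. The sample log lines are copied from the log above; the set of "present" files is constructed to stand in for the disk so the check runs offline.

```python
"""Audit HKLM/HKCU ...\\Run entries from a HijackThis-style log for targets
that are missing, resolved by PATH search, or unquoted paths with spaces.

Added example for this thread; not part of HijackThis or Silent Runners.
"""
import re
from dataclasses import dataclass, field

# Matches "O4 - HKLM\..\Run: [Name] command line" (and HKCU).
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    name: str        # value name in the Run key
    target: str      # executable the entry resolves to (or the best guess)
    verdict: str     # 'ok' | 'missing' | 'path-search' | 'unquoted-space'
    shadow: list = field(default_factory=list)  # paths Windows would try first


def _split_candidates(cmd):
    """Prefixes an unquoted command line is tried at, following the
    CreateProcess rule: split at every space and append .exe when the prefix
    has no .exe extension, so 'C:\\Program Files\\X\\y.exe' first tries
    'C:\\Program.exe'."""
    tokens = cmd.split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        out.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return out


def check_run_entry(name, cmd, exists):
    """Classify one Run entry; exists(path) answers whether a file is on disk."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted: no ambiguity
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
        return Finding(name, target, "ok" if exists(target) else "missing")
    candidates = _split_candidates(cmd)
    if "\\" not in candidates[0]:                 # bare name: found via PATH order
        return Finding(name, candidates[0], "path-search")
    hits = [c for c in candidates if exists(c)]
    if not hits:
        return Finding(name, candidates[-1], "missing")
    target = hits[0]
    shadow = candidates[: candidates.index(target)]
    return Finding(name, target, "unquoted-space" if shadow else "ok", shadow)


def audit_hijackthis_log(text, exists):
    """Return a Finding for every O4 Run entry in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            findings.append(check_run_entry(m["name"], m["cmd"], exists))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SQInstaller] C:\Program Files\STC\SQ_3394_3222.exeSQInstaller.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
"""

# Constructed stand-in for the disk (case-insensitive, like NTFS). On a real
# system pass os.path.isfile as the exists() callback instead.
PRESENT_FILES = {p.lower() for p in (
    r"C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe",
    r"C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe",
    r"C:\Program Files\Common Files\Dell\EUSW\Support.exe",
)}


def on_disk(path):
    return path.lower() in PRESENT_FILES


if __name__ == "__main__":
    for f in audit_hijackthis_log(SAMPLE_LOG, on_disk):
        extra = f"  (tried first: {', '.join(f.shadow)})" if f.shadow else ""
        print(f"{f.verdict:15} [{f.name}] -> {f.target}{extra}")
```

A "missing" verdict is the leftover-persistence case seen here (nothing runs, but the value should still go); "path-search" and "unquoted-space" entries are not infections but are the places a later dropper could plant a binary that runs at every logon without touching the registry, so they are worth noting in a cleanup.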

#28 Kevin G

Kevin G

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 19 July 2007 - 04:22 PM

Well, I went ahead and deleted those Reg entries, and uninstalled and reinstalled Java; still no browsing. Hope something comes up with your search on WINCTLAD.

#29 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 19 July 2007 - 05:26 PM

They were such older infections that I can't help but wonder if all we saw of them has been remnants here. The modus operandi was ActiveX items, but these would have been picked up either by HijackThis or by those subsequent scans. As there have been some issues with it, IF the access issues occurred at any time when this newer Ad-Aware was either installed or updated, it is best to uninstall that for now. But only if you know of a time relationship here.



Go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.

Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.


===============================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


Open SUPERAntiSpyware and click the Scan your Computer button. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double-click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.



Also download gmer.zip from here. Once downloaded, double-click on gmer.zip and unzip the file to its own folder.

When you have done this, double-click on Gmer.exe to run it and click on Settings. Check the first five settings (see below):

System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log


You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab. Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive, and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes; also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please.

#30 Kevin G

Kevin G

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 20 July 2007 - 07:27 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2007 at 11:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:34:47

Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 4724
Registry threats detected : 0
File items scanned : 49186
File threats detected : 105

Adware.Tracking Cookie
C:\Documents and Settings\William Bosch\Cookies\william bosch@msnportal.112.2o7[1].txt

Adware.Zango Toolbar/Hb
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoOI\static
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoOI
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoOL\static
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoOL
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1000478.sdf
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\15907
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\17974
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\18019
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\18191
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\69781
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML\88609
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\TooltipXML
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\ustat
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\btntrans.idx
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\btntrans1.dat
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\buttondir.txt
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\components.cdf
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\default.cdf
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_511745-514279.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_categorize.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_comparison.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_explorer-Mails.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_explorer-people.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_favorites.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Games.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Hide.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_hotbarcom.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Hotmail.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_hsskin.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemster.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemsterie.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jemsteruk.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_jobsearch.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_Mails.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_MobileSidewalk.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_new.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_premium.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_reun.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_ringtones.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_searchfor.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_searchgo.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_weather.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Default_yellowpages.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_1000.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_2000.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_3000.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_bar.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_bbar1.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_logos.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\d_icons_buttons_other.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-def-511724-548964.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-def-511724-9595.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\email-t1-bg.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\icons2.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\keywords.idx
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\keywords1.dat
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\layout.cdf
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\linkpathlegal.txt
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\progress.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\sales_buttons.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\s_icons_buttons.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\t2_bg.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\theweb.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\top7.cdf
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\Top7_theweb.mnu
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\tsd_bg.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1\zango.res
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\1
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\buttondir.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\default.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\icons2.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\keywords.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\keywords1.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\layout.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\progress.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\samplegroups2reg.txt
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\samplegroups2reg.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\t2_bg.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\top7.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad\zango.xip
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static\DownLoad
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar\static
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0\ZangoToolbar
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\v3.0
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar\zbar.log
C:\Documents and Settings\William Bosch\Application Data\ZangoToolbar



==========================================================================================================
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-19 23:56:44
Windows 5.1.2600 Service Pack 2


AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7B80536] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F7B80536] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F7B80574] ATMhelpr.SYS

Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BA459B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [BA459B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [BA459B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [BA459510] vsdatant.sys

---- EOF - GMER 1.0.13 ----
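The GMER section above lists which drivers sit on the keyboard device stack (both KeyboardClass0 and KeyboardClass1, with a separate IRP_MJ_READ handler, i.e. the routine that actually sees keystroke data) and which hook the AFD socket device. Those are exactly the positions a keylogger or a network-sniffing rootkit would take, but they are also where legitimate keyboard-helper drivers and personal firewalls live, so the hook alone proves nothing; the file on disk (path, vendor, digital signature) is what decides it. As an added triage aid, not part of Kevin G's post nor of GMER itself, here is a small Python parser that groups the hook lines by module and emits the checks a reviewer would then do by hand. The input is a constructed subset of the lines posted above, and the triage rules are my own heuristics, not GMER verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the GMER lines posted above, copied as-is.
SAMPLE_LOG = r"""
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-19 23:56:44
Windows 5.1.2600 Service Pack 2

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F7B80536] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F7B80574] ATMhelpr.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F7B80536] ATMhelpr.SYS

Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BA459B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [BA459510] vsdatant.sys

---- EOF - GMER 1.0.13 ----
"""

# One GMER hook line:
#   <kind> <driver object> <device object> <dispatch entry> [<handler address>] <module>
HOOK_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<entry>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$"
)


@dataclass
class ModuleHooks:
    """Everything GMER attributed to one driver image (e.g. ATMhelpr.SYS)."""
    module: str
    kinds: set = field(default_factory=set)
    drivers: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    entries: dict = field(default_factory=dict)  # dispatch entry -> handler address


def parse_gmer(text: str) -> dict:
    """Group every hook line by the module GMER attributes it to; header/blank/EOF lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        mh = out.setdefault(m["module"], ModuleHooks(m["module"]))
        mh.kinds.add(m["kind"])
        mh.drivers.add(m["driver"])
        mh.devices.add(m["device"])
        mh.entries[m["entry"]] = m["addr"].upper()
    return out


def handlers(mh: ModuleHooks) -> set:
    """Distinct handler addresses; a shared address means one pass-through routine for several entries."""
    return set(mh.entries.values())


def read_handler(mh: ModuleHooks):
    """Address of the IRP_MJ_READ handler: the code that sees the data flowing through the stack."""
    return mh.entries.get("IRP_MJ_READ")


def triage(hooks: dict) -> list:
    """Heuristic review notes (my own, not GMER's). None of these proves malice; each names what to verify."""
    findings = []
    for name, mh in hooks.items():
        if any("KeyboardClass" in d for d in mh.devices):
            findings.append(
                f"{name}: filter on keyboard stack {sorted(mh.devices)}, READ handler at "
                f"{read_handler(mh)}; verify the file's path, vendor and signature on disk"
            )
        if any(d.lower().endswith(r"\afd") for d in mh.devices):
            findings.append(
                f"{name}: hooks the AFD socket device (sees all Winsock traffic, typical of a "
                f"personal firewall); verify the file's path, vendor and signature on disk"
            )
    return findings


if __name__ == "__main__":
    for note in triage(parse_gmer(SAMPLE_LOG)):
        print(note)
```

The point of grouping by module rather than reading line by line is that one image hooking six dispatch entries on two keyboard devices is a single fact to verify, not twelve. The same parser runs unchanged on the full GMER log above.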
