Missing tray Icons, Norton Disabled, can't get to Network


25 replies to this topic

#1 tcrumbly

    Member

  • Members
  • 17 posts

Posted 29 May 2007 - 07:25 AM

My son's desktop started missing some icons in the system tray, related to Norton and dial-up internet. Some software stopped working altogether. Now, when the ISP is dialed, we get a connection, but the homepage does not show up in the web browser.

Norton did report several viruses including Vundo, InfoStealer.....I'm on an uninfected machine and don't have the log here. I can post it later if I can get Norton to come up. It sometimes starts if we keep restarting the PC. Here is a HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 6:00:38 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ProgramFiles\Norton AntiVirus\navapsvc.exe
D:\ProgramFiles\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\ISP.COM High Speed\slipcore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
D:\ProgramFiles\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ISP.COM High Speed\slipgui.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\ProgramFiles\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll
O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll
O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\ProgramFiles\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/328
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: www.bonddesk.com
O15 - Trusted Zone: www.bullionvault.com
O15 - Trusted Zone: www.bulltrade.com
O15 - Trusted Zone: *.online.cardmemberservices.com
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: www.chaseonline.chase.com
O15 - Trusted Zone: *.chase.com
O15 - Trusted Zone: www.continental.com
O15 - Trusted Zone: *.continental.com
O15 - Trusted Zone: *.daysinnlebanon.com
O15 - Trusted Zone: *.dpsoft.com
O15 - Trusted Zone: *.ericsson.net
O15 - Trusted Zone: *.esquotes.com
O15 - Trusted Zone: www.etrade.com
O15 - Trusted Zone: www.everbank.com
O15 - Trusted Zone: *.faa.gov
O15 - Trusted Zone: *.fatwallet.com
O15 - Trusted Zone: www.goldmoney.com
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.https
O15 - Trusted Zone: *.investing-systems.com
O15 - Trusted Zone: *.irs.gov
O15 - Trusted Zone: http://www.isp.com
O15 - Trusted Zone: *.isp.com
O15 - Trusted Zone: virusscan.jotti.org
O15 - Trusted Zone: *.latindiscounters.com
O15 - Trusted Zone: *.lexmark.com
O15 - Trusted Zone: http://by122w.bay122.mail.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marvell.com
O15 - Trusted Zone: *.motorola.com
O15 - Trusted Zone: http://by109fd.bay109.hotmail.msn.com
O15 - Trusted Zone: http://by114fd.bay114.hotmail.msn.com
O15 - Trusted Zone: http://by135fd.bay135.hotmail.msn.com
O15 - Trusted Zone: http://by19fd.bay19.hotmail.msn.com
O15 - Trusted Zone: www.hotmail.msn.com
O15 - Trusted Zone: *.netfaqs.com
O15 - Trusted Zone: *.nhti.edu
O15 - Trusted Zone: *.nmfn.com
O15 - Trusted Zone: *.northwesternmutual.com
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: *.stocksignalpro.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: www.t-mobile.com
O15 - Trusted Zone: *.t-mobile.com
O15 - Trusted Zone: www.techguy.org
O15 - Trusted Zone: *.techguy.org
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.treasurydirect.gov
O15 - Trusted Zone: *.virustotal.com
O15 - Trusted Zone: www.etrade.wallst.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t....vex/hcImpl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.erics....erSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.9 209.210.176.8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\ProgramFiles\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any help would be appreciated.
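As an added example (not part of the thread or of HijackThis itself), a small Python triage helper that parses the R/O entry lines of a log like the one above and flags the entries a malware tech reads first: a proxy on a loopback port, registrations pointing at a missing file, a duplicated Winsock LSP entry, and a Trusted Zone value that is not a host name. The heuristics and the sample log subset are this example's own.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of the forum thread or of HijackThis itself: it parses
the R/O entry lines of an HJT log and flags the entry types a malware tech
reads first. The sample log is a constructed subset of the lines posted above;
the heuristics are this example's own, not HijackThis rules.
"""
import re
from dataclasses import dataclass
from typing import List

# HJT entry lines look like "R1 - <body>" or "O23 - <body>".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Proxy pointing at a loopback port, e.g. "ProxyServer = http=127.0.0.1:5400".
LOCAL_PROXY_RE = re.compile(r"ProxyServer = (?:\w+=)?127\.0\.0\.1:\d+")
# A plausible Trusted Zone entry: optional scheme, optional "*." wildcard,
# then a host name containing at least one dot.
ZONE_HOST_RE = re.compile(r"^(?:https?://)?(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


@dataclass
class Entry:
    section: str   # e.g. "O15"
    body: str      # everything after "Onn - "


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/O entries of an HJT log, skipping headers and process lists."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries worth a closer look. Findings come back in log order."""
    findings: List[Finding] = []
    seen_lsp: set = set()
    for e in entries:
        line = f"{e.section} - {e.body}"
        if e.section == "R1" and LOCAL_PROXY_RE.search(e.body):
            findings.append(Finding(e.section,
                "browser traffic is routed through a local proxy port; "
                "legitimate only if a known local program owns that port", line))
        elif e.section in ("O2", "O23") and "(no file)" in e.body:
            findings.append(Finding(e.section,
                "registration points at a file that no longer exists "
                "(leftover of a removed or half-cleaned component)", line))
        elif e.section == "O10":
            # Same LSP DLL listed twice: the provider chain needs checking.
            path = e.body.split("Winsock LSP:", 1)[-1].strip().lower()
            if path in seen_lsp:
                findings.append(Finding(e.section,
                    "same LSP DLL registered twice; inspect the provider chain", line))
            seen_lsp.add(path)
        elif e.section == "O15":
            zone = e.body.split("Trusted Zone:", 1)[-1].strip()
            if not ZONE_HOST_RE.match(zone):
                findings.append(Finding(e.section,
                    "Trusted Zone entry is not a host name", line))
    return findings


def triage_report(text: str) -> List[Finding]:
    """Parse a raw HJT log and return its findings."""
    return triage(parse_hjt(text))


# Constructed subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: *.https
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```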

#2 Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 30 May 2007 - 10:16 AM

Hi and welcome

I see two active and running Firewalls?
Norton AntiVirus Firewall
Zone Labs Firewall

This can lead to major conflicts and issues which can leave a computer not running as it should, along with resources running the CPU to high usage.

Is your subscription to Norton valid and up to date?
One needs to be disabled or uninstalled. If you need to remove your Norton package let me know and I can provide a removal tool and supply you with a list of free antivirus and firewall software if needed.



Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Please post the ComboFix log and a new HJT log.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#3 tcrumbly

    Member

  • Members
  • 17 posts

Posted 30 May 2007 - 12:32 PM

Hi, thanks. My Norton was going to expire. My plans were to switch over to Norton 360...but then I got hit by this trojan. It's going to expire any day now...so I might as well de-install it and install one of your recommended scanners. I loaded on ZoneAlarm, because Norton failed to stop the trojan from accessing the internet. I can watch it working on the TaskMgr/Networking meter, and from TCPView. If I end up reformatting the drive, I'll load on Norton 360. If you can reply with your scan recommendation, I'll load it on. The computer is remote, so I can only get on it at night. I'll run ComboFix and HijackThis in non-"safe mode"...right!? The reason I ask is that the PC only runs stable in safe mode. Looks like only a matter of time before it won't boot outside of safe mode. Each time it boots, it takes longer and longer before the icons come up. I can't use F8 (the advanced menu won't come up) to enter safe mode; I have to use msconfig and the BOOT.INI/SAFEBOOT setting to get there. Any chance I can run HijackThis and ComboFix in safe mode? I know the PC will come back up after it boots. :)

#4 Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 30 May 2007 - 12:46 PM

Welcome back

Can you remember the name of the trojan?


If things can only be run in safe mode for the time being, that's what we will have to do.

What I suggest now is
Download to desktop an Antivirus.....don't install yet
You already have the Firewall


AVG,
Avira
Avast!
Clamwin's Free AntiVirus
are good free antivirus programs. Never install more than one antivirus scanner on your system.

Download the Norton uninstall tool to desktop...don't use it yet.

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV:
How to uninstall Norton AntiVirus 2004/2005/2006
(note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

You can also add this article/tutorial in the removal instructions in case there are additional problems after/during removing Norton:
http://basconotw.mvps.org/SymRem.htm
uninstalling Symantec applications


Disconnect your computer from the internet...via cable or DSL so no connection is open.

Go to Add/Remove programs and uninstall what you can there first....
Go to desktop and run the Norton removal tool....

Next, install the antivirus you downloaded to the desktop.
Connect back to the internet and check for virus definition updates then run a complete scan.
Allow it to delete or quarantine anything it finds.


Then continue with the ComboFix scan.

#5 tcrumbly

    Member

  • Members
  • 17 posts

Posted 30 May 2007 - 06:44 PM

Hi, I've got the log files. Unfortunately, my son's user name is in some of the paths of the log files, so I've replaced them with xxxx xxxxx.....just so you know.

so, I've removed Norton and then used the removal tool as you said.

Then I installed AVG and ran a scan. I guess Norton removed the infection to a point where
AVG couldn't detect any infection.

Then I ran ComboFix...



Norton follows....
Norton Quarantine and Restore Report
Created: Wednesday, May 30, 2007 6:10:26 PM
------------------------------------------------------------------------------

File Name
Location
Status Size Risk Name
User Name Machine Name Domain
Date Quarantined
Submitted to Symantec

------------------------------------------------------------------------------

noname.htm
D:\Temp\Tools04-CD1\DVDTools\DvdEdit
Backup 7.11 KB Adware.Istbar
-DESKTOP WIN
Thursday, May 17, 2007 9:44:05 PM
Not submitted

------------------------------------------------------------------------------

win1B0.tmp.exe
C:\WINDOWS\Temp
Backup of an infected file 69.5 KB Downloader.Trojan
-DESKTOP WIN
Sunday, May 20, 2007 8:54:00 PM
Not submitted

------------------------------------------------------------------------------

win1A5.tmp.exe
C:\WINDOWS\Temp
Quarantined 26.0 KB Trojan Horse
-DESKTOP WIN
Monday, May 21, 2007 6:14:53 PM
Not submitted

------------------------------------------------------------------------------

DUMMY_FILE

Backup of an infected file 0 bytes Unknown (DUMMY_FILE)
-DESKTOP WIN
Monday, May 21, 2007 6:42:14 PM
Not submitted

------------------------------------------------------------------------------

stopinst.exe
C:\Program Files\Free Downloads Accelerator\0.999
Backup 38.1 KB SecurityRisk.Downldr
-DESKTOP WIN
Thursday, May 17, 2007 8:59:27 PM
Not submitted

------------------------------------------------------------------------------

AVICodecPackLite3.exe
D:\Temp
Backup 1.38 MB Adware.WebDir
-DESKTOP WIN
Thursday, May 17, 2007 9:31:06 PM
Not submitted

------------------------------------------------------------------------------

STRBRUIR.DLL
C:\Documents and Settings\ \My Documents\RegRun2\quarantine
Backup of an infected file 48.0 KB Trojan.Vundo
-DESKTOP WIN
Monday, May 21, 2007 6:01:56 PM
Not submitted

------------------------------------------------------------------------------

mst1AF.tmp
C:\WINDOWS\Temp
Quarantined 91.5 KB Trojan Horse
-DESKTOP WIN
Sunday, May 20, 2007 8:53:58 PM
Not submitted

------------------------------------------------------------------------------

yazzle1162oinadmin.exe
c:\program files\common files
Backup 143 KB Adware.Purityscan
-DESKTOP WIN
Monday, May 21, 2007 6:17:29 PM
Not submitted

------------------------------------------------------------------------------

yaequfkm.dll
c:\WINDOWS\system32
Backup 59.5 KB Adware.Purityscan
-DESKTOP WIN
Sunday, May 20, 2007 9:23:12 PM
Not submitted

------------------------------------------------------------------------------

drvdof.dll
C:\WINDOWS\system32
Quarantined 91.5 KB Trojan Horse
-DESKTOP WIN
Sunday, May 20, 2007 8:52:46 PM
Not submitted

------------------------------------------------------------------------------

DUMMY_FILE

Backup 0 bytes Unknown (DUMMY_FILE)
-DESKTOP WIN
Thursday, May 17, 2007 9:44:12 PM
Not submitted

------------------------------------------------------------------------------

oiuninstaller.exe
i:
Backup 107 KB Adware.MediaTicket
-DESKTOP WIN
Monday, May 21, 2007 6:43:09 PM
Not submitted

------------------------------------------------------------------------------

k.exe

Backup 34.0 KB Adware.VirtuMonde
-DESKTOP -DESKTOP
Friday, May 25, 2007 6:24:08 PM
Not submitted

------------------------------------------------------------------------------

Then ComboFix
"xxxx xxxx" - 2007-05-30 19:06:22 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\xxxx xxxx\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:

C:\WINDOWS\system32\YMANTE~1



((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))


2007-05-30 18:05 <DIR> d-------- C:\ScanUtils5_22
2007-05-29 20:07 86,016 --a------ C:\WINDOWS\system32\sliprt.dll
2007-05-29 20:07 <DIR> d-------- C:\Program Files\ISP.COM High Speed
2007-05-29 20:01 <DIR> d-------- C:\Program Files\LookInMyPC
2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-22 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-22 14:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-22 13:03 3,374 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-22 00:07 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-22 00:07 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-22 00:07 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-22 00:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-21 20:07 <DIR> d-------- C:\!KillBox
2007-05-21 18:57 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Lavasoft
2007-05-21 18:36 <DIR> d-------- C:\Documents and Settings\XXXXXX~1\DoctorWeb
2007-05-21 18:36 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\DoctorWeb
2007-05-21 17:41 <DIR> d-------- C:\VundoFix Backups
2007-05-21 00:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-21 00:03 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-20 21:46 19,456 --a------ C:\WINDOWS\system32\Partizan.exe
2007-05-20 21:34 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2007-05-20 21:34 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2007-05-20 21:30 <DIR> d-------- C:\Program Files\Greatis
2007-05-20 13:39 <DIR> d-------- C:\Program Files\Common Files\Ódobe
2007-05-19 16:02 <DIR> d-------- C:\Program Files\ISP.COM Internet Services
2007-05-17 18:53 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-05-16 19:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-05-16 19:23 10,223,616 --a------ C:\Documents and Settings\XXXXXX~1\ntuser.dat
2007-05-16 19:23 10,223,616 --a------ C:\DOCUME~1\XXXXXX~1\ntuser.dat
2007-05-13 21:15 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Thunderbird
2007-05-13 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-20 20:12 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-04-20 20:11 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-04-14 17:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks
2007-04-11 18:14 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Juniper Networks
2007-04-11 18:03 <DIR> d-------- C:\Program Files\Neoteris
2007-04-11 17:55 <DIR> d-------- C:\DOCUME~1\XXXXXX~1\APPLIC~1\Juniper Networks


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 22:35:40 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\Symantec
2007-05-30 22:33:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-30 00:05:54 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\SlipStream
2007-05-22 21:03:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 01:25:19 -------- d-----w C:\Program Files\Common Files\?dobe
2007-05-20 17:09:36 -------- d-----w C:\Program Files\Lx_cats
2007-05-16 23:31:14 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\FaxCtr
2007-05-16 23:31:07 -------- d-----w C:\Program Files\NCH Swift Sound
2007-05-13 15:47:01 1 ---ha-w C:\WINDOWS\system32\m3.dll
2007-05-08 00:56:08 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\VideoReDoPlus
2007-04-26 23:31:14 -------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-04-01 20:15:24 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-01 10:37:42 -------- d-----w C:\DOCUME~1\XXXXXX~1\APPLIC~1\Skype
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:20:48 87,608 ----a-w C:\DOCUME~1\XXXXXX~1\APPLIC~1\ezpinst.exe
2007-03-15 00:20:48 47,360 ----a-w C:\DOCUME~1\XXXXXX~1\APPLIC~1\pcouffin.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{4115122B-85FF-4DD3-9515-F075BEDE5EB5}=C:\Program Files\ISP.COM High Speed\PBHelper.dll [2006-11-30 13:51]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2003-02-07 01:03]
{98DE779A-2364-4293-AB71-2B97C61C4640}=C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll [2003-08-29 09:37]
{AE7CD045-E861-484f-8273-0445EE161910}=D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 03:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 20:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 13:42]
"nwiz"="nwiz.exe" []
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 05:36]
"Acrobat Assistant 7.0"="D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 13:45]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 08:17]
"ZoneAlarm Client"="d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"Anti Trojan Elite"="D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe" []
"SlipStream"="C:\Program Files\ISP.COM High Speed\slipcore.exe" [2006-11-30 13:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-30 18:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24A42960-A7F8-11CF-8121-0020AFB5213D}"="d:\PROGRA~1\MKSTOO~1\XVision\SYSTEM\zonehook.dll" [1999-01-13 20:39]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="D:\ProgramFiles\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\Documents and Settings\All Users\Start Menu\Programs\Quicken\Billminder.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
backup=C:\WINDOWS\pss\palstart.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vision Services.lnk]
backup=C:\WINDOWS\pss\Vision Services.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NuTCSetupEnviron]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"LmHosts"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 19:07:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-30 19:08:03
C:\ComboFix-quarantined-files.txt ... 2007-05-30 19:07
C:\ComboFix2.txt ... 2007-05-22 19:14

And HijackThis...
Scan saved at 7:22:54 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ISP.COM High Speed\slipcore.exe
C:\Program Files\ISP.COM High Speed\slipgui.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Xxxxx Xxxxx\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1:8081/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll
O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll
O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: www.bullionvault.com
O15 - Trusted Zone: www.bulltrade.com
O15 - Trusted Zone: www.continental.com
O15 - Trusted Zone: *.continental.com
O15 - Trusted Zone: *.ericsson.net
O15 - Trusted Zone: *.esquotes.com
O15 - Trusted Zone: www.etrade.com
O15 - Trusted Zone: www.everbank.com
O15 - Trusted Zone: *.faa.gov
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.investing-systems.com
O15 - Trusted Zone: *.irs.gov
O15 - Trusted Zone: http://www.isp.com
O15 - Trusted Zone: *.isp.com
O15 - Trusted Zone: virusscan.jotti.org
O15 - Trusted Zone: *.latindiscounters.com
O15 - Trusted Zone: *.lexmark.com
O15 - Trusted Zone: http://by122w.bay122.mail.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: *.motorola.com
O15 - Trusted Zone: www.hotmail.msn.com
O15 - Trusted Zone: *.netfaqs.com
O15 - Trusted Zone: *.northwesternmutual.com
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: *.stocksignalpro.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: www.t-mobile.com
O15 - Trusted Zone: *.t-mobile.com
O15 - Trusted Zone: www.techguy.org
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.treasurydirect.gov
O15 - Trusted Zone: *.virustotal.com
O15 - Trusted Zone: www.etrade.wallst.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.erics...perSetupSP1.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Just to let you know, the PC can connect to the ISP, but the web browser can't bring up a home page or cannot be used to surf the internet. I do see activity still over the internet from the infection.

#6 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 30 May 2007 - 09:01 PM

Welcome back


You have homework to do here.

Print out or save these instructions to Notepad; Safe Mode will be used and you'll have no connection to this page for viewing.


Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them)
If not listed, download and run this uninstaller:
http://www.outerinfo...Uninstaller.exe
Tutorial for the uninstaller if needed
http://www.outerinfo.com/howto.html

I also see Paltalk is installed here. I do not recommend Paltalk since it has a questionable reputation, so I suggest you uninstall it.
A better/safer alternative is Skype.


Using Windows Explorer, search for and, if found, delete these files/folders:
C:\Program Files\PurityScan <-folder
D:\Temp\Tools04-CD1\DVDTools
C:\WINDOWS\Temp\win1B0.tmp.exe
C:\WINDOWS\system32\tmp.reg
C:\VundoFix Backups

Reboot, let me know if some of these files and folders would not delete.


Open HJT and click scan only, place a check by these entries

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: www.bullionvault.com
O15 - Trusted Zone: www.bulltrade.com
O15 - Trusted Zone: www.continental.com
O15 - Trusted Zone: *.continental.com
O15 - Trusted Zone: *.ericsson.net
O15 - Trusted Zone: *.esquotes.com
O15 - Trusted Zone: www.etrade.com
O15 - Trusted Zone: www.everbank.com
O15 - Trusted Zone: *.faa.gov
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.investing-systems.com
O15 - Trusted Zone: *.irs.gov
O15 - Trusted Zone: http://www.isp.com
O15 - Trusted Zone: *.isp.com
O15 - Trusted Zone: virusscan.jotti.org
O15 - Trusted Zone: *.latindiscounters.com
O15 - Trusted Zone: *.lexmark.com
O15 - Trusted Zone: http://by122w.bay122.mail.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: *.motorola.com
O15 - Trusted Zone: www.hotmail.msn.com
O15 - Trusted Zone: *.netfaqs.com
O15 - Trusted Zone: *.northwesternmutual.com
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: *.stocksignalpro.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: www.t-mobile.com
O15 - Trusted Zone: *.t-mobile.com
O15 - Trusted Zone: www.techguy.org
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.treasurydirect.gov
O15 - Trusted Zone: *.virustotal.com
O15 - Trusted Zone: www.etrade.wallst.com

Close all windows and browsers except HJT and click fix checked


Please download VundoFix.exe
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



Sometimes a bad DNS entry is cached
To get rid of it, go to Start > Run, and in the Open area type in: cmd

At the command prompt, copy/paste the following:

ipconfig /flushdns

Type: Exit to go out of the command prompt.



Now let's check some settings on your system.
Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Press OK twice to get out of the properties screen and reboot if it asks.


Please download ATF Cleaner by Atribune and save it to your desktop.




Download AVG Anti-Spyware 7.5 from Here
And save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update its definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <--VERY IMPORTANT
  • Under "Reports":
    Select "Automatically generate report after every scan"
    Un-Select "Only if threats were found"


Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.



Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Important: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process; be patient, this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.


In your reply please post
C:\vundofix.txt
SDFix Report.txt
AVG Anti-Spyware log
New HJT log

Comments on internet connection and browsing
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013
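
As an added example, not code from this thread or from the HijackThis project: a small Python triage helper that reads HijackThis 1.99.1 entry lines and flags the same classes of entry the post above asks to have fixed (O15 Trusted Zone additions and entries whose file is absent), plus the R1 proxy setting seen in the earlier log as a check added here. The sample log is constructed from a handful of lines in the format shown in the logs above; nothing is modified on the system.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Matches the entry lines HijackThis emits, e.g. "O15 - Trusted Zone: ..."
# (section code, " - ", remainder). Header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<rest>.*)$")

# Markers HijackThis prints when the file behind a registry entry does not exist.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed sample in the HJT 1.99.1 format; the hosts and CLSIDs mirror the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:22:54 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1:8081/
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: *.hotmail.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O15"
    reason: str    # why a helper would ask to have the entry reviewed or fixed
    line: str      # the original log line, so it can be pasted back into HJT


def parse_entries(log_text):
    """Return (section, rest, line) tuples for every HJT entry line in log_text."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("rest"), line))
    return entries


def triage(log_text):
    """Flag entries a helper would review; the log and the system are left untouched."""
    findings = []
    for section, rest, line in parse_entries(log_text):
        if section == "O15" and rest.startswith("Trusted Zone:"):
            # Sites in the Trusted Zone get IE's relaxed security settings.
            findings.append(Finding(section, "site in IE Trusted Zone runs with relaxed settings", line))
        elif any(marker in rest for marker in MISSING_MARKERS):
            # Registry entry whose target file no longer exists: harmless but orphaned.
            findings.append(Finding(section, "orphaned entry, referenced file is absent", line))
        elif section == "R1" and "ProxyServer" in rest:
            # A proxy the user did not set explains "ISP connects, browser fails".
            findings.append(Finding(section, "browser proxy configured, confirm it was intended", line))
    return findings


def count_by_section(findings):
    """Summarise findings as {section: count} for a quick reply to the poster."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print(count_by_section(triage(SAMPLE_LOG)))
```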

#7 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:02 PM

Didn't find anything in Add/Remove programs from the list you gave me.

I couldn't find that PalTalk was installed. I had deinstalled that months ago.

I could not update AVG or AVG Anti-Spyware because I cannot get an internet connection. My ISP connects, but the web browser comes up with a failed connection. I played with my Windows firewall to try to get it going and I get

"Windows cannot start the windows firewall, internet connection sharing server (ICS)" ...something to that effect.


So I effectively have no internet connection... logs follow.

I tried a scan using vundo fix a while ago...and it did find some files...

I did notice, that even though I don't have internet access...there is absolutely no activity from the trojan. I see no network activity at all....dead

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 5:41:08 PM 5/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:25:06 PM 5/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\strbruir.dll
C:\WINDOWS\system32\tuvvtqq.dll
C:\WINDOWS\system32\tuvvvtu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvvvtu.dll
C:\WINDOWS\system32\tuvvvtu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 8:20:31 PM 5/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 10:40:59 PM 5/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 12:42:13 PM 5/22/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 10:43:00 PM 5/22/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 6:24:38 PM 5/25/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 6:08:52 PM 5/31/2007

Listing files found while scanning....

No infected files were found.



==========
SDFIX
==========
Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\Xxxx Xxxxx\NetHood\isp.com\Desktop.ini
C:\Documents and Settings\Xxxx Xxxxx\NetHood\users.isp.com\Desktop.ini
C:\WINDOWS\system32\m3.dll
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2f352a821695fbd87c50ccc2b4807dbe\BIT3E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT1E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bb5c3edd4ebcf72602f3f9ef3df7c5ca\BIT16.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


=========
HijackThis
=========
Logfile of HijackThis v1.99.1
Scan saved at 6:51:29 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Xxxx Xxxxx\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll
O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll
O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.erics...perSetupSP1.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:02 PM

Didn't find anything in Add/Remove programs from the list you gave me.

I couldn't find that PalTalk was installed. I had deinstalled that months ago.

I could not update AVG or AVG Anti-Spyware because I cannot get an internet connection. My ISP connects, but the web browser comes up with a failed connection. I played with my Windows firewall to try to get it going and I get

"Windows cannot start the windows firewall, internet connection sharing server (ICS)" ...something to that effect.
So I effectively have no internet connection... logs follow.

I tried a scan using vundo fix a while ago...and it did find some files...

I did notice, that even though I don't have internet access...there is absolutely no activity from the trojan. I see no network activity at all....dead

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 5:41:08 PM 5/21/2007

Listing files found while scanning....

No infected files were found.
Beginning removal...

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:25:06 PM 5/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\strbruir.dll
C:\WINDOWS\system32\tuvvtqq.dll
C:\WINDOWS\system32\tuvvvtu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvvvtu.dll
C:\WINDOWS\system32\tuvvvtu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 8:20:31 PM 5/21/2007

Listing files found while scanning....

No infected files were found.
Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 10:40:59 PM 5/21/2007

Listing files found while scanning....

No infected files were found.
Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 12:42:13 PM 5/22/2007

Listing files found while scanning....

No infected files were found.
Beginning removal...

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 10:43:00 PM 5/22/2007

Listing files found while scanning....

No infected files were found.
VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 6:24:38 PM 5/25/2007

Listing files found while scanning....

No infected files were found.
VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 6:08:52 PM 5/31/2007

Listing files found while scanning....

No infected files were found.
==========
SDFIX
==========
Rebooting...
Normal Mode:
Checking Files:

No Trojan Files Found
Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:

Remaining Services:
------------------
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
Checking For Files with Hidden Attributes:

C:\Documents and Settings\Xxxx Xxxxx\NetHood\isp.com\Desktop.ini
C:\Documents and Settings\Xxxx Xxxxx\NetHood\users.isp.com\Desktop.ini
C:\WINDOWS\system32\m3.dll
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2f352a821695fbd87c50ccc2b4807dbe\BIT3E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT1E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bb5c3edd4ebcf72602f3f9ef3df7c5ca\BIT16.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished
=========
HijackThis
=========
Logfile of HijackThis v1.99.1
Scan saved at 6:51:29 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Xxxx Xxxxx\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll
O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll
O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.erics...perSetupSP1.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
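An added example, not code from this thread or from HijackThis: a small Python triage pass over a log in the format posted above. It splits each `Rn`/`On` entry into its section code and body and applies a few constructed review rules (targets reported as `(no file)` or `(file missing)`, O23 services with `Unknown owner`, O20 Winlogon Notify hooks, and a count of O15 trusted-zone entries). The sample lines are constructed in the shape of the log above; a flagged entry only means a helper should look at it, exactly as the `(no file)` 3Com service and the `Unknown owner` ProgramChecker service would be looked at here.

```python
"""Triage a HijackThis 1.99.1 log for entries worth a second look.

Added example, not the thread's or HijackThis's own code. The review rules
and the sample log are constructed for this illustration; the section codes
(R0, O2, O4, O15, O18, O20, O23 ...) are HijackThis's own.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log posted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: *.hotmail.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\\ProgramFiles\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\\ProgramFiles\\Zenturi\\ProgramChecker\\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# An entry line is "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (code, body) for every entry line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return [(reason, code, body), ...] for entries a helper should review.

    Rules (constructed for this example, not HijackThis's own):
      * any entry whose target is reported missing: '(no file)' / '(file missing)'
      * O23 services with no publisher ('Unknown owner')
      * O20 Winlogon Notify hooks (DLLs loaded into winlogon.exe)
      * O15 trusted-zone entries, reported as one summary line, since each
        one relaxes Internet Explorer's security settings for that site
    """
    findings = []
    trusted = []
    for code, body in parse_entries(text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("dangling reference", code, body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(("service with no publisher", code, body))
        elif code == "O20":
            findings.append(("winlogon notify hook", code, body))
        elif code == "O15":
            trusted.append(body)
    if trusted:
        findings.append(("trusted zone entries: %d" % len(trusted), "O15", "; ".join(trusted)))
    return findings


def section_counts(text):
    """Count entries per section code, e.g. Counter({'O23': 3, 'O15': 2, ...})."""
    return Counter(code for code, _ in parse_entries(text))


if __name__ == "__main__":
    for reason, code, body in triage(SAMPLE_LOG):
        print("[%s] %s - %s" % (reason, code, body))
```

Paste a real log into `SAMPLE_LOG` (or read it from a file) to run the same rules over it; the output is a review list, not a verdict, which is why the script never proposes a fix.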



#9 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:05 PM

Sorry, I forgot to add the AVG anti-spyware log. It did not find anything. I am currently travelling and missed it from the group of log files I grabbed from the pc.

#10 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:10 PM

Welcome back
You have homework to do here.

Print out or save these instructions to Notepad; Safe Mode will be used and you'll have no connection to this page for viewing.
Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them)
If not listed, download and run this uninstaller:
http://www.outerinfo...Uninstaller.exe
Tutorial for the uninstaller if needed
http://www.outerinfo.com/howto.html

I also see Paltalk is installed here. I do not recommend Paltalk since it has a questionable reputation, so I suggest you uninstall it.
A better/safer alternative is Skype
Using Windows Explorer, search for and, if found, delete these files/folders in bold
C:\Program Files\PurityScan <-folder
D:\Temp\Tools04-CD1\DVDTools
C:\WINDOWS\Temp\win1B0.tmp.exe
C:\WINDOWS\system32\tmp.reg
C:\VundoFix Backups

Reboot, let me know if some of these files and folders would not delete.
Open HJT and click scan only, place a check by these entries

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O15 - Trusted Zone: www.bankofamerica.com
O15 - Trusted Zone: www.bullionvault.com
O15 - Trusted Zone: www.bulltrade.com
O15 - Trusted Zone: www.continental.com
O15 - Trusted Zone: *.continental.com
O15 - Trusted Zone: *.ericsson.net
O15 - Trusted Zone: *.esquotes.com
O15 - Trusted Zone: www.etrade.com
O15 - Trusted Zone: www.everbank.com
O15 - Trusted Zone: *.faa.gov
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.investing-systems.com
O15 - Trusted Zone: *.irs.gov
O15 - Trusted Zone: http://www.isp.com
O15 - Trusted Zone: *.isp.com
O15 - Trusted Zone: virusscan.jotti.org
O15 - Trusted Zone: *.latindiscounters.com
O15 - Trusted Zone: *.lexmark.com
O15 - Trusted Zone: http://by122w.bay122.mail.live.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: *.motorola.com
O15 - Trusted Zone: www.hotmail.msn.com
O15 - Trusted Zone: *.netfaqs.com
O15 - Trusted Zone: *.northwesternmutual.com
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: *.stocksignalpro.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: www.t-mobile.com
O15 - Trusted Zone: *.t-mobile.com
O15 - Trusted Zone: www.techguy.org
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.treasurydirect.gov
O15 - Trusted Zone: *.virustotal.com
O15 - Trusted Zone: www.etrade.wallst.com

Close all windows and browsers except HJT and click fix checked
Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Sometimes a bad DNS entry is cached
To get rid of it, go to Start > Run, and in the Open area type in: cmd

At the command prompt, copy/paste the following:

ipconfig /flushdns

Type: Exit to go out of the command prompt.
Now let's check some settings on your system.
Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Press OK twice to get out of the properties screen and reboot if it asks.
Please download ATF Cleaner by Atribune and save it to your desktop.
Download AVG Anti-Spyware 7.5 from Here
And save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <--VERY IMPORTANT
  • Under "Reports":
    Select "Automatically generate report after every scan"
    Un-Select "Only if threats were found"
Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.
Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Important: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process, be patient this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file, this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.
In your reply please post
C:\vundofix.txt
SDFix Report.txt
AVG Anti-Spyware log
New HJT log

Comments on internet connection and browsing



#11 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:20 PM

Having trouble replying...I've entered a reply..then it doesn't show up on the forum when I close...

anyway..

try again..

None of the programs from the Add/Remove software section existed.

I could not find the PalTalk install. It was removed months ago.

I cannot get an internet connection. I can connect to the ISP. One thing I noticed that was different after these scans is that there is absolutely no network activity from the trojan anymore...it's dead.

I am travelling, so I missed getting the AVG anti-spyware log. It did not find anything. I grabbed the log files as I was leaving and missed this one. I could not update virus scan or anti-spyware due to no internet connection.

The windows firewall isn't working anymore. I get a question about asking to turn it on and when I do I get
"Windows cannot start the windows firewall internet connection sharing service (ICS)"

log files follow....you'll notice I've run vundo fix before...and it did find something



#12 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 31 May 2007 - 07:23 PM

I'm getting some weird behaviour when trying to post replies... just noticed it posted twice...

#13 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 31 May 2007 - 09:20 PM

Welcome back

Sorry for all the issues you're having......

Your HJT log is clean.


absolutely no network activity from the trojan anymore...its dead

Thank goodness!


Two files that I didn't see VundoFix say were deleted; we need to search for them

Use windows explorer and delete these if found

C:\WINDOWS\system32\strbruir.dll
C:\WINDOWS\system32\tuvvtqq.dll



I'm trying to find help for your Internet Connection

Start => Run => Type netsh winsock reset then click ok. Restart your computer then check windows firewall again


You cannot start the Windows Firewall service in Windows XP
No connection to the Internet is currently available


go to start
run
type in
sfc /scannow
Note the space between c /
Note you may be asked for your Windows XP CD if errors are found.


Double-click My Computer, and then right-click the hard disk that you want to check
Click Properties, and then click Tools.
Under Error-checking, click Check Now.
A dialog box that shows the Check disk options is displayed
Check both boxes

If one or more of the files on the hard disk are open, you will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and then restart your computer to start the disk check.
Be patient this can take up to an hour


Let's check Device manager

Click the Start button and click Control Panel.
Click Performance and Maintenance and click System.
Click the Hardware tab and click Device Manager.
In the Device Manager list, check for devices that are incorrectly configured.
Incorrectly configured devices are indicated by a yellow exclamation point (!) or a red X if the device has been disabled.
Double-click any device marked with an exclamation point to display the Properties window.
The Device status area in the Properties window reports the devices that need to be re-configured.


Also we need to check event viewer
When in event viewer there are three log areas that record data

Application log
Security log
System log

In the left pane click on Application and the window to the right will show recorded logs
If an issue was recorded it will have a Red X by that entry
Right-click on that entry, then Properties; this should give an explanation of the event, and hopefully Microsoft has a support link located at the bottom.


How to Repair or Return to Previous Internet Explorer Installation

1. Bring up Windows Task Manager (Ctrl-Alt-Delete)
2. Select Processes tab
3. Locate explorer.exe & select End Process
4. Select Applications tab
5. Select New Task
6. Type 'explorer' in create new task box & select ok.

When you end the explorer.exe process your task bar will likely disappear. Once you create the New Task your task bar should be back with all missing icons.

Right-click the task bar and select Properties, click the Taskbar tab, then uncheck the Hide Inactive Icons button.
When you right-click the task bar, one option is to lock the taskbar; do you have that checked?


Disable Universal Plug and Play

Disable the SSDP Discovery Service and the Universal Plug and Play Device Host. To do this, open Administrative Tools in Control Panel, and then open Services. Select "SSDP Discovery Service", right-click it and select Properties. Change the startup type to "Disabled" and then click OK. Repeat this for the "Universal Plug and Play Device Host."
Disabling Universal Plug and Play still may not work. However, people have found that the problem was solved by changing the startup options for the two services to "Automatic", instead of disabling them.


Go to your Control Panel
Open Internet Options
On the Tools menu, click Internet Options
Click the General tab.
In the Address box, type the Web page address that you want for your home page.
Click Apply/OK

Post back and let me know if normal mode is working correctly.

Edited by Juliet, 01 June 2007 - 07:54 AM.

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#14 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 02 June 2007 - 01:38 PM

Hi Juliet,
After following the instructions, I still can't get internet access. I can connect to my ISP, but when I bring up a web browser, it can't get to the home page, or anywhere else that I type.

I cut the following from the services logs from the event viewer.....looks like there may be some missing files.

These errors occur in the event viewer at every boot-up interval since the day I got the trojan. It appears the trojan was caught by downloading a codec so that videos could be managed using an mp4 player. The codec seems to work fine, but the install appears to have had some "unfriendlies". The files strbruir.dll and tuvvtqq.dll were deleted by a previous run of VundoFix. Unfortunately, I don't have that log.

The firewall service will not start on XP.

I'm at a loss on how to get the internet connection running. Because of it, I haven't been able to download updates to the spyware/anti-virus scanner.

Under system, there is a new hardware adapter I've never seen before, and it does not initialize correctly, has a big red "X" through it.... "Microsoft Tun Miniport Adaptor". I've tried to uninstall it but I get an error that the system needs it in order to reboot. It looks strange.

I did go to http://go.microsoft....link/events.asp to see if I could figure out what was going on. This is the link pointed to by the event viewer. Appears to be too many options. Any ideas on getting the internet connected would be appreciated. At this point I'm starting to consider re-installing the operating system. Uggh... I'm not going to say "uncle" until you think it's a good idea.

The system does seem to be running very smoothly except for the internet connection though.

regards,



===============================


The Bluetooth LAN Access Server service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

=================================
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft....events.asp.
==================================
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
====================================
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
===================================
The 3Com BCAITDI DMI TDI service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
======================================
The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
======================================
The 3Com DMI Agent service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
========================================
The HID Input Service service terminated with the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
=======================================

#15 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 02 June 2007 - 03:12 PM

Welcome back

I've tried to research these error messages and I feel they point to driver issues.
From this point I have to recommend you create a thread in our User to User forum where expert members can assist you better than I can.

http://forums.pcpits...php?showforum=3


If you could copy and paste the last post of information with the list of events found in Event Viewer I feel it would be helpful.

Wish I could have been more assistance for you.

#16 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 03 June 2007 - 03:42 PM

Hi Juliet,
I managed to get the internet working by downloading WinSockXpFix. I then ran the command you told me to run before, netsh winsock reset.

My internet worked and I downloaded AVG updates. AVG Anti-Spyware then caught two trojan entries

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:07:01 PM 6/3/2007

+ Scan result:



D:\System Volume Information\_restore{29847550-B1E3-4C54-B1FB-B696512E5488}\RP8\A0002523.exe -> Trojan.Small : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{29847550-B1E3-4C54-B1FB-B696512E5488}\RP8\A0002524.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


My Event Log is here...
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 6/3/2007
Time: 4:11:03 PM
User: N/A
Computer: -DESKTOP
Description:
The IPv6 Helper Service service hung on starting.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The HID Input Service service terminated with the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.



Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The 3Com DMI Agent service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The 3Com BCAITDI DMI TDI service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The VPN-1 SecureClient Adapter service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/3/2007
Time: 4:09:39 PM
User: N/A
Computer: -DESKTOP
Description:
The Bluetooth LAN Access Server service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

==========================
I want to post an image of the Networking tab of my task manager. The internet activity is back. When my pc is idle, there is about 50% of the link bandwidth being used for who knows what. I can't figure out how to attach the image file (.bmp)

I don't understand what this activity is that I'm seeing, but I'm using the infected desktop to talk with you now. That's major progress I think.

If you want me to, I can still go over to the driver forum, but wanted to see if you had any other ideas I could try to identify this activity I'm seeing. I at least wanted you to see the .bmp image of my task manager.

Another behaviour that recurred is that at boot up, there is a 2 or 3 minute pause with the XP background before the icons appear.

maybe I can mail you the .bmp image?
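Juliet's post above asks for the Event Viewer entries with a red X, and this post pastes a run of Service Control Manager errors (IDs 7000, 7022 and 7023). The following is an added example, not a tool from this thread or from Microsoft, that triages that pasted text the way a responder would: it groups each failing service by the reason text, separating "cannot find the file/path" (a service registration whose binary is gone, which is what a removal or an uninstall leaves behind) from "disabled or no enabled devices" (the normal state for unused device services) and start-up hangs. The sample input is constructed from the four distinct events quoted in this post, trimmed to the headers the parser reads; the bucket names and the ScmEvent/classify/summarize helpers are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in Event Viewer's copy-to-clipboard layout, trimmed to the
# headers the parser needs; the four events are the ones quoted in the post.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Service Control Manager
Event ID: 7022
Description:
The IPv6 Helper Service service hung on starting.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7023
Description:
The HID Input Service service terminated with the following error:
The system cannot find the file specified.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description:
The 3Com DMI Agent service failed to start due to the following error:
The system cannot find the path specified.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description:
The Microsoft TV/Video Connection service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): (.*)$")
SERVICE_RE = re.compile(r"^The (?P<name>.+?) service (?P<outcome>failed to start|terminated|hung on starting)")


@dataclass
class ScmEvent:
    event_id: int
    service: str
    outcome: str   # failed to start / terminated / hung on starting
    reason: str    # the Win32 error text on the following line, if any
    bucket: str    # triage category from classify()


def classify(outcome: str, reason: str) -> str:
    """Map SCM error text to a triage bucket (names are this example's own).

    missing-binary: the registered ImagePath no longer exists; the leftover
    registration is what to inspect (services.msc or the registry key).
    disabled-or-no-device: the usual benign state for unused device services.
    hang: a start-up timeout (7022), worth correlating with a slow boot.
    """
    r = reason.lower()
    if "cannot find the file" in r or "cannot find the path" in r:
        return "missing-binary"
    if "disabled or because it has no enabled devices" in r:
        return "disabled-or-no-device"
    if outcome == "hung on starting":
        return "hang"
    return "other"


def parse_scm_events(text: str) -> List[ScmEvent]:
    events: List[ScmEvent] = []
    for chunk in re.split(r"\n(?=Event Type:)", text):   # one record per "Event Type:" block
        headers: Dict[str, str] = {}
        desc: List[str] = []
        in_desc = False
        for line in chunk.splitlines():
            if in_desc:
                if line.startswith("For more information"):
                    break          # boilerplate footer ends the description
                if line.strip():
                    desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            else:
                m = HEADER_RE.match(line)
                if m:
                    headers[m.group(1)] = m.group(2).strip()
        if headers.get("Event Source") != "Service Control Manager" or not desc:
            continue
        m = SERVICE_RE.match(desc[0])
        if not m:
            continue   # an SCM event that is not about a single service
        reason = desc[1] if len(desc) > 1 else ""
        outcome = m.group("outcome")
        events.append(ScmEvent(int(headers.get("Event ID", "0")), m.group("name"),
                               outcome, reason, classify(outcome, reason)))
    return events


def summarize(events: List[ScmEvent]) -> Dict[str, List[str]]:
    """Service names per bucket, deduplicated (the same error repeats at every boot)."""
    buckets: Dict[str, set] = {}
    for e in events:
        buckets.setdefault(e.bucket, set()).add(e.service)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, names in summarize(parse_scm_events(SAMPLE_EVENTS)).items():
        print(f"{bucket}: {', '.join(names)}")
```

Run against the full paste, the "missing-binary" bucket is the short list worth acting on: each name there has a service entry whose file is gone, and the fix is to remove or repair that registration rather than to chase the error at every boot.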

#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 03 June 2007 - 04:57 PM

Welcome back
That's good news!...wheww! That was hard work, eh?

I still want to check for something lurking around in the background first.

The errors from event viewer still point to driver issues, after these last scans, if all is clear, then I need you to go to the User to User forum for that.



Download the trial version of Spy Sweeper from
Here


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.


Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.


In your next post I need:
SpySweeper log
fsbl log from F-Secure
New HJT log

Comments on computer performance

Edited by Juliet, 03 June 2007 - 04:58 PM.


#18 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 04 June 2007 - 06:34 PM

Hmm...after all the scanning...the other tools can't find the trojans....
Spy sweeper picked up 3

Black light didn't pick up anything...

7:05 PM: Traces Found: 3
7:05 PM: Full Sweep has completed. Elapsed time 00:20:42
7:05 PM: File Sweep Complete, Elapsed Time: 00:17:59
7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
7:05 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
6:59 PM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
6:59 PM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
6:59 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
6:53 PM: Warning: Failed to open file "c:\documents and settings\xxxx xxxxx\application data\slipstream\ieproxy.bak". The operation completed successfully
6:47 PM: Starting File Sweep
6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:47 PM: Starting Cookie Sweep
6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:15
6:47 PM: HKU\S-1-5-21-3301898836-429115175-1203367206-1006\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\outerinfo\ (ID = 2062989)
6:47 PM: Found Adware: purityscan
6:47 PM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
6:47 PM: Found Adware: virtumonde
6:47 PM: HKLM\software\microsoft\windows\currentversion\urls\ (ID = 605127)
6:47 PM: Found Trojan Horse: trojan-downloader-ruin
6:47 PM: Starting Registry Sweep
6:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:25
6:44 PM: Starting Memory Sweep
6:44 PM: Start Full Sweep
6:44 PM: Sweep initiated using definitions version 923
6:43 PM: Your spyware definitions have been updated.
6:28 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:27 PM: Messenger service has been disabled.
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:27 PM: Shield States
6:27 PM: Spyware Definitions: 866
6:27 PM: Spy Sweeper 5.3.2.2361 started
6:27 PM: Spy Sweeper 5.3.2.2361 started
6:27 PM: | Start of Session, Monday, June 04, 2007 |
***************


HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 7:26:56 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
D:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ISP.COM High Speed\slipcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISP.COM High Speed\slipgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\xxxx xxxxx\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ISP.COM High Speed\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\0.999\fdahlp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\0.999\fdabar.dll
O3 - Toolbar: &Quero - {A411D7F4-8D11-43EF-BDE4-AA921666388A} - d:\PROGRA~1\QUEROT~1\Quero.dll
O3 - Toolbar: ISP.COM High Speed - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ISP.COM High Speed\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\ProgramFiles\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\ProgramFiles\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\ProgramFiles\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ISP.COM High Speed\slipcore.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\slipgui.exe
O4 - Global Startup: Microsoft Office.lnk = D:\ProgramFiles\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\ProgramFiles\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\0.999\fdaie.htm
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\gui_resource.dll/328
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://forums.pcpitstop.com
O15 - Trusted Zone: http://www.thestreet.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rvi.us.erics...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\ProgramFiles\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\ProgramFiles\Webroot\Spy Sweeper\SpySweeper.exe

Uggh...can't seem to get these bad guys off the desktop...
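Reading a HijackThis log, as Juliet does when she calls an earlier one clean, is a line-by-line rule pass over a few sections that carry the most weight: proxy and DNS settings (R1, O17), entries pointing at files that no longer exist, services with no readable publisher (O23), Winlogon Notify DLLs (O20) and Trusted Zone additions (O15). The following is an added example, not HijackThis's own logic and not part of the thread, that encodes that first pass; the sample lines are copied from the log posted above, and the Finding type, the note texts and the review_line/review_log helpers are this example's own. A flag here means "verify", not "malicious".

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ProgramFiles\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: http://forums.pcpitstop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E22BE2EE-E9C3-45C1-8359-5246381A93E1}: NameServer = 209.210.176.8 209.210.176.9
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - - (no file)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - D:\ProgramFiles\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


class Finding(NamedTuple):
    section: str   # HJT section code, e.g. "O23"
    note: str      # what the reviewer should verify
    line: str      # the offending log line, verbatim


SECTION_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# A proxy on one of these hosts means some process on this PC relays IE's traffic.
LOCAL_HOSTS = ("127.0.0.1", "localhost")


def review_line(line: str) -> Optional[Finding]:
    """Apply the first-pass rules a reviewer applies by eye to one HJT line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None                      # header, process list or blank line
    sec, body = m.groups()
    if sec in ("R0", "R1") and "ProxyServer" in body:
        target = body.split("=", 1)[1] if "=" in body else ""
        if any(h in target for h in LOCAL_HOSTS):
            return Finding(sec, "IE proxies through a local port: identify the process listening on it", line)
        return Finding(sec, "IE proxy configured: confirm it is intended", line)
    if "(no file)" in body or "(file missing)" in body:
        return Finding(sec, "points at a file that no longer exists (stale registration to clean up)", line)
    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "HJT read no company name from the service binary: verify the vendor", line)
    if sec == "O20":
        return Finding(sec, "Winlogon Notify DLL loads at every logon: verify it belongs to installed software", line)
    if sec == "O17":
        return Finding(sec, "custom DNS servers: compare with the resolvers the ISP publishes", line)
    if sec == "O15":
        return Finding(sec, "site in the Trusted zone runs with relaxed IE security settings", line)
    return None


def review_log(text: str) -> List[Finding]:
    return [f for f in map(review_line, text.splitlines()) if f is not None]


def sections_flagged(text: str) -> List[str]:
    return [f.section for f in review_log(text)]


if __name__ == "__main__":
    for f in review_log(SAMPLE_HJT):
        print(f"[{f.section}] {f.note}\n    {f.line}")
```

On this log the pass yields seven lines to check, none of them a verdict. The local proxy on port 5400 is the one to resolve first: on XP, netstat -ano shows the PID owning the listener, and the log also contains an ISP web accelerator (the ISP.COM High Speed entries, whose data folder the Spy Sweeper log shows holding an ieproxy.bak), so that is one candidate to confirm before assuming anything else. The two O23 lines illustrate the other common outcome: a service with no file is clutter to remove, while an unknown owner is simply a binary without version information that needs a vendor check.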

#19 tcrumbly

tcrumbly

    Member

  • Members
  • 17 posts

Posted 04 June 2007 - 06:38 PM

Juliet, since the Spy Sweeper scan, ...there hasn't been any internet activity from the trojan. But Spy Sweeper said that it wouldn't quarantine without a subscription. I've been watching it for some time now...

#20 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,919 posts
  • Gender:Female


Posted 04 June 2007 - 07:11 PM

Uggh...can't seem to get these bad guys off the desktop...

Tell me what is on desktop?

Delete the version of ComboFix you have now, and the folder C:\qoobox



You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.



Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



download http://www.mvps.org/.../DelDomains.inf and place it on desktop
right click the file and select install, that will reset the zone settings that have been altered

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/...colDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)


Post the logs from
FixWareOut
New ComboFix log
New HJT log
And I hope good comments about the computer.



