TechSpot

Disturbed by TrojanDownloader.XS popup

By onerazan
Apr 18, 2008
  1. Hello TechSpot Experts,

    I'm badly in need of your expoert help in getting rid of this pop-up windows always popping up on my windows. I tried all Spyware and Malware removers and have Spybot and Spyblaster intalled but still cannot get rid of this malware.

    Please kindly help me:

    Window 1:

    Alert details: File - C:\WINDOWS\wml.exe
    | Threat: Abebot
    | "Possible Spyware infection has been detected on your computer by Security
    | System."
    | "To remove detected threat you need to update our PC-Antispyware protection."
    | "Click here to visit PC-Antispyware website"(link)

    Window 2:
    Window titled: System Integrity Scan Wizard
    |
    | Warning: Your computer may have critical errors in Windows registry and file
    | system!
    |
    | The registry and file system errors lead to computer freezes; system crashes
    | and slowdowns; corrumption of files and documents.
    |
    | Immediate system integrity scan and repair is strongly recommended.
    |
    | To scan your computer for errors please click the "next" button below.

    I tried to consult our office Techsupport his solution is ghosting my drive, but I have important data and softwares installed already in my laptop.

    Please I need you valuable help.

    Thank you very much in advance.

    I've read some threads similar to this problem are the soutions the same?
    Please advise.

    Onerazan
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please Attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Install SuperAntiSpyware Free
    • Launch SuperAntiSpyware
    • Click Check for Updates and update to the latest definitions.
    • Click Scan your Computer
      • Check all boxes in the Scan Location box.
      • Check the Complete Scan radio button.
      • Click Scanning Preferences/Control Centre button.
        • Uncheck Ignore files larger than 4MB (recommended)
        • Check Scan Alternate Data Streams.
        • Click Close.
      • Click Next
    • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
    • When finished it will present you with a summary of its findings.
    • Click OK.
    • The Removal Screen will open.
      • Check the items in the list to mark them for Quarantine.
      • Click Next and SAS will Quarantine them.
    Please send me the log.
    • Click the Preferences button.
      • Click the Statistics/Logs tab.
        • Logs are listed by date and time, click on the latest one to highlight it (at the top).
        • Click View log.
      • This will open a log page.
      • Attach it here please.
    CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.
    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    HighjackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete attach the log into your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
     
  3. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hello Kritius,

    Good day.

    I failed to mention that there was red box popup also with message:
    Alert Details
    File: C:\WINDOWS\wml.exe

    Threat:Abebot
    appearing on my screen, and a yellow triangle on my system tray.

    Am running now the initial instructions you told me will get back to you as soon as I finished them.

    thanks!
    Onerazan
     
  4. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Logfiles from Initial Instructions

    Hello Kritius,

    I have consolidated all the logs as attached.

    Hope this is okay.

    thanks!

    Onerazan
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Ill look over them as soon as I get a chance, hopefully within the next few hours
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Did you set this domain?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crazyjohns.com.au

    You also have more than one antivirus program running,
    Avast!
    Norton


    Two antivirus programs does not equal twice the protection, unistall one now. Preferably Norton.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update TAb at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\luncxidw.exe
      C:\Documents and Settings\All Users\Application Data\unuronmd\qxivohar.exe
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\unuronmd
      
      Registry::
      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4EA7D5B-654C-48A4-8F86-308B0634D1E1}]
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "nxkqooov"=-
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
      "bMkEuHHoOu"=-
          
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below(if still present)
    O2 - BHO: (no name) - {D4EA7D5B-654C-48A4-8F86-308B0634D1E1} - (no file)
    O4 - HKCU\..\Run: [nxkqooov] C:\WINDOWS\system32\luncxidw.exe
    O4 - HKCU\..\Policies\Explorer\Run: [bMkEuHHoOu] C:\Documents and Settings\All Users\Application Data\unuronmd\qxivohar.exe
    O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://purtona2.purtona.local/qcbin/Spider90.ocx
    O20 - Winlogon Notify: __c00ABA40 - __c00ABA40.dat (file missing)


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Rename HijackThis.exe to onerazan.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to onerazan.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
     
  7. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Log from 2nd wave intructions part 1

    Hello Kritius,

    Good day.

    I can't seem to attach file now for this post, sorry but i have to attach the log text here.

    Awaiting your next valuable instructions and when can I activate all online protectors:

    ComboFixLog2

    ComboFix 08-04-17.1 - rnazaren 2008-04-19 10:23:11.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1364 [GMT 10:00]
    Running from: C:\Documents and Settings\rnazaren\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\rnazaren\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\All Users\Application Data\unuronmd\qxivohar.exe
    C:\WINDOWS\system32\luncxidw.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\unuronmd
    C:\WINDOWS\system32\fNWwGfhk.ini
    C:\WINDOWS\system32\fNWwGfhk.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
    .

    2008-04-18 22:27 . 2008-04-18 22:27 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-18 20:52 . 2008-04-18 20:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-18 20:52 . 2008-04-18 20:52 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\SUPERAntiSpyware.com
    2008-04-18 20:52 . 2008-04-18 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-18 19:51 . 2008-04-18 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-18 19:51 . 2008-04-18 19:51 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\Malwarebytes
    2008-04-18 19:51 . 2008-04-18 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-18 15:58 . 2008-04-18 15:58 <DIR> d-------- C:\Program Files\Panicware
    2008-04-17 13:57 . 2008-04-17 13:57 <DIR> d-------- C:\Program Files\Alwil Software
    2008-04-17 10:39 . 2008-04-17 10:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-04-17 10:39 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-04-17 10:39 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-04-17 10:39 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-04-17 10:39 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
    2008-04-17 10:38 . 2008-04-17 10:38 <DIR> d-------- C:\Program Files\Webroot
    2008-04-17 10:38 . 2008-04-17 10:38 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\Webroot
    2008-04-17 10:38 . 2008-04-17 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-04-17 10:38 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
    2008-04-17 10:34 . 2008-04-17 22:39 164 --a------ C:\install.dat
    2008-04-16 21:13 . 2008-04-16 21:18 <DIR> d-------- C:\Program Files\Trojan Killer
    2008-04-16 19:14 . 2008-04-16 19:14 <DIR> d-------- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
    2008-04-16 14:57 . 2008-04-16 14:57 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\PCToolsFirewallPlus
    2008-04-16 05:47 . 2008-04-18 20:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-16 01:17 . 2008-04-16 01:17 294 --ahs---- C:\WINDOWS\system32\vaewmsih.ini
    2008-04-07 20:32 . 2008-04-07 20:32 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\Nokia Multimedia Player
    2008-04-03 11:36 . 2008-04-03 11:36 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-04-03 11:36 . 2008-04-03 11:36 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2008-04-03 11:35 . 2008-04-03 11:35 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2008-04-03 11:32 . 2008-04-03 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-04-03 11:31 . 2008-04-03 11:31 <DIR> d-------- C:\Program Files\DIFX
    2008-04-03 11:31 . 2008-04-03 11:32 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\PC Suite
    2008-04-03 11:31 . 2008-04-03 11:32 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\Nokia
    2008-04-03 11:30 . 2008-04-03 11:36 <DIR> d-------- C:\Program Files\Nokia
    2008-04-03 11:30 . 2008-04-03 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
    2008-04-03 11:30 . 2007-02-22 09:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2008-04-03 09:46 . 2008-04-15 14:20 <DIR> d-------- C:\totalcmd
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\UC.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\RAR.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\PKZIP.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\LHA.PIF
    2008-04-03 09:46 . 2007-09-14 06:02 545 --a------ C:\WINDOWS\ARJ.PIF
    2008-04-03 09:46 . 2008-04-15 14:19 337 --a------ C:\WINDOWS\wincmd.ini
    2008-04-02 20:43 . 2008-04-11 16:06 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\skypePM
    2008-04-02 20:43 . 2008-04-02 20:43 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2008-04-02 20:41 . 2008-04-02 20:41 <DIR> d-------- C:\Program Files\Skype
    2008-04-02 20:41 . 2008-04-02 20:41 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-04-02 20:41 . 2008-04-11 08:26 <DIR> d-------- C:\Documents and Settings\rnazaren\Application Data\Skype
    2008-04-01 10:43 . 2008-04-01 10:45 <DIR> d-------- C:\VP-EYE
    2008-04-01 10:43 . 2008-04-01 10:45 32,096 --a------ C:\WINDOWS\unvpeye.ini
    2008-04-01 10:30 . 2008-04-03 20:32 230,424 --a------ C:\snp2sxp-001.raw
    2008-04-01 10:28 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
    2008-04-01 10:28 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\dllcache\kswdmcap.ax
    2008-04-01 10:28 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
    2008-04-01 10:28 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\dllcache\kstvtune.ax
    2008-04-01 10:28 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
    2008-04-01 10:28 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
    2008-04-01 10:28 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
    2008-04-01 10:28 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\dllcache\ksxbar.ax
    2008-04-01 10:28 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
    2008-04-01 10:28 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\dllcache\vidcap.ax
    2008-04-01 10:25 . 2008-04-01 10:25 <DIR> d-------- C:\Program Files\Common Files\snp2std
    2008-04-01 10:25 . 2006-05-13 13:57 10,305,664 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
    2008-04-01 10:25 . 2005-01-26 14:45 349,472 --a------ C:\WINDOWS\WindowsXP-KB822603-x86.exe
    2008-04-01 10:25 . 2006-01-06 12:57 344,064 --a------ C:\WINDOWS\vsnp2std.exe
    2008-04-01 10:25 . 2005-12-21 13:06 147,456 --a------ C:\WINDOWS\rsnp2std.dll
    2008-04-01 10:25 . 2006-01-06 16:39 110,592 --a------ C:\WINDOWS\tsnp2std.exe
    2008-04-01 10:25 . 2006-01-03 18:04 61,440 --a------ C:\WINDOWS\vsnp2std.dll
    2008-04-01 10:25 . 2005-11-23 12:55 53,248 --a------ C:\WINDOWS\system32\csnp2std.dll
    2008-04-01 10:25 . 2005-11-11 15:46 24,960 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
    2008-04-01 10:25 . 2004-12-09 16:23 15,497 --a------ C:\WINDOWS\snp2std.ini
    2008-04-01 10:25 . 2004-12-09 16:23 13,022 --a------ C:\WINDOWS\snp2std.src
    2008-04-01 07:25 . 2008-04-01 07:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
    2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2008-04-01 07:25 . 2008-04-01 07:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2008-04-01 07:25 . 2008-04-01 07:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2008-04-01 07:25 . 2008-04-01 07:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
    2008-04-01 07:25 . 2008-04-01 07:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-22 06:30 . 2008-03-22 06:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-03-22 06:30 . 2008-03-22 06:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
    2008-03-22 06:30 . 2008-03-22 06:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2008-03-22 06:30 . 2008-03-22 06:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2008-03-22 06:30 . 2008-03-22 06:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
     
  8. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Log from 2nd wave intructions part 2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-19 00:21 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-19 00:08 --------- d-----w C:\Program Files\Java
    2008-04-18 14:41 --------- d-----w C:\Program Files\Yahoo!
    2008-04-18 14:39 --------- d-----w C:\Program Files\Google
    2008-04-18 06:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-18 04:33 --------- d-----w C:\Program Files\SpywareBlaster
    2008-04-18 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-18 04:19 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-04-16 08:38 --------- d-----w C:\Program Files\ScreenPrint32 v3
    2008-04-16 08:37 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-04-16 08:37 249,856 ------w C:\WINDOWS\Setup1.exe
    2008-04-16 08:29 --------- d-----w C:\Program Files\Sony Ericsson
    2008-04-16 08:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2008-04-14 10:40 --------- d-----w C:\Documents and Settings\rnazaren\Application Data\LimeWire
    2008-04-10 23:55 --------- d-----w C:\Program Files\DivX
    2008-04-05 03:33 --------- d-----w C:\Documents and Settings\rnazaren\Application Data\U3
    2008-04-03 01:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-02 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2008-03-27 22:24 --------- d-----w C:\Program Files\Winamp
    2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-05 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-05 05:03 --------- d-----w C:\Program Files\QuickTime
    2008-03-03 07:12 --------- d-----w C:\Documents and Settings\rnazaren\Application Data\MSNInstaller
    2008-02-28 22:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-23 07:09 --------- d-----w C:\Program Files\Common Files\LogiShared
    2008-02-23 07:09 --------- d-----w C:\Documents and Settings\rnazaren\Application Data\Logitech
    2008-02-23 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
    2008-02-23 07:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
    2008-02-23 07:07 --------- d-----w C:\Program Files\Common Files\Logitech
    2008-02-23 07:06 --------- d-----w C:\Program Files\Logitech
    2008-02-23 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4EA7D5B-654C-48A4-8F86-308B0634D1E1}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 06:40 218032]
    "MobileConnect.EXE"="C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 01:13 176128]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 04:44 98304]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 04:41 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 04:45 118784]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 13:55 667718]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 13:56 602182]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 282624 C:\WINDOWS\stsystra.exe]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 22:29 49152]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14 53408]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40 124656]
    "ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 20:36 446464]
    "Gct-Conv"="C:\Program Files\COMclient\bin\gct-conf.exe" [2005-10-07 13:18 45056]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 16:35 36352]
    "tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-06 16:39 110592]
    "snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 12:57 344064]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 16:35 1294336]

    C:\Documents and Settings\rnazaren\Start Menu\Programs\Startup\
    ScreenHunter 5.0 Free.lnk - C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2008-04-16 19:14:35 4874240]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-01-26 18:40:49 1078]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-23 17:07:05 692224]
    Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 13:26:54 2080768]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-10-12 11:04:15 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "AvpVolume"= {794a53ca-dcd5-4ab5-a460-60f78165331f} - C:\WINDOWS\Resources\AvpVolume.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00ABA40]
    __c00ABA40.dat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Hummingbird\\Connectivity\\7.00\\Exceed\\exceed.exe"=
    "C:\\Program Files\\COMclient\\jre\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24704:TCP"= 24704:TCP:BitComet 24704 TCP
    "24704:UDP"= 24704:UDP:BitComet 24704 UDP

    R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
    S2 GctLauncher;GctLauncher;"C:\Program Files\COMclient\bin\JavaNTService.exe" inifile="C:\Program Files\COMclient\\bin\GctLauncher.ini" []
    S3 AlarmPrtSrv;AlarmPrtSrv;"C:\Program Files\COMclient\bin\srvany.exe" [2004-02-11 12:27]
    S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-05-13 13:57]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##mwcvhofp2#data]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-17 08:33:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-04-17 00:39:03 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    - C:\
    .
    **************************************************************************
     
  9. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Log from 2nd wave intructions part 3

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-19 10:25:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-19 10:26:04
    ComboFix-quarantined-files.txt 2008-04-19 00:25:52
    ComboFix2.txt 2008-04-18 12:23:11

    Pre-Run: 9,857,183,744 bytes free
    Post-Run: 9,836,888,064 bytes free


    -----------------------------
    Hijackthis Log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:50, on 2008-04-19
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
    C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
    C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\onerazan.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.26.12.40:9880/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wwwi.crazyjohns.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6061025
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.crazyjohns.com.au:80
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [ScreenPrint32] "C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" -startup
    O4 - HKLM\..\Run: [Gct-Conv] "C:\Program Files\COMclient\bin\gct-conf.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [MobileConnect.EXE] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O4 - Startup: ScreenHunter 5.0 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
    O4 - Global Startup: LaunchU3.exe.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     
  10. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Log from 2nd wave intructions part 4

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://wwwi.crazyjohns.com.au
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185238315968
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crazyjohns.com.au
    O17 - HKLM\Software\..\Telephony: DomainName = crazyjohns.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crazyjohns.com.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = crazyjohns.com.au
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = crazyjohns.com.au
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: AvpVolume - {794a53ca-dcd5-4ab5-a460-60f78165331f} - C:\WINDOWS\Resources\AvpVolume.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AlarmPrtSrv - Unknown owner - C:\Program Files\COMclient\bin\srvany.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: GctLauncher - Siemens Corporation - C:\Program Files\COMclient\bin\JavaNTService.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 13759 bytes

    ------------
    Thanks and sorry for the long post Kritius, dont know what happened that I can't attach file now on the reply window as before.
    Awaiting for the next steps from the Techspot guru ;-)

    Regards,
    Onerazan
     
  11. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hello Kritius,

    By the way yes the domain crazyjohns.com.au is the company domain we are using.

    Sorry again for the long logs, do you see any problem why the attachment button didn't work?

    Is my laptop now free of the menace??? Thanks. Appreciate much your help...

    Onerazan
     
  12. kritius

    kritius TS Guru Posts: 2,084

    In regards to the attachments if you go to "my profile" at the top of the page then go to attachments on the left hand side and delete all the previous attachments you should be able to attach from now on.

    I see you got rid of avast instead of Norton, pity.

    The HJT log is clean,

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.
     
  13. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hi Kritius,

    Norton was the "official" anti virus on the office, since this is not mine. But on my personal laptop I will install the Avast instead of the Norton, 60 days trial and I will not get registered one.

    I will do now what you have instructed. Sorry to ruin your weekend, just the same have a great weekend :)

    regards,
    Onerazan
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Thats ok, you havent ruined my weekend, I do this because I like it.
     
  15. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Log for 3rd wave

    Hello Kritius,

    Attached are the logs from Kapersky, it seems there are still those nagging virus and trojans.

    Thanks for the much help. Awaiting your next intructions.

    regards,
    Onerazan
     
  16. kritius

    kritius TS Guru Posts: 2,084

    No logs attached.
     
  17. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Kaspersky log

    Hello Kritius,

    Good evening.

    Sorry about that, I don't know what happened I know I have attached it. Anyway here it is.

    Thanks very much.

    regards,
    Onerazan
     
  18. kritius

    kritius TS Guru Posts: 2,084

    These are the files and folders that require action,

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine<====Delete the contents of this folder but not the folder itself
    C:\Downloads\Some Other Things\vnc-4_1_2-x86_win32.exe<======Delete this file
    C:\Downloads\SW\rviewer3.exe<======Delete this file
    C:\Downloads\SW\tightvnc-1.2.9-setup.exe<======Delete this file
    C:\Program Files\Radmin Viewer 3.0\radmin.exe<======Delete this file
    C:\Program Files\RealVNC\VNC4<======Delete this folder
    C:\Program Files\UltraVNC<======Delete this folder

    Apart from that your all good,

    Please download the OTMoveIt2 by OldTimer.

    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
     
  19. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Master Kritius!!!

    How can I ever thank you for your patience and assistance. You save me a lot of hassles.

    BTW, how can I make the Firefox secured like what you recommended for IE?

    Have a great remainder of the weekend.

    Is there a voting for the most effective TechSpot conrtibutor? Coz I'll put 10 stars to you...;-)
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Theres no voting, but I dont really go for the boostong of ego's thing anyway, but thank you very much, and im very glad that I could help you.

    HERE is some information for securing FireFox.

    If you have any further problems then let me know.
     
  21. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hi Kritius,

    Thanks anyway, I was glad that there are tech expert like you willing to spend time and help people like me having security trouble over the net and infected with malicious codes.

    More power to you and good health to you!

    Onerazan
     
  22. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hello Kritius,

    After I shutdown my computer after following the last instructions. I installed most of the recommended security programs. Then I left my laptop off, and go about my sunday chores :)

    Now I'm having a Sonic Update Manager popup, is this a new trojan or malware?

    Please advise.

    regards,
    Onerazan
     
  23. kritius

    kritius TS Guru Posts: 2,084

    Sonic Update Manager is to do with cd burning software, do you have Roxio or anything like that installed?
     
  24. onerazan

    onerazan TS Rookie Topic Starter Posts: 16

    Hello Kritius,

    Sorry for the bother, the problem was solved. I found a solution under Dell Support when I Googled. :)

    Thanks again. Great week ahead!

    Onerazan
     
  25. kritius

    kritius TS Guru Posts: 2,084

    Good stuff,

    happy surfing.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...