Please analyze these logs

24 replies to this topic

#1 lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 02 February 2007 - 07:12 AM

I have an old Vaio laptop running Windows 2000 that is now infected and running so slow I can't even find words to describe. The laptop cannot come to a complete start, as it goes into an endless loop of restarts. Can't even start it in "safe mode." It is possible, however, to start it in "Directory Services Restore Mode." Also, my Norton antivirus program keeps notifying me of the following infection: C:\winnt\system32\adir.dll, but can't do anything to get rid of it.

I followed the CCleaner Forum Malware Removal Guide. Nevertheless, I was absolutely not able to run a complete system scan with SuperAntispyware without my computer shutting off by itself about 30 minutes into the process as it was beginning to scan my files. I tried it in the normal start up mode and in the "Directory Services Restore Mode" several times. What I ended up doing was a custom scan of the Memory Items, Registry Items, Startup Locations and Cookies. This log, as well as the others requested, is below.

Even after all this, the present problems remain: continuous restart, computer awfully slow, and antivirus program notification of the infection C:\winnt\system32\adir.dll.

I can't even begin to express my frustration with my computer being in this state. Please help.

Thank you very much indeed.

BITDEFENDER
BitDefender Online Scanner - Real Time Virus Report
Generated at: Wed, Jan 31, 2007 - 22:28:09

Scan Info
Scanned Files 333385
Infected Files 44
Virus Detected
Trojan.Mirchack.A 1
MemScan:Trojan.Dropper.EP 1
MemScan:Trojan.Peed.AF 4
Trojan.Peed.Gen 35
MemScan:Trojan.Peed.U 1
Trojan.PWS.Ras.A 2


SUPERANTISPYWARE
CUSTOM SCAN MEMORY ITEMS, REGISTRY ITEMS, COOKIES, STARTUP LOCATIONS
SUPERAntiSpyware Scan Log
Application Version : 3.5.1016
Core Rules Database Version : 3176
Trace Rules Database Version: 1185
Scan type : Custom Scan
Total Scan Time : 00:29:00

Memory items scanned : 289
Memory threats detected : 0
Registry items scanned : 4956
Registry threats detected : 65
File items scanned : 0
File threats detected : 0

Trojan.Media-Codec
HKCR\650ef38e.axb8
HKCR\650ef38e.axb8\CLSID
HKCR\650ef38f.ds45
HKCR\650ef38f.ds45\CLSID
HKCR\6fa10094.vcsd
HKCR\6fa10094.vcsd\CLSID
HKCR\767960fa.ccas
HKCR\767960fa.ccas\CLSID
HKCR\767960fb.2345
HKCR\767960fb.2345\CLSID
HKCR\7fe62cc2.bctp
HKCR\7fe62cc2.bctp\CLSID
HKCR\877faba2.2dfh
HKCR\877faba2.2dfh\CLSID
HKCR\8dcb614a.afbs
HKCR\8dcb614a.afbs\CLSID
HKCR\94ad4b18.3hpo
HKCR\94ad4b18.3hpo\CLSID
HKCR\BprintingHost.Serv
HKCR\BprintingHost.Serv\CLSID
HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}
HKCR\c5621605.dhcp
HKCR\c5621605.dhcp\CLSID
HKCR\Svshost1.dhcp
HKCR\Svshost1.dhcp\CLSID
HKCR\Svshost10.3hpo
HKCR\Svshost10.3hpo\CLSID
HKCR\Svshost11.cs35
HKCR\Svshost11.cs35\CLSID
HKCR\Svshost12.varh
HKCR\Svshost12.varh\CLSID
HKCR\Svshost13.fpol
HKCR\Svshost13.fpol\CLSID
HKCR\Svshost14.knbs
HKCR\Svshost14.knbs\CLSID
HKCR\Svshost15.kbns
HKCR\Svshost15.kbns\CLSID
HKCR\Svshost2.axb8
HKCR\Svshost2.axb8\CLSID
HKCR\Svshost3.ds45
HKCR\Svshost3.ds45\CLSID
HKCR\Svshost4.vcsd
HKCR\Svshost4.vcsd\CLSID
HKCR\Svshost5.ccas
HKCR\Svshost5.ccas\CLSID
HKCR\Svshost6.2345
HKCR\Svshost6.2345\CLSID
HKCR\Svshost7.bctp
HKCR\Svshost7.bctp\CLSID
HKCR\Svshost8.2dfh
HKCR\Svshost8.2dfh\CLSID
HKCR\Svshost9.afbs
HKCR\Svshost9.afbs\CLSID
HKCR\Svshostt.arty
HKCR\Svshostt.arty\CLSID
HKCR\Svshostt.arty\CLSID#d1
HKCR\Svshostt.arty\CLSID#d2

Unclassified.Unknown Origin
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}#AppID
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\InprocServer32
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\InprocServer32#ThreadingModel
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\ProgID
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\Programmable
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\TypeLib
HKCR\CLSID\{1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3}\VersionIndependentProgID

Adware.Tracking Cookie
C:\Documents and Settings\Dr. Luis E Martines\cookies\dr. luis e martines@tacoda[2].txt
C:\Documents and Settings\Dr. Luis E Martines\cookies\dr. luis e martines@burstnet[2].txt
C:\Documents and Settings\Dr. Luis E Martines\cookies\dr. luis e martines@www.burstnet[1].txt
C:\Documents and Settings\Dr. Luis E Martines\cookies\dr. luis e martines@www.burstbeacon[1].txt



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:20:07 PM 2/1/2007
+ Scan result:

C:\Documents and Settings\Dr. Luis E Martines\Cookies\dr. luis e martines@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Dr. Luis E Martines\Cookies\dr. luis e martines@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Dr. Luis E Martines\Cookies\dr. luis e martines@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Dr. Luis E Martines\Cookies\dr. luis e martines@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\WINNT\system32\wintsu.exe -> Trojan.Small : Cleaned with backup (quarantined).


HIJACK THIS
Logfile of HijackThis v1.99.1
Scan saved at 9:42:29 PM, on 2/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\hijackthis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...ads/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121840709408
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121840626869
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{293E84A4-6B5D-4BFB-8042-35DCB97BEA3C}: Domain = virtua.com.br
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\iVasion\WinPoET\WrOS.EXE

UPDATE
=====

I just ran BitDefender again (12 hours after posting the logs above) and it only found one infection.
Infected with: Trojan.Peed.Gen
File infected: C:\winnt\system32\abc.exe
Disinfection failed
File deleted.

#2 rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 02 February 2007 - 03:53 PM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

--------------

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall


Post both logs in your next reply.

#3 lemartines

Posted 02 February 2007 - 04:29 PM

Here we go.

SmitFraudFix v2.70

Scan done at 8:13:11.39, Fri 02/02/2007
Run from C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\zlbw.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dr. Luis E Martines\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DR11CD~1.LUI\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



COMBOFIX
The combofix log was completely uneventful (nothing was found).
NOTE: why is the combofix log not posted exactly as it was generated --> Once the log was generated I looked at it, but when I tried to save it, my laptop shut down. I tried running combofix two more times, but the laptop shut down before the scanning was completed.

Thank you

#4 rridgely

Posted 02 February 2007 - 05:23 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

-------

I also want you to run combofix again and try to get the log again. Post that as well as the smitfraud report and a new hijackthis log.

#5 lemartines

Posted 02 February 2007 - 06:42 PM

SmitFraudFix v2.70

Scan done at 9:37:54.70, Fri 2007-02-02
Run from C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


NOTE 1: ***I was not prompted to replace any infected files***

NOTE 2:
After SmitfraudFix, I tried to restart the laptop in the normal mode but that process did not complete. The computer automatically restarts, checks "one of my disks" for consistency, tries to start Windows, then a blue screen comes up for a fraction of a second (can't tell what it says) and a new restart ensues. It can stay in that cycle continuously unless the computer is shut down.

After shut down, the computer did start in normal mode with the warning: "Microsoft Windows has experienced an unexpected error. As a precaution, your Active Desktop has been turned off. To restore the Active Desktop, use the following troubleshooting tips..." Then I ran COMBOFIX, but the computer shut down on its own 2 minutes after the scan started.

I tried to restart the computer in the "safe mode," but it could not complete the start up procedures. The only way to start it was using the "Directory Services Restore Mode." After one of my disks is checked for consistency, I receive a warning stating that "Windows is running in safe mode." I clicked ok. One more time I ran COMBOFIX, and here's that log:

"Dr. Luis E Martines" - Fri 2007-02-02 10:33:20 Service Pack 4
ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Dr. Luis E Martines\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\command.com
C:\INSTALL.LOG
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINNT\system32\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-02 to 2007-02-02 ))))))))))))))))))))))))))))))))))


2007-02-02 09:18 <DIR> d-------- C:\FOUND.012
2007-02-02 09:11 <DIR> d-------- C:\FOUND.011
2007-02-02 08:14 <DIR> d-------- C:\rename_this_folder_back_to_sUBs_
2007-02-02 02:36 54,194 --a------ C:\WINNT\system32\abc.exe
2007-02-01 20:32 <DIR> d-------- C:\FOUND.010
2007-01-31 23:18 <DIR> d-------- C:\FOUND.009
2007-01-31 22:41 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-01-31 22:41 <DIR> d-------- C:\Program Files\Grisoft
2007-01-31 22:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-31 22:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-31 22:31 <DIR> d-------- C:\DOCUME~1\DR11CD~1.LUI\Application Data\SUPERAntiSpyware.com
2007-01-31 19:33 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-01-30 23:44 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-01-30 23:28 21,312 --a------ C:\WINNT\choice.exe
2007-01-30 21:39 <DIR> d-------- C:\!KillBox
2007-01-30 21:19 <DIR> d-------- C:\FOUND.008
2007-01-30 19:47 <DIR> d-------- C:\FOUND.007
2007-01-30 19:04 21,056 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-01-30 07:41 <DIR> d-------- C:\FOUND.006
2007-01-30 00:26 <DIR> d-------- C:\FOUND.005
2007-01-30 00:09 <DIR> d-------- C:\FOUND.004
2007-01-30 00:01 <DIR> d-------- C:\FOUND.003
2007-01-29 23:53 <DIR> d-------- C:\FOUND.002
2007-01-29 23:43 <DIR> d-------- C:\FOUND.001
2007-01-29 23:35 <DIR> d-------- C:\FOUND.000
2007-01-14 13:07 81,920 --a------ C:\WINNT\system32\eSellerateControl350.dll
2007-01-14 13:07 75,264 --a------ C:\WINNT\system32\ztvunacev2.dll
2007-01-14 13:07 65,536 --a------ C:\WINNT\system32\ztvcabinet.dll
2007-01-14 13:07 58,904 --a------ C:\WINNT\system32\sysfolderazipcnt.dll
2007-01-14 13:07 58,904 --a------ C:\WINNT\system32\azipcontmn.dll
2007-01-14 13:07 356,352 --a------ C:\WINNT\system32\eSellerateEngine.dll
2007-01-14 13:07 156,160 --a------ C:\WINNT\system32\ztvunrar3.dll
2007-01-14 13:06 <DIR> d-------- C:\Program Files\AlphaZIP
2007-01-05 05:53 <DIR> d-------- C:\Program Files\iTunes
2007-01-05 05:45 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-16 20:11 32256 --a------ C:\WINNT\system32\xqpdrd.dll
2006-12-07 00:04 2071368 --a------ C:\WINNT\system32\wmvcore.dll
2006-12-06 23:47 -------- d-------- C:\Program Files\camfrog
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="\"C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\BtcMaestro]
"ModelName"="8188"
"Version"="2.5.4-73AU"
"Language"=dword:00000000
"KeyboardID"=dword:00000000
"MouseID"=dword:00000000
"KeyboardSID"=dword:00000000
"MouseSID"=dword:00000000
"RMenuSel"=dword:00000000


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="\"C:\\Program Files\\NavNT\\vptray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\
BITSgroup REG_MULTI_SZ BITS\
wugroup REG_MULTI_SZ wuauserv\

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job
C:\WINNT\tasks\MP Scheduled Scan.job
C:\WINNT\tasks\AppleSoftwareUpdate.job

Completion time: Fri 2007-02-02 10:36:51
C:\ComboFix2.txt ... 07-02-02 08:16

#6 rridgely

Posted 02 February 2007 - 08:48 PM

Can you get the computer to boot into normal mode now?
I've been in contact with AndyManchesta about your log and we both agreed that reformatting this computer is the best solution for this computer if you can't get it to boot.

If you can get into normal mode let me know, or if you just can't reformat let me know that as well (if you don't have a windows/recovery disc or whatever).

#7 lemartines

Posted 02 February 2007 - 09:29 PM

Thank you so much for your patience on this issue.

> Can you get the computer to boot into normal mode now?

Yes, BUT I receive the warning: "Microsoft Windows has experienced an unexpected error. As a precaution, your Active Desktop has been turned off. To restore the Active Desktop, use the following troubleshooting tips..."

After an excruciatingly slow start up, the computer does not seem stable as it shuts down when I try to run Lavasoft's Ad-Aware for example.

> I've been in contact with AndyManchesta about your log and we both agreed that reformatting this computer is the best solution for this computer if you cant get it to boot.

I hear you. I have just backed up all my important files.

> If you can get into normal mode let me know, or if you just can't reformat let me know that as well(if you don't have a windows/recovery disc or whatever).

I can't reformat since I do not have those discs anymore :-( Therefore, if you want me to try something else - even if drastic - let me know.

Again, thank you very much, and please extend my thank you to Andy as well.

Luis

#8 rridgely

Posted 02 February 2007 - 09:43 PM

Ok, active desktop shouldn't be a big deal. Just ignore that for now. (Active desktop is just when you get your desktop picture from the internet. It's better to just download whatever picture and use that. But that's the least of your problems for now right. :P)

So boot your computer up into normal mode and we will get started.

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINNT\choice.exe
C:\WINNT\system32\xqpdrd.dll
C:\WINNT\system32\abc.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next please visit SpyKillers forum here

http://www.thespykil...x.php?board=1.0

Read the instructions for uploading files, which is the first topic on the forum, then start a new Topic named 'Files For AndyManchesta'; please then post a link to this thread and upload the requested files.cab archive from your desktop.
----

After uploading those files for andy at the other forum I need you to run some scanners.

Download GMER from Here
Unzip it and start GMER.exe. Click the rootkit-tab and click scan.
Once done, click the Copy button. This will copy the results to clipboard.
You can then right click into a notepad file or straight back on here and choose Paste to post the results back.

Warning ! Please, do not select the "Show all" checkbox during the scan. If you have problems with running GMER.exe, try it in safe mode.
------

Finally download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.


In your next reply at this forum post the logs for blacklight, gmer, and a new hijackthis log.
At the other forum upload those files for andy. Good luck. :)

#9 lemartines

Posted 02 February 2007 - 11:52 PM

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-02-02 15:32:59
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwClose
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \??\C:\WINNT\system32\wincom32.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\wincom32.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwFlushKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINNT\system32\wincom32.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F881F8 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F88308 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateSection 77F88328 5 Bytes JMP 72033FC8

---- Services - GMER 1.0.12 ----

Service C:\WINNT\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----


fsbl-20070202233521.log

02/02/07 15:35:21 [Info]: BlackLight Engine 1.0.55 initialized
02/02/07 15:35:21 [Info]: OS: 5.0 build 2195 (Service Pack 4)
02/02/07 15:35:21 [Note]: 7019 4
02/02/07 15:35:21 [Note]: 7005 0
02/02/07 15:35:28 [Note]: 7006 0
02/02/07 15:35:28 [Note]: 7011 1692
02/02/07 15:35:29 [Note]: 7026 0
02/02/07 15:35:29 [Note]: 7026 0
02/02/07 15:36:05 [Note]: FSRAW library version 1.7.1021
02/02/07 15:37:10 [Info]: Hidden file: c:\WINNT\SYSTEM32\WINCOM32.SYS
02/02/07 15:37:13 [Info]: Hidden file: c:\WINNT\SYSTEM32\WINCOM32.INI
02/02/07 15:37:19 [Note]: 2000 1012
02/02/07 15:37:19 [Note]: 2000 1012
02/02/07 15:39:46 [Note]: 7007 0


THANK YOU
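The two logs above point at the same driver from different angles: GMER sees wincom32.sys in the SSDT and behind a hidden service, BlackLight sees the .sys and its .ini hidden on disk. As an added example (not part of this thread, GMER or BlackLight), the script below parses both formats and correlates them; the sample lines are constructed from the logs posted above, and the "enumeration syscall" list and the two-signals threshold are assumptions.

```python
import re

# Constructed sample: a subset of the GMER and BlackLight output posted above.
GMER_LOG = r"""
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwClose
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT \??\C:\WINNT\system32\wincom32.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\wincom32.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINNT\system32\wincom32.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
Service C:\WINNT\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 <-- ROOTKIT !!!
"""
BLACKLIGHT_LOG = r"""
02/02/07 15:37:10 [Info]: Hidden file: c:\WINNT\SYSTEM32\WINCOM32.SYS
02/02/07 15:37:13 [Info]: Hidden file: c:\WINNT\SYSTEM32\WINCOM32.INI
02/02/07 15:39:46 [Note]: 7007 0
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<path>.+?)\s+(?P<syscall>Zw\w+)(?P<flag>\s+<-- ROOTKIT !!!)?$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[\w+\]\s+(?P<name>\S+)")
HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (?P<path>.+)$")

# Syscalls hooked to hide files and registry keys from user mode (assumed list).
# Legitimate security drivers hook some of these too, so this is one signal, not a verdict.
CONCEAL_SYSCALLS = {"ZwQueryDirectoryFile", "ZwEnumerateKey", "ZwEnumerateValueKey"}


def normalize(path):
    """Drop the NT object prefix and case so GMER and BlackLight paths compare equal."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_gmer(log):
    """Return (driver -> hooked syscalls, driver -> hidden service name, drivers GMER flagged)."""
    hooks, hidden_services, flagged = {}, {}, set()
    for line in log.splitlines():
        m = SSDT_RE.match(line)
        if m:
            drv = normalize(m["path"])
            hooks.setdefault(drv, []).append(m["syscall"])
            if m["flag"]:
                flagged.add(drv)
            continue
        m = SERVICE_RE.match(line)
        if m:
            drv = normalize(m["path"])
            hidden_services[drv] = m["name"]
            if "<-- ROOTKIT" in line:
                flagged.add(drv)
    return hooks, hidden_services, flagged


def parse_blacklight(log):
    """Return the set of paths BlackLight reported as hidden."""
    return {normalize(m["path"]) for m in map(HIDDEN_RE.search, log.splitlines()) if m}


def assess(gmer_log, blacklight_log):
    """Score every SSDT-hooking driver by how many independent signals point at it.
    The two-signal threshold is an assumption chosen so a lone AV hook stays below it."""
    hooks, hidden_services, flagged = parse_gmer(gmer_log)
    hidden_files = parse_blacklight(blacklight_log)
    report = {}
    for drv, syscalls in hooks.items():
        reasons = []
        if drv in flagged:
            reasons.append("flagged by GMER")
        if drv in hidden_services:
            reasons.append(f"loaded by hidden service '{hidden_services[drv]}'")
        if drv in hidden_files:
            reasons.append("driver file hidden from the file system API (BlackLight)")
        concealing = sorted(CONCEAL_SYSCALLS & set(syscalls))
        if concealing:
            reasons.append("hooks enumeration syscalls: " + ", ".join(concealing))
        # A hidden file with the same stem (here wincom32.ini) is a companion artefact.
        stem = drv.rsplit(".", 1)[0]
        companions = sorted(f for f in hidden_files if f != drv and f.rsplit(".", 1)[0] == stem)
        if companions:
            reasons.append("hidden companion files: " + ", ".join(companions))
        report[drv] = {"hooks": sorted(syscalls), "reasons": reasons,
                       "suspicious": len(reasons) >= 2}
    return report
```

Run against the two logs, only wincom32.sys crosses the threshold; SYMEVENT.SYS and guard.sys hook the SSDT but carry no other signal.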

#10 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 03 February 2007 - 12:38 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#11 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 February 2007 - 12:47 AM

Hi Luis

Can you also repeat the Suspicious File Packer steps? It's attempted to pack these

Requests:
C:\WINNT\choice.exe
C:\system32\xqpdrd.dll
C:\system32\abc.exe


so only choice.exe was included. Could you delete the requestedfiles.cab from your desktop, then try it again by copying and pasting this into the step 1 paste text window


C:\WINNT\system32\xqpdrd.dll
C:\WINNT\system32\abc.exe


Let us know if there are any problems and please upload the requested files.cab at the same topic on spykillers forum,

Thanks

#12 OFFLINE   lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 03 February 2007 - 01:47 AM

SDFix: Version 1.63

Fri 02/02/2007 - 17:05:30.37

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32
WINDRIVER

Path:
\??\C:\WINNT\system32\wincom32.sys
\??\C:\WINNT\system32\wincom32.sys
\SystemRoot\System32\drivers\WINDRVR.SYS

wincom32 Deleted
WINDRIVER Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\wincom32.ini - Deleted
C:\WINNT\system32\wincom32.sys - Deleted



ADS Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Documents and Settings\Dr. Luis E Martines\NetHood\sndrag7-Public on idisk.mac.com\Desktop.ini
C:\Program Files\Accessories\mspcx32.dll
C:\Program Files\Accessories\HyperTerminal\hypertrm.dll
C:\Program Files\Accessories\HyperTerminal\hticons.dll
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\WINNT\system32\dllcache\webhits.dll.tmp
C:\WINNT\system32\dllcache\query.dll.tmp
C:\WINNT\system32\dllcache\idq.dll.tmp
C:\WINNT\system32\dllcache\asycfilt.dll.tmp
C:\CONFIG.SYS
C:\LOGO.SYS
C:\hiberfil.sys
C:\WINNT\system32\dllcache\webhits.dll.tmp
C:\WINNT\system32\dllcache\query.dll.tmp
C:\WINNT\system32\dllcache\idq.dll.tmp
C:\WINNT\system32\dllcache\asycfilt.dll.tmp
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\b324dcfeab33a167e65854040271c6ef\BIT6.tmp
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\d80956160a0d352f7391d2e9979dd8bf\BITA.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Communications\~WRL4069.TMP
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Professional\~WRL3230.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL0005.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL3288.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL0083.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL2527.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL0654.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL1024.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL0954.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL4038.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL3348.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL4005.tmp
C:\Documents and Settings\Dr. Luis E Martines\My Documents\Trivela\~WRL2790.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL2803.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL2598.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL1017.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL3142.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL0346.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL3428.tmp
C:\Documents and Settings\Dr. Luis E Martines\Application Data\Microsoft\Word\~WRL3554.tmp

Finished


HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 5:42:59 PM, on 2/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...ads/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121840709408
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121840626869
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{293E84A4-6B5D-4BFB-8042-35DCB97BEA3C}: Domain = virtua.com.br
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\iVasion\WinPoET\WrOS.EXE

THANK YOU

#13 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 February 2007 - 02:12 AM

Sorry to keep jumping in RRidgely :)

The Requested Files.cab you have uploaded is the same file as you uploaded the first time, which was the reason I suggested you delete the first file before repeating the steps. It shows the time in the filename, so the requested-files[2007-02-02_15_27].cab is the one that should be deleted, as it's not packed the files correctly. If you repeat the steps after it's been removed then it should create a new .cab archive which will have the current time showing in the filename; this is the one that should be uploaded.

If there's a problem then please upload these files but you may need to enable hidden files and folders to locate them,

C:\WINNT\system32\xqpdrd.dll
C:\WINNT\system32\abc.exe


The choice.exe is fine and a legit file, but the two above files are likely malware. I cannot say either way until I see the files.

SDFix removed the Trojan service and file, but it's also removed another service that looks legit. Its name is used by a backdoor trojan, but as it's also used by a legit service I'll remove it from the script. It's created backups so we can restore it without any problems. When you upload the new .cab archive or the above files, can you also upload the SDFix backups?

Open the C:\SDFix folder; you will then see another folder named backups. Inside this folder are two zipped folders, one named backups.zip (which contains the trojan files) and another named backupreg.zip (contains reg exports before the tool removed anything). Please upload both the backups.zip and the backupreg.zip to spykillers.

If you have any problems please let me know. Can you also let us know if you're still having problems with it rebooting?

Andy

#14 OFFLINE   lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 03 February 2007 - 03:04 AM

Andy,

requested-files[2007-02-02_18_54].cab
backups.zip
backupreg.zip

All uploaded to spykillers,

Thank you.

#15 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 February 2007 - 03:38 AM

Thanks Luis

I've attached a zipped file to restore the Windriver Service. Please download it and extract the file, then open the RestoreWinDriver folder and double click RunThis.bat. It will only take a couple of seconds to run and will then display 'Service has been restored' on screen; you can then delete the RestoreWinDriver folder as it's not needed.

I'll check the files and reply again

#16 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 February 2007 - 04:24 AM

Hi again :)

xqpdrd.dll is fine,

C:\WINNT\system32\abc.exe is a trojan dropper; it adds multiple files and the wincom32 service. They would have been removed by SDFix if they were still on your system, as shown in the log taken from my machine below:

Quote

SDFix: Version 1.63

03/02/2007 - 4:07:06.95

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32

Path:
\??\C:\WINDOWS\system32\wincom32.sys

wincom32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\adir.dll - Deleted
C:\WINDOWS\system32\adirss.exe - Deleted
C:\WINDOWS\system32\game1.exe - Deleted
C:\WINDOWS\system32\game2.exe - Deleted
C:\WINDOWS\system32\game3.exe - Deleted
C:\WINDOWS\system32\game4.exe - Deleted
C:\WINDOWS\system32\lnwin.exe - Deleted
C:\WINDOWS\system32\taskdir.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted

Please delete the C:\WINNT\system32\abc.exe file & let RRidgely know if there's any remaining problems

Thanks RR :)

Andy

#17 OFFLINE   lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 03 February 2007 - 08:50 AM

Andy,

Just executed the actions you suggested. As of now, things seem to be fine (unbelievable!). Let me give it a day or two before opening the champagne and toasting to RRidgely and you! You guys were/are awesome with this task! Thank you!!

Cheers,

Luis

#18 OFFLINE   lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 03 February 2007 - 09:36 AM

A couple more questions for you guys:

1. How do I re-allow ActiveX?

2. From all these programs I downloaded, installed and ran, which ones should I keep, or which ones should I download and have in my computer to minimize my risks of another event like the one you guys helped me with? I know there's a long list of programs that can be used, but in your opinion, what is the best and how should I use them?

Thanks again,

Luis

#19 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 February 2007 - 02:33 PM

Hi Luis,

You can delete all the tools (Blacklight, GMER, Combofix & SDFix) as they can be downloaded again if they are needed anytime. Regarding the ActiveX question, this should be enabled by default (set to prompt for signed ActiveX controls and set to disable for unsigned ActiveX controls).

To reset them in case they have been changed, go to Start Menu > Settings > Control Panel > Internet Options.

Click the Security tab then the Internet icon, then click Custom Level. At the bottom of the screen there is an option to reset the settings: set it to Medium then click Reset, click Yes at the prompt, then click OK and finally click Apply and OK to close the Internet Properties screen.

For protection, consider installing the MVPS Hosts file, which will block access to a lot of the sites that spread this junk. You can find details here

http://www.mvps.org/...p2002/hosts.htm

Also install SpywareBlaster, it will add malicious sites to the restricted zone of IE to prevent them causing damage if you visit them by mistake anytime and it also sets killbits in the registry to stop malicious ActiveX controls being used so again it can help stop malware getting onto your system, details here

http://www.javacools...areblaster.html


Please also do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Cheers

Andy

#20 OFFLINE   lemartines

    Advanced Member

  • Members
  • 50 posts
  • Gender:Male
  • Location:Los Angeles, CA

Posted 03 February 2007 - 10:33 PM

Hi Andy,

The computer seems to be running well, but the log below shows there are still active infections.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 03, 2007 2:25:46 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/02/2007
Kaspersky Anti-Virus database records: 264597
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 52592
Number of viruses found: 5
Number of infected objects: 8 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:50:50

Infected Object Name / Virus Name / Last Action
C:\sti.log Object is locked skipped
C:\Program Files\iVasion\WinPoET\WrOS.EventLog.txt Object is locked skipped
C:\mIRC\backup\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_3ac.dat Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC000001 Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{79B28D31-74ED-46D6-9C1B-80365CDC5E62}.bin Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine57C0000.VBN Infected: Trojan-Downloader.Win32.Zlob.we skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine7D00000.VBN Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine6240000.VBN Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN/backups/wincom32.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\Dr. Luis E Martines\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Local Settings\History\History.IE5\MSHist012007020320070204\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dr. Luis E Martines\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Dr. Luis E Martines\UserData\index.dat Object is locked skipped

Scan process completed.
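One way to read the report above that separates what the scanner could not open from what it actually detected, as an added example that is not part of this thread or of Kaspersky's tool: the lines below are constructed from the report posted above, the bucket rules (locked, quarantine, riskware, live) are assumptions, and the summary check compares the header counts with the detail lines.

```python
import re
from collections import defaultdict

# Constructed sample: the header counts and every detection line from the
# Kaspersky report above, plus a few of its "Object is locked" lines.
KAV_REPORT = r"""
Number of viruses found: 5
Number of infected objects: 8 / 0
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\sti.log Object is locked skipped
C:\Program Files\iVasion\WinPoET\WrOS.EventLog.txt Object is locked skipped
C:\mIRC\backup\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine57C0000.VBN Infected: Trojan-Downloader.Win32.Zlob.we skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine7D00000.VBN Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine6240000.VBN Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN/backups/wincom32.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine54C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\Dr. Luis E Martines\Desktop\CleanUp\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""

# Three line shapes occur: locked object, named detection, container summary.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) skipped$")
COUNT_RE = re.compile(r"^Number of (viruses found|infected objects): (\d+)", re.M)


def parse_report(text):
    """One dict per detail line; kind is 'locked', 'detection' or 'container'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, blanks, column titles
        kind = "locked" if m["locked"] else "container" if m["container"] else "detection"
        entries.append({"path": m["path"], "kind": kind,
                        "name": m["name"], "container": m["container"]})
    return entries


def triage(entries):
    """Heuristic buckets (assumptions, not Kaspersky's own categories):
    locked     - not scanned at all, so no verdict either way
    quarantine - hit sits inside another AV product's quarantine store (Norton .VBN here)
    riskware   - Kaspersky's not-a-virus: prefix (IRC client, reboot helper)
    live       - anything else: a detection on a file that is actually in place
    """
    buckets = defaultdict(list)
    for e in entries:
        if e["kind"] == "locked":
            buckets["locked"].append(e["path"])
        elif "\\quarantine" in e["path"].lower():
            buckets["quarantine"].append(e["path"])
        elif e["name"] and e["name"].startswith("not-a-virus:"):
            buckets["riskware"].append(e["path"])
        else:
            buckets["live"].append(e["path"])
    return dict(buckets)


def header_counts_match(text, entries):
    """Check the report's own summary against its detail lines: 'viruses found'
    counts distinct names, 'infected objects' counts detection and container lines."""
    counts = {label: int(n) for label, n in COUNT_RE.findall(text)}
    names = {e["name"] for e in entries if e["name"]}
    objects = [e for e in entries if e["kind"] != "locked"]
    return (counts.get("viruses found") == len(names)
            and counts.get("infected objects") == len(objects))
```

On this report the "live" bucket comes out empty: the eight infected objects are six hits inside Norton's quarantine store and two not-a-virus tools, and the header counts reconcile with the detail lines.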