IE redirect and pop ups on laptop

Question

zeon 0 Newbie Poster

17 Years Ago

Ok so heres the seperate thread for laptop problem ... same as my pc, random redirects and pop ups.

Logs:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:55:43 08/02/2007
+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{81CDDAE8-3B92-4F0D-86C1-8DD5DB6A8471} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Classes\TypeLib\{EFA1EC0F-8359-41B7-A178-7DD6805A0C79} -> Adware.Generic : No action taken.
HKU\S-1-5-21-4247219848-3744751695-398315518-1005\Software\TrustIn -> Adware.Generic : No action taken.
HKU\S-1-5-21-4247219848-3744751695-398315518-1005\Software\TrustIn\Weekly Executer -> Adware.Generic : No action taken.
HKU\S-1-5-21-4247219848-3744751695-398315518-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -> Adware.TrustCleaner : No action taken.
C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP47\A0011093.exe -> Adware.Trymedia : No action taken.
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe/webcontrol\btwebcontrol.dll -> Dialer.Small : No action taken.
C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP19\A0005172.exe -> Downloader.Small.ddp : No action taken.
C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP52\A0013323.dll -> Downloader.Small.ddp : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Sarah\Cookies\sarah@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : No action taken.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 21:28:58, on 08/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toucan.com/jump/redir.asp?id=205
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C3338E8-986F-4033-B0EC-2309FE31F0FF}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{4991818F-6A07-42D3-8039-877D8E3C3C06}: NameServer = 212.139.132.42 212.139.132.41
O17 - HKLM\System\CCS\Services\Tcpip\..\{5737BCEC-DDD7-4816-A4F5-EE3812D97D77}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C419E89-D305-4BBD-8803-5F2BF0356C4A}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9FC85F3-B83B-45FF-9F0E-88D6A42A8001}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD96CEFC-6E83-48E6-B7E1-A72A27DAC0E0}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

"Sarah" - 07-02-09 13:18:06 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Sarah\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))

2007-02-09 03:31 <DIR> d-------- C:\4d5f43340c34e8b320ae0bdeb970
2007-02-09 03:18 <DIR> d-------- C:\VundoFix Backups
2007-02-09 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-02-09 03:02 <DIR> d-------- C:\9146e9fb82a2f646cd1c
2007-02-08 21:28 <DIR> d-------- C:\HJT
2007-02-08 20:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-08 20:57 <DIR> d-------- C:\Program Files\Grisoft
2007-02-08 20:34 <DIR> d--h----- C:\DOCUME~1\Sarah\Application Data\yahoo!
2007-02-08 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\yahoo!
2007-02-08 19:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-02-08 18:36 23,040 --------- C:\WINDOWS\kb913800.exe
2007-02-08 18:20 <DIR> d-------- C:\Program Files\MSN Messenger
2007-02-08 18:18 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-02-08 18:07 <DIR> d---s---- C:\DOCUME~1\Sarah\UserData
2007-02-08 17:53 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-02-08 17:46 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-02-08 17:45 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-02-08 17:45 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-02-08 17:39 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2007-02-08 17:39 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-02-08 17:39 5,606 --a------ C:\WINDOWS\system32\stci.dll
2007-02-08 17:39 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2007-02-08 17:39 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2007-02-08 17:39 <DIR> d-------- C:\Program Files\Thomson
2007-02-05 03:04 <DIR> d-------- C:\WINDOWS\Performance
2007-02-05 03:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Microsoft Corporation
2007-02-05 02:52 <DIR> d-------- C:\Program Files\Encore
2007-02-04 02:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trymedia
2007-02-03 20:02 <DIR> d-------- C:\Downloads
2007-02-03 03:17 <DIR> d-------- C:\SIERRA
2007-02-03 03:07 <DIR> d-------- C:\DOCUME~1\Sarah\WINDOWS
2007-02-01 23:49 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-02-01 15:07 104 --a------ C:\WINDOWS\system32\attfd42.dll
2007-02-01 14:42 <DIR> d-------- C:\WINDOWS\Profiles
2007-02-01 00:13 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Ahead
2007-02-01 00:12 89,184 -ra------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-02-01 00:11 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-02-01 00:11 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-02-01 00:11 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2007-02-01 00:11 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-02-01 00:10 155,648 -ra------ C:\WINDOWS\system32\NeroCheck.exe
2007-02-01 00:10 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-02-01 00:10 <DIR> d-------- C:\Program Files\Ahead
2007-01-31 11:42 0 --a------ C:\DOCUME~1\Sarah\Application Data\wklnhst.dat
2007-01-31 11:42 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Template
2007-01-30 12:51 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\AdobeUM
2007-01-25 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-24 19:37 <DIR> d-------- C:\Program Files\Atari
2007-01-22 18:28 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Logitech
2007-01-22 18:25 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2007-01-22 18:25 <DIR> d-------- C:\Program Files\MUSICMATCH
2007-01-22 18:24 68,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-01-22 18:24 55,040 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2007-01-22 18:24 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-01-22 18:24 26,112 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2007-01-22 18:24 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-01-22 18:24 <DIR> d-------- C:\Program Files\Logitech
2007-01-22 18:24 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-01-22 18:19 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-01-12 18:01 276,792 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-01-12 18:01 25,400 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-01-12 18:01 247,608 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-01-12 13:13 <DIR> d-------- C:\Program Files\KONAMI
2007-01-12 12:37 <DIR> d-------- C:\Program Files\Game Graphic Studio
2007-01-10 13:49 <DIR> d-------- C:\WINDOWS\Downloaded Installations

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-09 03:14 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-08 19:55 -------- d-------- C:\DOCUME~1\Sarah\Application Data\macromedia
2007-02-08 18:21 -------- d---s---- C:\DOCUME~1\Sarah\Application Data\microsoft
2007-02-08 18:00 -------- d-------- C:\Program Files\symantec
2007-02-08 17:39 -------- d--h----- C:\Program Files\installshield installation information
2007-02-04 03:05 -------- d-------- C:\Program Files\dkz studio
2007-01-08 02:10 -------- d-------- C:\Program Files\sports interactive
2007-01-05 12:36 21840 --a----t- C:\WINDOWS\system32\sintfnt.dll
2007-01-05 12:36 17212 --a----t- C:\WINDOWS\system32\sintf32.dll
2007-01-05 12:36 12067 --a----t- C:\WINDOWS\system32\sintf16.dll
2007-01-04 11:41 -------- d-------- C:\Program Files\winuha
2007-01-03 19:37 -------- d-------- C:\Program Files\7-zip
2007-01-01 13:06 737280 --a------ C:\WINDOWS\iun6002.exe
2006-12-27 23:17 -------- d-------- C:\Program Files\fox
2006-12-27 13:39 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-12-27 13:36 -------- d-------- C:\Program Files\vid_0e8f&pid_0003
2006-12-26 15:08 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-25 20:20 -------- d-------- C:\DOCUME~1\Sarah\Application Data\intervideo
2006-12-21 11:40 -------- d-------- C:\Program Files\ea games
2006-12-15 11:11 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-12-15 11:11 -------- d-------- C:\Program Files\intel
2006-12-15 11:11 -------- d-------- C:\DOCUME~1\Sarah\Application Data\intel
2006-12-07 04:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdxca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILREBOOTDRV

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarah.job

********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\kdxca.exe 65536 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
********************************************************************
Completion time: 07-02-09 13:20:13

Thanks again :mrgreen:

windows-virus

2 Contributors
7 Replies
245 Views
4 Days Discussion Span
Latest Post 17 Years Ago Latest Post by PhilliePhan

PhilliePhan 171 Central Scrutinizer

17 Years Ago

Hi Sarah,

There are a few "iffy" items in the combofix log - we'll figure them out later.

First, these steps need to be run - pretty much same as before ;)

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts.
Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C3338E8-986F-4033-B0EC-2309FE31F0FF}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{5737BCEC-DDD7-4816-A4F5-EE3812D97D77}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C419E89-D305-4BBD-8803-5F2BF0356C4A}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9FC85F3-B83B-45FF-9F0E-88D6A42A8001}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD96CEFC-6E83-48E6-B7E1-A72A27DAC0E0}: NameServer = 85.255.114.90,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90 85.255.112.92
Be sure All Browser Windows are Closed and then Click Fix Checked.

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

NEXT:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! (your HJT shows jre1.5.0_04 - dump that...)
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies, such as that VUNDO that was on your other machine!

THEN:
Download ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.

NEXT:
Open AVG AntiSpyware.
Click Run online update and allow it to run until you see the Update Successful message.

NOW, run a full scan:

-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
--->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop where you can find it easily. Again, be sure to Apply All Actions Before saving the Log!

LASTLY: Please locate c:\fixwareout\report.txt and post it here along with Fresh HijackThis Scanlog and the AVG Anti-Spyware Log and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer

17 Years Ago

The IP address in those items you told me to remove from HJT was the same one that was saved on my pc before i changed the dns back to automatic ... is this what is causing part of the problem?

That is part of it - along with the hidden Trojan that Fixwareout removed.

Do i need to contact my isp to change the IP?

That is not necessary. Just take proper precautions to prevent reinfection. See my linky below!
If your Norton doesn't come with a Firewall, I suggest you install ZoneAlarm. Also, Spyware Blaster (in the linky).
Better yet, when your subscription to Norton runs out, I suggest an upgrade....
You might have a look at Kaspersky Internet Security 6.0
Easily the best Security Suite option for the money....

Found another Trojan on the AVG scan ... any reason this wouldnt have been in the avg scan i did yesterday?

That is probably the same one - Trojan.DNSChanger.hk
Only this one is in System Restore. Usually, after a battle with malware, it is advisable to flush your System Restore points because some malware can be preserved along with the legitimate stuff. In this case, it looks like AVG was able to clean the baddies....

Thanks, Sarah :)

You're welcome! Happy to help :)

-- I would still like to see a Fresh Combofix log. If I remember correctly, there were some "iffy" items to look at...

PP :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

zeon 0 Newbie Poster · Answer 1 · 2007-02-11T03:42:35+00:00

The IP address in those items you told me to remove from HJT was the same one that was saved on my pc before i changed the dns back to automatic ... is this what is causing part of the problem?
Do i need to contact my isp to change the IP?

Found another Trojan on the AVG scan ... any reason this wouldnt have been in the avg scan i did yesterday?

Here are the logs:

Fixwareout
Last edited 1/30/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdxca.exe will be moved to C:\WINDOWS\temp\kdxca.ren at reboot.
»»»»» System restarted
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

»»»»» Misc files.

»»»»» Checking for older varients.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.

This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
Hosts file was reset, If you use a custom hosts file please replace it

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:25:06 10/02/2007
+ Scan result:

C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP47\A0011138.exe -> Trojan.DNSChanger.hk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP47\A0011141.exe -> Trojan.DNSChanger.hk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1BA85EF5-6C2B-4F0D-B72F-50D3F1AF44F9}\RP49\A0011678.exe -> Trojan.DNSChanger.hk : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 21:26:53, on 10/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4991818F-6A07-42D3-8039-877D8E3C3C06}: NameServer = 212.139.132.6 212.139.132.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Thanks, Sarah :)

zeon 0 Newbie Poster · Answer 2 · 2007-02-12T20:17:58+00:00

The thread your link directs to is amazingly helpful ... thanks!
I've downloaded a few of the applications and already Zone Alarm has blocked things trying to access my pc that Norton didnt see ... silly that a free programme works better than the £50 one *rolls eyes*

Here's the combofix log:

"Sarah" - 07-02-12 1:44:50 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Sarah\Desktop\Tools"

((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))

2007-02-12 01:41 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-02-12 01:24 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-12 01:23 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-02-12 01:23 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-12 01:23 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-12 01:23 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-12 01:22 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-02-12 01:17 <DIR> d-------- C:\Program Files\Windows Defender
2007-02-12 01:17 <DIR> d-------- C:\c58930f38af91c528bd17fd98596
2007-02-12 01:11 <DIR> d-------- C:\fdaece98d2545f4a96d51c3c021f
2007-02-12 01:09 <DIR> d-------- C:\e4921abaf5aedb7fbea089a357
2007-02-12 01:00 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-12 00:59 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-02-12 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-02-12 00:39 <DIR> d-------- C:\c564f63a9ea55401b21fe240afe2
2007-02-11 03:00 <DIR> d-------- C:\8e81fadbf7e0f8bf22d93104ad7055
2007-02-10 23:10 <DIR> d-------- C:\7c652e128e8e716b536d907205
2007-02-10 20:02 <DIR> d-------- C:\fixwareout
2007-02-10 03:32 <DIR> d-------- C:\d6c62d58e7cfc427e8a9c890af9263
2007-02-10 03:00 <DIR> d-------- C:\8d384b3b473eb6b49490036e6b57
2007-02-09 20:46 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-02-09 20:45 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-02-09 20:45 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-02-09 20:43 <DIR> d-------- C:\Program Files\Symantec
2007-02-09 03:31 <DIR> d-------- C:\4d5f43340c34e8b320ae0bdeb970
2007-02-09 03:18 <DIR> d-------- C:\VundoFix Backups
2007-02-09 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-02-09 03:02 <DIR> d-------- C:\9146e9fb82a2f646cd1c
2007-02-08 21:28 <DIR> d-------- C:\HJT
2007-02-08 20:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-08 20:57 <DIR> d-------- C:\Program Files\Grisoft
2007-02-08 20:34 <DIR> d--h----- C:\DOCUME~1\Sarah\Application Data\yahoo!
2007-02-08 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\yahoo!
2007-02-08 19:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-02-08 18:36 23,040 --------- C:\WINDOWS\kb913800.exe
2007-02-08 18:20 <DIR> d-------- C:\Program Files\MSN Messenger
2007-02-08 18:18 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-02-08 18:07 <DIR> d---s---- C:\DOCUME~1\Sarah\UserData
2007-02-08 17:53 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-02-08 17:39 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2007-02-08 17:39 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-02-08 17:39 5,606 --a------ C:\WINDOWS\system32\stci.dll
2007-02-08 17:39 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2007-02-08 17:39 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2007-02-08 17:39 <DIR> d-------- C:\Program Files\Thomson
2007-02-05 03:04 <DIR> d-------- C:\WINDOWS\Performance
2007-02-05 03:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Microsoft Corporation
2007-02-05 02:52 <DIR> d-------- C:\Program Files\Encore
2007-02-04 02:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trymedia
2007-02-03 20:02 <DIR> d-------- C:\Downloads
2007-02-03 03:17 <DIR> d-------- C:\SIERRA
2007-02-03 03:07 <DIR> d-------- C:\DOCUME~1\Sarah\WINDOWS
2007-02-01 23:49 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-02-01 15:07 104 --a------ C:\WINDOWS\system32\attfd42.dll
2007-02-01 14:42 <DIR> d-------- C:\WINDOWS\Profiles
2007-02-01 00:13 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Ahead
2007-02-01 00:12 89,184 -ra------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-02-01 00:11 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-02-01 00:11 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-02-01 00:11 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2007-02-01 00:11 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-02-01 00:10 155,648 -ra------ C:\WINDOWS\system32\NeroCheck.exe
2007-02-01 00:10 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-02-01 00:10 <DIR> d-------- C:\Program Files\Ahead
2007-01-31 11:42 0 --a------ C:\DOCUME~1\Sarah\Application Data\wklnhst.dat
2007-01-31 11:42 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Template
2007-01-30 12:51 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\AdobeUM
2007-01-25 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-24 19:37 <DIR> d-------- C:\Program Files\Atari
2007-01-22 18:28 <DIR> d-------- C:\DOCUME~1\Sarah\Application Data\Logitech
2007-01-22 18:25 13,440 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2007-01-22 18:25 <DIR> d-------- C:\Program Files\MUSICMATCH
2007-01-22 18:24 68,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-01-22 18:24 55,040 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2007-01-22 18:24 28,160 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-01-22 18:24 26,112 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2007-01-22 18:24 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-01-22 18:24 <DIR> d-------- C:\Program Files\Logitech
2007-01-22 18:24 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-01-22 18:19 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-01-12 18:01 276,792 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-01-12 18:01 25,400 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-01-12 18:01 247,608 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-01-12 13:13 <DIR> d-------- C:\Program Files\KONAMI
2007-01-12 12:37 <DIR> d-------- C:\Program Files\Game Graphic Studio

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-12 01:48 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-12 01:00 -------- d-------- C:\DOCUME~1\Sarah\Application Data\mozilla
2007-02-10 20:26 -------- d-------- C:\Program Files\java
2007-02-08 19:55 -------- d-------- C:\DOCUME~1\Sarah\Application Data\macromedia
2007-02-08 18:21 -------- d---s---- C:\DOCUME~1\Sarah\Application Data\microsoft
2007-02-08 17:39 -------- d--h----- C:\Program Files\installshield installation information
2007-02-04 03:05 -------- d-------- C:\Program Files\dkz studio
2007-01-08 02:10 -------- d-------- C:\Program Files\sports interactive
2007-01-05 12:36 21840 --a----t- C:\WINDOWS\system32\sintfnt.dll
2007-01-05 12:36 17212 --a----t- C:\WINDOWS\system32\sintf32.dll
2007-01-05 12:36 12067 --a----t- C:\WINDOWS\system32\sintf16.dll
2007-01-04 11:41 -------- d-------- C:\Program Files\winuha
2007-01-03 19:37 -------- d-------- C:\Program Files\7-zip
2007-01-01 13:06 737280 --a------ C:\WINDOWS\iun6002.exe
2006-12-27 23:17 -------- d-------- C:\Program Files\fox
2006-12-27 13:39 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-12-27 13:36 -------- d-------- C:\Program Files\vid_0e8f&pid_0003
2006-12-26 15:08 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-25 20:20 -------- d-------- C:\DOCUME~1\Sarah\Application Data\intervideo
2006-12-21 11:40 -------- d-------- C:\Program Files\ea games
2006-12-15 11:11 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-12-15 11:11 -------- d-------- C:\Program Files\intel
2006-12-15 11:11 -------- d-------- C:\DOCUME~1\Sarah\Application Data\intel
2006-12-07 04:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SRESCAN
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VSMON

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarah.job

********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 1:50:28
C:\ComboFix2.txt ... 07-02-09 13:48

Thanks! :)

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 3 · 2007-02-13T04:06:57+00:00

The thread your link directs to is amazingly helpful ... thanks!
I've downloaded a few of the applications and already Zone Alarm has blocked things trying to access my pc that Norton didnt see ... silly that a free programme works better than the £50 one *rolls eyes*

Happy to help!

I still need to rework my recommendations page and update it a bit, but the basics are still valid.
It is good to have a software firewall (even if you are behind a hardware firewall) such as ZA because, unlike the built-in Windows Firewall, it monitors both incoming and OUTGOING traffic. So, if a baddie somehow makes it onto your machine and then decides to try to "phone home," ZA will pop up and ask if you want to allow it.....
Of course, it will take a few days until ZA "learns" what you want to allow and what you want to block.
I imagine you found their flash tutorial helpful?

Spyware Blaster is my favorite anti-malware tool - it is wicked in its simplicity. It uses zero system resources - just adds what it calls a "kill bit" to the registry for all the bad CLSIDs in its database, thus blocking those nasty ActiveX downloads. Excellent! Just remember to Online Update its DataBase every 10 days or so...

Anyhoo, the logs look OK, except for the following. I do not know what they are:
2007-02-12 01:17 <DIR> d-------- C:\c58930f38af91c528bd17fd98596
2007-02-12 01:11 <DIR> d-------- C:\fdaece98d2545f4a96d51c3c021f
2007-02-12 01:09 <DIR> d-------- C:\e4921abaf5aedb7fbea089a357
2007-02-12 00:39 <DIR> d-------- C:\c564f63a9ea55401b21fe240afe2
2007-02-11 03:00 <DIR> d-------- C:\8e81fadbf7e0f8bf22d93104ad7055
2007-02-10 23:10 <DIR> d-------- C:\7c652e128e8e716b536d907205
2007-02-10 03:32 <DIR> d-------- C:\d6c62d58e7cfc427e8a9c890af9263
2007-02-10 03:00 <DIR> d-------- C:\8d384b3b473eb6b49490036e6b57
2007-02-09 03:31 <DIR> d-------- C:\4d5f43340c34e8b320ae0bdeb970
2007-02-09 03:02 <DIR> d-------- C:\9146e9fb82a2f646cd1c

Are they still on your machine? Can you tell what they are or what is in the folders?

Also, how are things working now? Any issues?

Best :)
PP

Let me know.

zeon 0 Newbie Poster · Answer 4 · 2007-02-14T03:03:28+00:00

It is good to have a software firewall (even if you are behind a hardware firewall) such as ZA because, unlike the built-in Windows Firewall, it monitors both incoming and OUTGOING traffic.

Yeah i noticed it monitored the outgoing too, MUCH better ... and i dont mind the frequent ZA pop ups because at least i know whats coming and going.

I imagine you found their flash tutorial helpful?

Very much so ...again thanks for the reccomendation its a great piece of software.

Spyware Blaster is my favorite anti-malware tool - it is wicked in its simplicity.

It is brilliant, but i did want to ask ... it doesnt seem to be running in the tool bar or anything, is this something that runs in the background?

** Anyhoo, the logs look OK, except for the following. I do not know what they are:**
2007-02-12 01:17 <DIR> d-------- C:\c58930f38af91c528bd17fd98596
2007-02-12 01:11 <DIR> d-------- C:\fdaece98d2545f4a96d51c3c021f
2007-02-12 01:09 <DIR> d-------- C:\e4921abaf5aedb7fbea089a357
2007-02-12 00:39 <DIR> d-------- C:\c564f63a9ea55401b21fe240afe2
2007-02-11 03:00 <DIR> d-------- C:\8e81fadbf7e0f8bf22d93104ad7055
2007-02-10 23:10 <DIR> d-------- C:\7c652e128e8e716b536d907205
2007-02-10 03:32 <DIR> d-------- C:\d6c62d58e7cfc427e8a9c890af9263
2007-02-10 03:00 <DIR> d-------- C:\8d384b3b473eb6b49490036e6b57
2007-02-09 03:31 <DIR> d-------- C:\4d5f43340c34e8b320ae0bdeb970
2007-02-09 03:02 <DIR> d-------- C:\9146e9fb82a2f646cd1c
Are they still on your machine? Can you tell what they are or what is in the folders?

Also, how are things working now? Any issues?

Best :)
PP

I think these files are something to do with a windows update thats gone a bit wrong.
I've tried to update it about 6 or 7 times and it says its done but when i restart its right back there again saying it needs to update!
I even went to the update site and tried to do it through there but its still not working.

The update created a folder in my programme files called MSXML 4.0 which is empty.
The files in my c drive seem to be some sort of log and all begin with MSXML4 ... heres an extract from one of them, i wont post the whole thing as its far too long:

=== Verbose logging started: 09/02/2007  03:31:38  Build type: SHIP UNICODE 3.01.4000.2435  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (20:D0) [03:31:38:781]: Resetting cached policy values
MSI (c) (20:D0) [03:31:38:781]: Machine policy value 'Debug' is 0
MSI (c) (20:D0) [03:31:38:781]: ******* RunEngine:
           ******* Product: c:\4d5f43340c34e8b320ae0bdeb970\msxml.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (20:D0) [03:31:38:781]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (20:D0) [03:31:38:781]: Grabbed execution mutex.
MSI (c) (20:D0) [03:31:38:843]: Cloaking enabled.
MSI (c) (20:D0) [03:31:38:843]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (20:D0) [03:31:38:859]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (68:C8) [03:31:38:875]: Grabbed execution mutex.
MSI (s) (68:80) [03:31:38:875]: Resetting cached policy values
MSI (s) (68:80) [03:31:38:875]: Machine policy value 'Debug' is 0
MSI (s) (68:80) [03:31:38:875]: ******* RunEngine:
           ******* Product: c:\4d5f43340c34e8b320ae0bdeb970\msxml.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (s) (68:80) [03:31:38:875]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (68:80) [03:31:38:875]: End dialog not enabled
MSI (s) (68:80) [03:31:38:875]: Original package ==> c:\4d5f43340c34e8b320ae0bdeb970\msxml.msi
MSI (s) (68:80) [03:31:38:875]: Package we're running from ==> c:\WINDOWS\Installer\1e252b1.msi
MSI (s) (68:80) [03:31:38:890]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (68:80) [03:31:38:890]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (68:80) [03:31:38:890]: MSCOREE not loaded loading copy from system32
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'DisablePatch' is 0
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (68:80) [03:31:38:890]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (68:80) [03:31:38:890]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (68:80) [03:31:38:890]: Transforms are not secure.
MSI (s) (68:80) [03:31:38:890]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=c:\4d5f43340c34e8b320ae0bdeb970 CLIENTUILEVEL=3 CLIENTPROCESSID=2848 
MSI (s) (68:80) [03:31:38:890]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (68:80) [03:31:38:890]: Product Code passed to Engine.Initialize:           '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (68:80) [03:31:38:890]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (68:80) [03:31:38:890]: Product Code from property table after transforms:  '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (68:80) [03:31:38:890]: Product registered: entering maintenance mode
MSI (s) (68:80) [03:31:38:890]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
MSI (s) (68:80) [03:31:38:890]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
MSI (s) (68:80) [03:31:38:890]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (68:80) [03:31:38:890]: Specifed source is not already in a list.
MSI (s) (68:80) [03:31:38:890]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'DisableBrowse' is 0
MSI (s) (68:80) [03:31:38:890]: Machine policy value 'AllowLockdownBrowse' is 0
MSI (s) (68:80) [03:31:38:890]: Adding new sources is allowed.
MSI (s) (68:80) [03:31:38:890]: Package name retrieved from configuration data: 'msxml.msi'
MSI (s) (68:80) [03:31:38:890]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
MSI (s) (68:80) [03:31:38:890]: Note: 1: 2729 
MSI (s) (68:80) [03:31:38:921]: Note: 1: 2729 
MSI (s) (68:80) [03:31:38:921]: Note: 1: 2262 2: AdminProperties 3: -2147287038 
MSI (s) (68:80) [03:31:38:921]: Machine policy value 'DisableMsi' is 0
MSI (s) (68:80) [03:31:38:921]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (68:80) [03:31:38:921]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (68:80) [03:31:38:921]: Product {37477865-A3F1-4772-AD43-AAFC6BCFF99F} is admin assigned: LocalSystem owns the publish key.
MSI (s) (68:80) [03:31:38:921]: Product {37477865-A3F1-4772-AD43-AAFC6BCFF99F} is managed.
MSI (s) (68:80) [03:31:38:921]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'c:\4d5f43340c34e8b320ae0bdeb970'.
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '2848'.
MSI (s) (68:80) [03:31:38:921]: TRANSFORMS property is now: 
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
MSI (s) (68:80) [03:31:38:921]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (68:80) [03:31:38:921]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (68:80) [03:31:38:921]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (68:80) [03:31:38:921]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (68:80) [03:31:38:921]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (68:80) [03:31:38:921]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (68:80) [03:31:38:937]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Desktop
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Templates
MSI (s) (68:80) [03:31:38:953]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
MSI (s) (68:80) [03:31:38:953]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Sarah'.
MSI (s) (68:80) [03:31:38:953]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding Installed property. Its value is '00:00:00'.
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'c:\WINDOWS\Installer\1e252b1.msi'.
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'c:\4d5f43340c34e8b320ae0bdeb970\msxml.msi'.
MSI (s) (68:80) [03:31:38:953]: Note: 1: 2205 2:  3: PatchPackage 
MSI (s) (68:80) [03:31:38:953]: Machine policy value 'DisableRollback' is 0
MSI (s) (68:80) [03:31:38:953]: User policy value 'DisableRollback' is 0
MSI (s) (68:80) [03:31:38:953]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.

I'm not getting the pop ups or redirect on my laptop now ... does this mean its safe to start using things like my online banking again?

I havnt checked my pc again yet ... but i will later on and post in my other thread.

Thanks, Sarah :cheesy:

Let me know.

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 5 · 2007-02-14T04:24:50+00:00

It is brilliant, but i did want to ask ... it doesnt seem to be running in the tool bar or anything, is this something that runs in the background?

That's the great thing about it..... It does not "run," per se. It just places entries in your registry that block known baddies from perpetrating unwanted ActiveX installs. It also blocks other malware threats as well as tracking cookies in this manner. You don't even know it is there..... 'course, you still have to remember to Update the DB! (or set it to auto)
I have a desktop Icon for it - I sometimes use its database to reference baddies.

I think these files are something to do with a windows update thats gone a bit wrong.
I've tried to update it about 6 or 7 times and it says its done but when i restart its right back there again saying it needs to update!
I even went to the update site and tried to do it through there but its still not working.

Thats what I figured.... Are you updating via IE or Firefox?
These errors are a pain to troubleshoot. Is it just this particular update? Are you able to install other "critical updates?"

I'm not getting the pop ups or redirect on my laptop now ... does this mean its safe to start using things like my online banking again?

I think so - I did not see any backdoors or keyloggers and the like in your scanlogs. Though, with the prevalence of rootkits these days, it is harder to tell any more.
But, I think you are OK. :)

I havnt checked my pc again yet ... but i will later on and post in my other thread.

AllRighty then!

Cheers :)
PP