Author Topic: Malware attack  (Read 3228 times)

soL309
Malware attack
« on: July 16, 2006, 12:25:57 AM »
Hi there everyone, I've been searching the internet for a while and finally found a post about a similar problem I've encountered. I don't know much about this thing except that the screen turns black and in the bottom right-hand corner it says "Your Computer is in Danger! Windows Security Center has detected spyware/adware infection! It is strongly recommended to use special antispyware tools to prevent data loss." Also there is a red dot with an X in it in the bottom right-hand corner. I managed to find and delete that problem, so that's not a problem that I know of anymore. I desperately need help as this program is destroying my computer; any help would be greatly appreciated! I scanned my computer with HijackThis and came up with this:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:11 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
C:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo
Malware attack
« Reply #1 on: July 16, 2006, 12:30:26 AM »
It's too hard to read this log with all the spaces.
Can you do a fresh scan and save the logfile with HijackThis?
When the log opens in Notepad,
click FORMAT at the top and uncheck WORD WRAP.
Then copy and paste a fresh log back here, please.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


soL309
Malware attack
« Reply #2 on: July 16, 2006, 01:24:16 AM »
Here ya go :)

Logfile of HijackThis v1.99.1
Scan saved at 10:20:11 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
C:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo
Malware attack
« Reply #3 on: July 16, 2006, 01:36:34 PM »
Let's try and do some cleaning and see how your log looks afterwards

I need you to download a few tools please.
==Download the Killbox by Option^Explicit.
* Save it to a folder or desktop
We will need it later

==Download and install Windows CleanUp! 4.5.2
Don't run a scan yet

CleanUp! attempts to delete files from various temporary directories (including download directories/caches),
as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places,  they will be deleted when CleanUp! is run.
Please move them to a different location before we run this tool if the above is true.
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.

==Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
We will need this later

==Download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido. Do not run it yet.
Save the rest of these instructions to a text file saved to the desktop or somewhere you will remember.
We will need them for use in Safe Mode, without an Internet connection.


Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

=Open Killbox.exe
Copy the path to the file name below and paste it to the Full path of file to delete in Killbox

C:\WINDOWS\system32\ntos.exe
Then click the Red Circle with the White X
Allow to delete the file and make backup

Do the same with the rest of these
Don't worry about any file not found messages
==================================
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe
C:\WINDOWS\system32\aut029.dll
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\system32\2236_27.dll
C:\WINDOWS\system32\lk.dll

=================================
Exit Killbox

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt

If a reboot was required, reboot back to safe mode
If it wasn't required, remain in safe mode

Ewido Scan
  • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan.  This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll

O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe

O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode
Back in Windows

Post back the following please
1. Run Hijackthis again and post back a fresh log
2. Post the whole report from Ewido's
3. Post the report from Smitfraudfix located here>>C:\rapport.txt
Again, ensure that word wrap is unchecked before copying any of the above logs
« Last Edit: July 16, 2006, 03:02:26 PM by guestolo »

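The entries guestolo has the poster fix above share a handful of traits that are worth writing down as rules: a system.ini Shell= or UserInit= value that names a second binary after the expected one; a BHO with no name whose DLL sits in the Windows directory; a Winlogon Notify DLL loaded from outside System32; SSODL handlers that are not the stock XP shell objects (one of them even pointing at an .exe, which cannot be loaded as an in-process COM server); RunServices values (a Windows 9x key that XP does not process, so only legacy installers and malware write it); a bare filename with no directory, resolved through the search path; and file or value names that look machine-generated. The Python script below is an added example, not part of this thread or of HijackThis, that encodes those rules and runs them over lines copied from the second log posted above. The STOCK_SSODL set and the thresholds in looks_random() are my assumptions; the output is a list of candidates for review, not a verdict, and the cross-check against the "Running processes" block tells you which of the flagged files are still loaded and will resist deletion outside Safe Mode.

```python
"""HijackThis v1.99 log triage: map suspicious files to the reasons they were flagged.
Added example for this thread, not HijackThis code.  STOCK_SSODL and the thresholds
in looks_random() are assumptions; every hit is a candidate for review, not a verdict."""
import re
from collections import defaultdict

# Constructed sample: process and autostart lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
"""

ENTRY_RE = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<body>.*)$')          # "O4 - ..."
RUN_RE = re.compile(r'^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
BIN_RE = re.compile(r'[^\\\s"]+\.(?:exe|dll)', re.I)                    # first binary named
PROCESS_RE = re.compile(r'^[a-z]:\\', re.I)                             # "Running processes" line
WINDIR_RE = re.compile(r'^[a-z]:\\windows\\', re.I)
SYSTEM32_RE = re.compile(r'^[a-z]:\\windows\\system32\\[^\\]+$', re.I)
EXPECTED_INI = {'shell': 'explorer.exe', 'userinit': 'userinit.exe'}   # stock XP values
# Assumed: the shell objects a default XP install delay-loads through SSODL.
STOCK_SSODL = {'webcheck.dll', 'stobject.dll', 'shell32.dll', 'upnpui.dll', 'auhook.dll'}


def filename(value):
    """Lower-cased basename of the first .exe/.dll named in a value."""
    m = BIN_RE.search(value)
    return m.group(0).lower() if m else value.strip().lower()


def looks_random(name):
    """Heuristic: odd characters, hex blobs, digit-heavy or vowel-free stems."""
    s = name.rsplit('.', 1)[0].lower()
    if any(ord(c) > 127 or c == '`' for c in s) or re.fullmatch(r'[0-9a-f]{8,}', s):
        return True
    if len(s) >= 4 and sum(c.isdigit() for c in s) / len(s) >= 0.5:
        return True
    letters = [c for c in s if c.isalpha()]
    return len(letters) >= 6 and not any(c in 'aeiouy' for c in letters)


def triage(log_text):
    """Return {filename: [reasons]} for every autostart entry that trips a rule."""
    reasons, running = defaultdict(set), set()
    for raw in log_text.splitlines():
        if PROCESS_RE.match(raw):
            running.add(filename(raw))
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        sec, body = m.group('sec'), m.group('body')
        if sec == 'F2':                                   # system.ini Shell= / UserInit=
            key, _, value = body.partition(': ')[2].partition('=')
            for item in re.findall(r'"[^"]*"|[^,"\s][^,"]*', value):
                if filename(item) != EXPECTED_INI.get(key.lower()):
                    reasons[filename(item)].add(f'extra binary in system.ini {key}')
        elif sec == 'O4' and (r := RUN_RE.match(body)):   # Run / RunServices values
            f = filename(r['cmd'])
            if 'RunServices' in r['key']:
                reasons[f].add('RunServices key (Windows 9x only; XP never runs it)')
            if looks_random(r['name']) or looks_random(f):
                reasons[f].add('machine-generated name')
            if '\\' not in r['cmd']:
                reasons[f].add('bare filename resolved through the search path')
        elif sec in ('O2', 'O21'):                        # "name - {CLSID} - path"
            parts = body.partition(': ')[2].rsplit(' - ', 2)
            if len(parts) != 3:
                continue
            name, _clsid, path = parts
            f = filename(path)
            if sec == 'O2' and name == '(no name)' and WINDIR_RE.match(path):
                reasons[f].add('nameless BHO loaded from the Windows directory')
            if sec == 'O21' and f not in STOCK_SSODL:
                reasons[f].add('SSODL handler that is not a stock XP shell object')
            if sec == 'O21' and f.endswith('.exe'):
                reasons[f].add('SSODL handler is an .exe; in-process COM servers are DLLs')
        elif sec == 'O20':                                # Winlogon Notify: name - path
            path = body.partition(': ')[2].partition(' - ')[2]
            f = filename(path)
            if not SYSTEM32_RE.match(path):
                reasons[f].add('Winlogon Notify DLL outside System32')
            if looks_random(f):
                reasons[f].add('machine-generated name')
    for f in reasons:                                     # cross-check against live processes
        if f in running:
            reasons[f].add('currently running; end it or use Safe Mode before deleting')
    return {f: sorted(r) for f, r in sorted(reasons.items())}


if __name__ == '__main__':
    for f, why in triage(SAMPLE_LOG).items():
        print(f'{f:40} {"; ".join(why)}')
```

Run it as-is to see the table for the sample, or pass a whole HijackThis log to triage() for another machine. Anything it flags should still be checked against the real file on disk before it goes into a Killbox list: the rules are tuned to what this log shows, and a vendor's oddly named helper will trip the name heuristic just as readily as dxvwcmxf.exe does.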


soL309
Malware attack
« Reply #4 on: July 16, 2006, 03:53:41 PM »
I have a small problem, guestolo: when I boot into Safe Mode, none of the programs that you told me to download appear. I try to do a search and run for them, i.e. Run: killbox.exe, but nothing comes up. Do you know why this is, or how I can fix it so the programs show in Safe Mode?

guestolo
Malware attack
« Reply #5 on: July 16, 2006, 04:22:48 PM »
Sign into Safe Mode with the same username you're using now.



soL309
Malware attack
« Reply #6 on: July 16, 2006, 07:39:46 PM »
I just put the programs in my Shared Documents and that seemed to work. Anyway, I followed your steps to the T and here are the reports (before I give you the reports, though, I should show you that there was one thing that could not be deleted via Killbox, that is: C:\WINDOWS\system32\ntos.exe).

Also, I have no control over my desktop wallpaper; when I go into Properties to change it, it is completely frozen.
And my Task Manager is still disabled, saying "Task Manager has been disabled by your Administrator".

Logfile of HijackThis v1.99.1
Scan saved at 5:30:48 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
E:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Ewido Scan Report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   5:11:10 PM 7/16/2006

 + Scan result:   



C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
E:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Cleaned with backup (quarantined).
C:\Program Files\Zango\zangohook.dll -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zango -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\zango -> Adware.Zango : Cleaned with backup (quarantined).
C:\!KillBox\2236_27.dll -> Backdoor.Agent.adr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwaani.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwatoo.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbiqp.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbqlx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdofx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwecdp.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvweqvk.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwfctb.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwgfgn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwguqx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwhwga.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwidqj.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwjdtu.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlaxy.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlplr.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwmmib.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnpsn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnqeq.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwpesn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqjwr.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqqqd.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwtiuk.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwupaa.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwuqmt.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvick.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvnrs.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvtuv.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwxivf.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N85M0906NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERS_0001_N85M0906NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmkhg.exe -> Downloader.ConHook.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nеtdde.exe -> Downloader.PurityScan.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\testtestt.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Hijacker.Agent.dh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D09M0706NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
C:\Program Files\hix\scripts\IPLookup\portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.12 : Ignored.
C:\!KillBox\lk.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\!KillBox\_zskwrkni05chjdrhf`ugibhzuh.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ipod.raw.exe -> Proxy.Lager.aq : Cleaned with backup (quarantined).
[240] C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll -> Trojan.Agent.oh : Error during cleaning.
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D10M2905NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D10M2905NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00008.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.dll -> Trojan.Sinowal.af : Cleaned with backup (quarantined).
C:\!KillBox\ibm00007.exe -> Trojan.Sinowal.v : Cleaned with backup (quarantined).


::Report end




Rapport.txt

SmitFraudFix v2.72

Scan done at 14:11:19.93, Sun 07/16/2006
Run from C:\Documents and Settings\All Users\Documents\SmitfraudFix0
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\2236_27.dll -> Missing File

C:\WINDOWS\system32\2236_27.dll -> Missing File

C:\WINDOWS\system32\lk.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\desktop.html Deleted
C:\WINDOWS\xpupdate.exe Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\kernels8.exe Deleted
C:\WINDOWS\system32\qvxgamet?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Program Files\BraveSentry\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"



»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Malware attack
« Reply #7 on: July 16, 2006, 08:06:20 PM »
I really wanted you to run SmitfraudFix from your user account in safe mode.
Chances are you may have signed in with the default Administrator account.

Do the following, please.
In normal Windows:
Close all browser windows.
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen with results from the cleaning process.
I'll need to see these later; by default they are also saved at C:\rapport.txt.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Along with a fresh Hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
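As an added example (not a tool from this thread, from HijackThis or from Dr.Web), here is a small Python triage pass over lines in the format of the HijackThis logs posted in this thread, the kind of log the helper asks for above. The rules it applies (startup entries launched from user profile data or temp directories, bare file names with no directory, hex-looking 8-character names, unusual characters in a value name, Winlogon Notify DLLs outside system32, extra programs in the UserInit value, components marked "(file missing)") are this example's own heuristics, not HijackThis logic; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not a forum tool).

Every rule below is a heuristic: a flagged entry deserves a second look, it is
not a verdict. Unflagged entries are not cleared either, because the rules only
cover a few persistence locations (O4 Run keys, O20 Winlogon Notify, F2 UserInit).
"""
import re

# Constructed sample: a handful of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")

BINARY_EXT = (".exe", ".dll", ".com", ".scr")
# Directories a startup entry should not normally live in (per-user data, cache, temp).
USER_DATA_DIRS = ("\\local settings\\", "\\application data\\", "\\temp\\")
HEX_STEM = re.compile(r"^[0-9a-f]{8}$")          # names such as d037c73c
SAFE_NAME = re.compile(r"^[A-Za-z0-9_. \-!&]+$")  # what a vendor's value name usually looks like


def first_path(cmd):
    """Pull the launched binary out of a Run-key command line.

    Quoted paths are taken as-is; unquoted ones are rebuilt token by token until
    a token ends in a binary extension, because several entries in these logs
    have unquoted paths with spaces. rundll32 lines resolve to the DLL loaded.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        tokens, path = cmd.split(), cmd
        for i, tok in enumerate(tokens):
            if tok.lower().endswith(BINARY_EXT):
                path = " ".join(tokens[: i + 1])
                break
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        parts = cmd.split(None, 1)
        if len(parts) == 2:
            return first_path(parts[1].split(",")[0])
    return path


def check_run_entry(m):
    """Apply the O4 heuristics to one matched Run-key line; returns (path, reasons)."""
    name, path = m.group("name"), first_path(m.group("cmd"))
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name, no directory: resolved through the search path")
    if any(d in low for d in USER_DATA_DIRS):
        reasons.append("started from a user data/temp directory")
    if HEX_STEM.match(stem):
        reasons.append("hex-looking 8-character file name")
    if not SAFE_NAME.match(name):
        reasons.append("value name contains unusual characters")
    return path, reasons


def triage(log_text):
    """Return [(line, reason), ...] for entries that deserve a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        if line.endswith("(file missing)"):
            findings.append((line, "registered component whose file is missing (orphaned entry)"))
            continue
        m = RUN_RE.match(line)
        if m:
            _, reasons = check_run_entry(m)
            findings.extend((line, r) for r in reasons)
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if "\\system32\\" not in m.group("path").lower():
                findings.append((line, "Winlogon Notify DLL outside system32"))
            continue
        m = USERINIT_RE.match(line)
        if m:
            # UserInit is a comma-separated list; only userinit.exe itself belongs there.
            for entry in m.group("value").split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("\\userinit.exe"):
                    findings.append((line, "extra UserInit program: " + entry))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```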


Offline soL309

  • Newbie
  • Posts: 15
  • Karma: +0/-0
Malware attack
« Reply #8 on: July 16, 2006, 11:16:31 PM »
Alright, I did all of that, woohoo! It's getting much better. Here's the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:06 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and the Dr.Web CureIt report:

d037c73c.exe;C:\!KillBox;Trojan.DownLoader.based;Deleted.;
A0216129.EXE;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1259;Adware.Aws;Incurable.Moved.;
A0221083.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221084.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221085.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221086.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221176.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0221185.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0222194.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0223212.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0224241.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0224308.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0224309.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0224315.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10917;Deleted.;
A0225302.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Alanchum;Deleted.;
A0225303.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225305.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.991;Deleted.;
A0225312.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10595;Deleted.;
A0225316.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225336.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225376.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225377.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225378.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.986;Deleted.;
A0225379.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.986;Deleted.;
A0225381.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;BackDoor.Dsrv;Deleted.;
A0225382.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.6332;Deleted.;
A0225388.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225390.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225391.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225392.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10841;Deleted.;
A0225393.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10842;Deleted.;
A0225398.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Alanchum;Deleted.;
A0225399.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.EmailSpy;Deleted.;
A0225400.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.899;Deleted.;
A0225401.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;BackDoor.Uragan;Deleted.;
A0225402.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10593;Deleted.;
A0225403.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9502;Deleted.;
A0225405.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.8077;Deleted.;
A0225406.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Galapoper;Deleted.;
A0225407.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225415.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225416.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225417.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225419.DLL;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Click.519;Deleted.;
A0225420.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225421.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225422.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225423.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225424.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225425.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225426.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225427.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225428.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225429.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225430.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225431.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225432.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225433.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225434.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225435.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225436.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225437.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225438.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225439.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225440.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225441.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225442.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225443.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225444.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225445.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225446.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225447.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225448.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225449.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Dialer.Silent;Deleted.;
A0225451.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10649;Deleted.;
A0225452.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225453.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225454.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225472.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225521.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225881.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
A0225883.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
A0225893.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10346;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;

Offline guestolo

Malware attack
« Reply #9 on: July 16, 2006, 11:20:58 PM »
Was that the end of the log from Dr. Web?
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;

Can you post anything below it, please, if it wasn't?

Additionally, from below, download and save find.zip to your desktop.
EXTRACT the contents to your desktop.
Double click on find.bat; a text file will open. Copy>>Paste the contents back here, please.
« Last Edit: July 16, 2006, 11:44:23 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline soL309

Malware attack
« Reply #10 on: July 17, 2006, 03:51:18 AM »
Yes, that was all for the Dr.Web CureIt, and find.bat turned up this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Offline guestolo

Malware attack
« Reply #11 on: July 17, 2006, 11:01:27 PM »
Sorry for the delay. Can you do the following, please?

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need it later
Ensure to copy from REGEDIT4 and down in the code box
You will know if you saved it correctly: the icon should look like cubes.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"AtiDisplayDrv"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"AtiDisplayDrv"=-


Open killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy ALL the next bold part:

C:\WINDOWS\system32\ntos.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\System32\atidrvxx.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,
Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll


After you have ticked the above entries, close All other open windows
INCLUDING THIS ONE
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on fix.reg and allow it to add/merge to the registry at the prompt.

Reboot the computer one more time

Come back here and post a fresh hijackthis log
Also, double click on find.bat again and post the text file that opens



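As an added example (my code, not guestolo's and not part of the thread), here is a Python script that does by machine what the helper did by eye: it parses Regedit exports like the find.bat output, merges the fix.reg above the way regedit would ("name"=- deletes a value), and diffs the Lsa and Ole keys before and after. The sample snapshot is a constructed, cut-down excerpt using the values seen in the thread, and the rule that no string value under Lsa or Ole should name an .exe is my own heuristic, not something the thread states.

```python
# Added example (not from the thread): parse Regedit exports such as the find.bat
# output, merge a fix.reg the way regedit would, and diff two snapshots.
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
HEX_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}


def decode_value(data):
    """Turn the right-hand side of a "name"=data line into (type, value)."""
    if data == "-":                       # fix.reg syntax: delete this value
        return ("DELETE", None)
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
    m = re.match(r"(hex(?:\(\d+\))?):(.*)", data)
    if m:
        kind = HEX_TYPES.get(m.group(1), m.group(1))
        raw = bytes(int(b.strip(), 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("REG_MULTI_SZ", "REG_EXPAND_SZ"):   # UTF-16LE, NUL separated
            parts = [s for s in raw.decode("utf-16-le", "replace").split("\x00") if s]
            return (kind, parts if kind == "REG_MULTI_SZ" else "".join(parts[:1]))
        return (kind, raw.hex())
    return ("UNKNOWN", data)


def parse_reg(text):
    """Return {key: {value_name: (type, value)}} for a REGEDIT4/5.00 export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def apply_fix(keys, fix_text):
    """Simulate merging a fix.reg: '=-' removes a value, anything else sets it."""
    result = {k: dict(v) for k, v in keys.items()}
    for key, values in parse_reg(fix_text).items():
        target = result.setdefault(key, {})
        for name, (kind, val) in values.items():
            if kind == "DELETE":
                target.pop(name, None)
            else:
                target[name] = (kind, val)
    return result


def diff_keys(before, after):
    """Changed values as (key, name, old, new); None means the value is absent."""
    out = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                out.append((key, name, b.get(name), a.get(name)))
    return out


def exe_values(keys):
    """Heuristic (my assumption, not from the thread): the Lsa and Ole keys hold
    settings and package lists, never the name of a program, so a string value
    ending in .exe under either of them is a likely persistence entry."""
    return [(key, name, val) for key in (LSA, OLE)
            for name, (kind, val) in keys.get(key, {}).items()
            if kind == "REG_SZ" and val.lower().endswith(".exe")]


# Constructed, cut-down snapshot using the values seen in the thread's find.bat output.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"restrictanonymous"=dword:00000001
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"AtiDisplayDrv"="atidrvxx.exe"
'''

# The fix.reg from the helper's instructions, as the user was told to save it.
FIX = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"AtiDisplayDrv"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"AtiDisplayDrv"=-
'''

if __name__ == "__main__":
    before = parse_reg(BEFORE)
    for key, name, val in exe_values(before):
        print(f"suspicious: [{key}] {name} = {val}")
    after = apply_fix(before, FIX)
    for key, name, old, new in diff_keys(before, after):
        print(f"changed: [{key}] {name}: {old} -> {new}")
```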
Offline soL309

Malware attack
« Reply #12 on: July 18, 2006, 02:30:43 PM »
Here goes! :)

Logfile of HijackThis v1.99.1
Scan saved at 12:27:51 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Find.bat

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Offline guestolo

Malware attack
« Reply #13 on: July 18, 2006, 08:18:24 PM »
I like what I'm seeing
I'm also noting the latter part of find.bat

Did you uninstall Spybot 1.4?
Do you have Ad-Aware SE Personal 1.06?
Do you have any anti-virus software to install?
If not, I have free AVs for you. DO NOT be without one!!

Let me know the above, then we'll do a final cleanup



Offline soL309

Malware attack
« Reply #14 on: July 20, 2006, 01:57:11 AM »
Well, I HAD Ad-Aware, but every time I used it, it would freeze, so I don't know what that was about; could've been because of all that virus junk on my computer. I don't have Spybot 1.4 or any anti-virus stuff, I'm such a LOSER. You're a LIFE saver, guestolo, you have no clue!

Offline guestolo

Malware attack
« Reply #15 on: July 20, 2006, 09:10:00 PM »
Try Ad-Aware again; it may hesitate when checking a few spots,
but give it time.
Here's a link:
Ad-Aware SE Personal 1.06
Remember to update before running a scan.

Post back and let me know if it ran or if it gave you errors.
If it won't finish in Normal mode, try it in Safe Mode.

I just want to do some last final cleanup.
« Last Edit: July 20, 2006, 09:12:05 PM by guestolo »



soL309
Malware attack
« Reply #16 on: July 24, 2006, 06:05:10 PM »
Hey there, sorry that took so long; I've been at my new job, 11-hour days, 6 days a week, it's a killer! I'll get the scan back to you when it's finished! ^^

soL309
Malware attack
« Reply #17 on: July 24, 2006, 06:42:12 PM »
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, July 24, 2006 4:05:50 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R116 24.07.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):6 total references
CoolWebSearch(TAC index:10):9 total references
MRU List(TAC index:0):29 total references
Tracking Cookie(TAC index:3):17 total references
Win32.Trojan.Downloader(TAC index:10):5 total references
Zango(TAC index:6):31 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-24-2006 4:05:50 PM - Scan started. (Full System Scan)

 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Grem Fox\Application Data\microsoft\office\recent
    Description        : list of recently opened documents using microsoft office


 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Grem Fox\recent
    Description        : list of recently opened documents


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\google\navclient\1.1\history
    Description        : list of recently used search terms in the google toolbar


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\mediaplayer\preferences
    Description        : last playlist index loaded in microsoft windows media player


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\mediaplayer\preferences
    Description        : last playlist loaded in microsoft windows media player


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\microsoft management console\recent file list
    Description        : list of recent snap-ins used in the microsoft management console


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
    Description        : list of recent documents saved by microsoft word


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\search assistant\acmru
    Description        : list of recent search terms used with the search assistant


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description        : list of files recently opened using microsoft paint


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\applets\regedit
    Description        : last key accessed using the microsoft registry editor


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\runmru
    Description        : mru list for items opened in start | run


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\nico mak computing\winzip\filemenu
    Description        : winzip recently used archives


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent skins in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent clips in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : last login time in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\winrar\dialogedithistory\extrpath
    Description        : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 592
    ThreadCreationTime : 7-24-2006 6:58:23 PM
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 640
    ThreadCreationTime : 7-24-2006 6:58:27 PM
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 664
    ThreadCreationTime : 7-24-2006 6:58:28 PM
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 708
    ThreadCreationTime : 7-24-2006 6:58:32 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 720
    ThreadCreationTime : 7-24-2006 6:58:32 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 892
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 976
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:8 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1076
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:9 [smc.exe]
    FilePath           : E:\Program Files\Sygate\SPF\
    ProcessID          : 1248
    ThreadCreationTime : 7-24-2006 6:58:34 PM
    BasePriority       : Normal
    FileVersion        : 5.6.00.2808
    ProductVersion     : 5.6.00.2808
    ProductName        : Sygate® Security Agent and Personal Firewall
    CompanyName        : Sygate Technologies, Inc.
    FileDescription    : Sygate Agent Firewall
    InternalName       : Smc
    LegalCopyright     : Copyright ©  1999 - 2004 Sygate Technologies, Inc. All rights reserved.
    OriginalFilename   : Smc.EXE

#:10 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1272
    ThreadCreationTime : 7-24-2006 6:58:37 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:11 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1356
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:12 [lexbces.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1496
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LexBce Service
    InternalName       : LexBce Service
    LegalCopyright     : © 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LexBceS.exe

#:13 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1520
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion     : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:14 [lexpps.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1532
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LEXPPS.EXE
    InternalName       : LEXPPS
    LegalCopyright     : © 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LEXPPS.EXE
    Comments           : MarkVision for Windows '95 New P2P Server  (32-bit)

#:15 [devldr32.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1848
    ThreadCreationTime : 7-24-2006 6:58:41 PM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 22
    ProductVersion     : 1, 0, 0, 22
    ProductName        : Creative Ring3 NT Inteface
    CompanyName        : Creative Technology Ltd.
    FileDescription    : DevLdr32
    InternalName       : DevLdr
    LegalCopyright     : Copyright © 1997-2001 Creative Technology Ltd.
    OriginalFilename   : DevLdr32.exe

#:16 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 1904
    ThreadCreationTime : 7-24-2006 6:58:41 PM
    BasePriority       : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:17 [hpwuschd2.exe]
    FilePath           : C:\Program Files\HP\HP Software Update\
    ProcessID          : 148
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 53.0.13.000
    ProductVersion     : 053.000.013.000
    ProductName        : hp digital imaging - hp all-in-one series
    CompanyName        : Hewlett-Packard Co.
    FileDescription    : Hewlett-Packard Product Assistant
    InternalName       : hpwuSchd2
    LegalCopyright     : Copyright © Hewlett-Packard Co. 1995-2004
    OriginalFilename   : hpwuSchd2.exe
    Comments           : Hewlett-Packard Product Assistant

#:18 [aolsoftware.exe]
    FilePath           : C:\Program Files\Common Files\AOL\1128695648\ee\
    ProcessID          : 168
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.4.16.3
    ProductVersion     : 1.4.16.3
    ProductName        : AOL Service Libraries
    CompanyName        : America Online, Inc.
    FileDescription    : AOL
    InternalName       : AOLSoftware
    LegalCopyright     : © 2006 America Online, Inc.
    OriginalFilename   : AOLSoftware.exe

#:19 [lgdcore.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\
    ProcessID          : 176
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series Profiler
    InternalName       : LGDCore
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LGDCore.exe
    Comments           : Created by Interactive Entertainment.

#:20 [lcdmon.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\
    ProcessID          : 164
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series LCD Monitor
    InternalName       : LCDMon
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDMon.exe
    Comments           : Created by Interactive Entertainment.

#:21 [realsched.exe]
    FilePath           : C:\Program Files\Common Files\Real\Update_OB\
    ProcessID          : 184
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 0.1.0.3510
    ProductVersion     : 0.1.0.3510
    ProductName        : RealPlayer (32-bit)
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName       : schedapp
    LegalCopyright     : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks    : RealAudio(tm) is a trademark of RealNetworks, Inc.
    OriginalFilename   : realsched.exe

#:22 [ituneshelper.exe]
    FilePath           : E:\Program Files\iTunes\
    ProcessID          : 212
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 6.0.4.2
    ProductVersion     : 6.0.4.2
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iTunesHelper Module
    InternalName       : iTunesHelper
    LegalCopyright     : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename   : iTunesHelper.exe

#:23 [ares.exe]
    FilePath           : C:\Program Files\Ares\
    ProcessID          : 224
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 1.9.2.3011
    ProductVersion     : 1.9
    ProductName        : Ares for windows
    CompanyName        : Ares Development Group
    FileDescription    : Ares
    InternalName       : Ares
    OriginalFilename   : ARES.EXE
    Comments           : http://aresgalaxy.sourceforge.net

#:24 [lcdclock.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\Applets\
    ProcessID          : 284
    ThreadCreationTime : 7-24-2006 6:58:44 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series LCD Clock
    InternalName       : LCDClock
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDClock.exe
    Comments           : Created by Interactive Entertainment.

#:25 [lcdmedia.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\Applets\
    ProcessID          : 304
    ThreadCreationTime : 7-24-2006 6:58:44 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series Media Display
    InternalName       : LCDMedia
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDMedia.exe
    Comments           : Created by Interactive Entertainment.

#:26 [cisvc.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 988
    ThreadCreationTime : 7-24-2006 6:58:47 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Content Index service
    InternalName       : cisvc.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : cisvc.exe

#:27 [ctsvccda.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1036
    ThreadCreationTime : 7-24-2006 6:58:47 PM
    BasePriority       : Normal
    FileVersion        : 1.0.1.0
    ProductVersion     : 1.0.0.0
    ProductName        : Creative Service for CDROM Access
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName       : CTsvcCDAEXE
    LegalCopyright     : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    OriginalFilename   : CTsvcCDA.EXE

#:28 [guard.exe]
    FilePath           : C:\Program Files\ewido anti-spyware 4.0\
    ProcessID          : 1072
    ThreadCreationTime : 7-24-2006 6:58:50 PM
    BasePriority       : Normal
    FileVersion        : 4, 0, 0, 172
    ProductVersion     : 4, 0, 0, 172
    ProductName        : ewido anti-spyware
    CompanyName        : Anti-Malware Development a.s.
    FileDescription    : ewido anti-spyware guard
    InternalName       : ewido anti-spywareguard
    LegalCopyright     : Copyright © 2005 Anti-Malware Development a.s.
    OriginalFilename   : guard.exe

#:29 [nprotect.exe]
    FilePath           : C:\Program Files\Norton AntiVirus\AdvTools\
    ProcessID          : 1208
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 16.00.0.22
    ProductVersion     : 16.00.0.22
    ProductName        : Norton Utilities
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Protection Status
    InternalName       : NPROTECT
    LegalCopyright     : Copyright © 2003 Symantec Corporation
    LegalTrademarks    : Norton Utilities
    OriginalFilename   : NPROTECT.EXE

#:30 [nvsvc32.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1280
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 6.14.10.7610
    ProductVersion     : 6.14.10.7610
    ProductName        : NVIDIA Driver Helper Service, Version 76.10
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 76.10
    InternalName       : NVSVC
    LegalCopyright     : © NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:31 [hpzipm12.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1336
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 9, 0, 0, 0
    ProductVersion     : 9, 0, 0, 0
    ProductName        : HP PML
    CompanyName        : HP
    FileDescription    : PML Driver
    InternalName       : PmlDrv
    LegalCopyright     : Copyright © 1998, 1999 Hewlett-Packard Company
    OriginalFilename   : PmlDrv.exe

#:32 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1676
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:33 [wdfmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1796
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 5.2.3790.1230 built by: dnsrv(bld4act)
    ProductVersion     : 5.2.3790.1230
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows User Mode Driver Manager
    InternalName       : WdfMgr
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : WdfMgr.exe

#:34 [mspmspsv.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1944
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 7.00.00.1954
    ProductVersion     : 7.00.00.1954
    ProductName        : Microsoft ® DRM
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName       : MSPMSPSV.EXE
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : MSPMSPSV.EXE

#:35 [ipodservice.exe]
    FilePath           : E:\Program Files\iPod\bin\
    ProcessID          : 2216
    ThreadCreationTime : 7-24-2006 6:58:56 PM
    BasePriority       : Normal
    FileVersion        : 6.0.4.2
    ProductVersion     : 6.0.4.2
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iPodService Module
    InternalName       : iPodService
    LegalCopyright     : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename   : iPodService.exe

#:36 [wmiprvse.exe]
    FilePath           : C:\WINDOWS\System32\wbem\
    ProcessID          : 2344
    ThreadCreationTime : 7-24-2006 6:58:57 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WMI
    InternalName       : Wmiprvse.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : Wmiprvse.exe

#:37 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 3472
    ThreadCreationTime : 7-24-2006 6:59:03 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:38 [cidaemon.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3408
    ThreadCreationTime : 7-24-2006 7:06:01 PM
    BasePriority       : Idle
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Indexing Service filter daemon
    InternalName       : cidaemon.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : cidaemon.exe

#:39 [aim6.exe]
    FilePath           : c:\program files\common files\aol\1128695648\ee\
    ProcessID          : 2764
    ThreadCreationTime : 7-24-2006 8:01:25 PM
    BasePriority       : Normal
    FileVersion        : 1.4.9.1
    ProductVersion     : 1.4.9.1
    ProductName        : AOL Service Libraries
    CompanyName        : America Online, Inc.
    FileDescription    : AIM
    InternalName       : AOLSoftware
    LegalCopyright     : © 2005 America Online, Inc.
    OriginalFilename   : AOLSoftware.exe

#:40 [firefox.exe]
    FilePath           : C:\Program Files\Mozilla Firefox\
    ProcessID          : 3184
    ThreadCreationTime : 7-24-2006 11:03:32 PM
    BasePriority       : Normal


#:41 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 1156
    ThreadCreationTime : 7-24-2006 11:04:18 PM
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{2b0eceac-f597-4858-a542-d966b49055b9}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{6c092742-10fe-4db2-988d-fc71948de70c}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{7fa8976f-d00c-4e98-8729-a66569233fb5}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{8be3faba-7468-4851-b97c-0750af2b908e}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : zangohook.sabho

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : zangohook.sabho.1

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{51cf80dc-a309-4735-bb11-ef18bf4e3ad9}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{e43dfaa6-8c16-4519-b022-8792408505a4}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : last_conn_l

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : we

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : cdata

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : TimeOffset

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : recent_shown

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : key_int_high

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : key_int_low

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : geourl_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : geourl_last_full_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : actionurl_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : actionurl_last_full_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : keyword_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : keyword_last_full_version

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            : "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
    Value              : {3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 31
Objects found so far: 60


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 60


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-16-2006 12:48:40 PM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 12-30-2037 9:00:00 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@live365[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:51
    Value              : Cookie:grem [email protected]/
    Expires            : 7-21-2011 1:52:42 AM
    LastSync           : Hits:51
    UseCount           : 0
    Hits               : 51

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@fastclick[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:grem [email protected]/
    Expires            : 7-15-2008 11:44:32 AM
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@atdmt[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:13
    Value              : Cookie:grem [email protected]/
    Expires            : 7-16-2011 5:00:00 PM
    LastSync           : Hits:13
    UseCount           : 0
    Hits               : 13

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:4
    Value              : Cookie:grem [email protected]/
    Expires            : 12-31-2009 5:00:00 PM
    LastSync           : Hits:4
    UseCount           : 0
    Hits               : 4

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@realmedia[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:36:50 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@2o7[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:329
    Value              : Cookie:grem [email protected]/
    Expires            : 7-23-2011 3:32:26 PM
    LastSync           : Hits:329
    UseCount           : 0
    Hits               : 329

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@doubleclick[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:50
    Value              : Cookie:grem [email protected]/
    Expires            : 7-15-2009 5:30:12 PM
    LastSync           : Hits:50
    UseCount           : 0
    Hits               : 50

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@advertising[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1022
    Value              : Cookie:grem [email protected]/
    Expires            : 7-23-2011 3:32:30 PM
    LastSync           : Hits:1022
    UseCount           : 0
    Hits               : 1022

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@zedo[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:17
    Value              : Cookie:grem [email protected]/
    Expires            : 7-17-2016 1:39:34 AM
    LastSync           : Hits:17
    UseCount           : 0
    Hits               : 17

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@hitbox[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:37:44 AM
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:37:44 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@mediaplex[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:8
    Value              : Cookie:grem [email protected]/
    Expires            : 6-21-2009 5:00:00 PM
    LastSync           : Hits:8
    UseCount           : 0
    Hits               : 8

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@questionmarket[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:13
    Value              : Cookie:grem [email protected]/
    Expires            : 9-3-2006 4:15:04 PM
    LastSync           : Hits:13
    UseCount           : 0
    Hits               : 13

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@serving-sys[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:4
    Value              : Cookie:grem [email protected]/
    Expires            : 12-31-2037 3:00:00 PM
    LastSync           : Hits:4
    UseCount           : 0
    Hits               : 4

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@casalemedia[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:9
    Value              : Cookie:grem [email protected]/
    Expires            : 7-7-2007 1:58:16 PM
    LastSync           : Hits:9
    UseCount           : 0
    Hits               : 9

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 17
Objects found so far: 77



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Zango Object Recognized!
    Type               : File
    Data               : A0224308.exe
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8, 0, 63, 0
    ProductVersion     : 8, 0, 63, 0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    LegalCopyright     : Copyright © 2005, 180solutions Inc.


 Zango Object Recognized!
    Type               : File
    Data               : A0224309.dll
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8.5.63.0
    ProductVersion     : 8.5.63.0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    InternalName       : ClientHook
    LegalCopyright     : Copyright © 2005, 180solutions Inc.
    OriginalFilename   : ClientHook.dll


 Zango Object Recognized!
    Type               : File
    Data               : A0225303.exe
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8, 0, 63, 0
    ProductVersion     : 8, 0, 63, 0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    LegalCopyright     : Copyright © 2005, 180solutions Inc.


 Zango Object Recognized!
    Type               : File
    Data               : A0225454.dll
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8.5.63.0
    ProductVersion     : 8.5.63.0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    InternalName       : ClientHook
    LegalCopyright     : Copyright © 2005, 180solutions Inc.
    OriginalFilename   : ClientHook.dll


 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Data               : A0225409.dll
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
33 entries scanned.
New critical objects:0
Objects found so far: 82




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : lmgr180.wmdrmax

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clientax.zangoclientax

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clientax.zangoclientax.1

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\inprocserver32

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\inprocserver32
    Value              : ThreadingModel

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\downloadmanager

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\urlsearchhooks

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : system\currentcontrolset\enum\root\legacy_zesoft

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\main
    Value              : Use Custom Search URL

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\main
    Value              : Enable Browser Extensions

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\media
    Value              : GUID

 Win32.Trojan.Downloader Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\windows\currentversion\policies\activedesktop

 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Data               : winsub.xml
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\system32\



 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Dat

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Malware attack
« Reply #18 on: July 24, 2006, 06:55:01 PM »
I wasn't really wanting to see the Ad-Aware log, but since you posted it
I assume it ran well
Looks like Ad-Aware got some leftovers cleaned :)

Could you post the bottom part of the log
After this entry


 Win32.Trojan.Downloader Object Recognized!
Type : File
Dat

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline soL309

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
Malware attack
« Reply #19 on: July 26, 2006, 09:13:14 PM »
I definitely did not save the logfile! I'm sorry :( What should I do?