Author Topic: Infected - Please Help (Read 2323 times)

godzilly · « **on:** December 20, 2006, 12:21:25 PM »

I've picked up what I think is a virus combo - dell laptop running Win 2000 Pro

Both Zonealarm firewall and Spybot S&D have been giving popups about

1.exe
1.ini
2.exe
4.exe
5.exe
8.exe
9.exe
rund1132.exe
z2ts.dll

Spyware Doctor found C:\WINNT\Temp\Zt2\SVCHOST.exe

I've run a couple of Kaspersky On-line scans
and found Trojan-PSW.Win32.OnLineGames and Infostealer on different scans as files get created and deleted

My corporate anti-virus is Symantec and it is finding nothing

Any help would be greatly appreciated

HJT log is attached

[attachment=2166:hijackthis.txt]

Santa Owns · « **Reply #1 on:** December 20, 2006, 06:53:01 PM »

if you dont need anything on it reformat it

start in MS-DOS Mode

then type

c:/ format s

then theres no turning back

guestolo · « **Reply #2 on:** December 20, 2006, 08:22:47 PM »

Download this file - Combofix.exe and save it too desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from combofix, if you get an Internal error message trying to post the log
If you can't copy>>paste the log to a reply, can you upload combofix.txt as an attachment please

godzilly · « **Reply #3 on:** December 21, 2006, 01:37:11 AM »

guestolo, I think I prefer your option

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Attached is combofix log

I'm also attaching the log from the Kaspersky On line scan

Thanks

[attachment=2176:ComboFix.txt]

[attachment=2177:kaspersky.txt]

guestolo · « **Reply #4 on:** December 22, 2006, 12:45:05 AM »

Bump, I haven't forgot about this topic, I'll get back to you real quick, sorry about the delay
Tis the holiday season

guestolo · « **Reply #5 on:** December 23, 2006, 12:42:54 PM »

Sorry about the delay
Can you do the following please

You have a few antispyware programs that realtime protections will interfere with any fixes we try
Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot

Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

After the above is done, reboot your computer

Back in Windows

Download [color=\"#FF0000\"]ATF-Cleaner[/color] by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download The Avenger.zip by Swandog46 to your Desktop.

* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop

Copy ALL the text contained in [color=\"#0000FF\"]blue[/color] below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard,
=============================================================
[color=\"#0000FF\"]
files to delete:
C:\Program Files\Eset\rund1132.exe

Registry values to delete:
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | avptask
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | myZt2
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks |
{1A404685-7563-4d02-B0F6-58B308A406A9}
[/color]

==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the [color=\"#00FF00\"]Green Light[/color] to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Can you delete your version of Combofix.exe
Also delete the next folder if found
C:\sUBs and the file
C:\Combofix.txt
I'm going to have you run a different copy later

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log

You shouldn't have a problem now posting logs into a reply without attaching them

After you post the above 2 new logs
Can you also do the following
Download this version of [color=\"#0000FF\"]Combofix[/color]
to your desktop
Don't run it yet

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account

Run combofix again while in safe mode with the version you just downloaded
After it has completed
Reboot back to Normal windows and post the log from Combofix
C:\Combofix.txt

godzilly · « **Reply #6 on:** December 23, 2006, 11:48:11 PM »

guestolo

A couple of things:

1: Microsoft anti-spyware was out of date so I could not do anythinh except uninstall it - which I did

2: When I log in normally I log in with an ID on my company's domain. In safe mode i had to log in as a user on the local machine. I hope this doesn't make any difference.

Thanks for all your help

Here are the various logs:

DR_WEB.csv

mona.exe;D:\Documents and Settings\murphyb\My Documents\OLD_01\userdata\eudora;Joke.Mona;Incurable.Deleted.;

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:28:02 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cognos\ca1\bin\cfsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
D:\Program Files\stunnel\stunnel-4.04.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Documents and Settings\murphyb\Desktop\DOWNLOADS\Hi-Jack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AcronisÂ TrueÂ Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: STunnel to AIS.lnk = D:\Program Files\stunnel\stunnel-4.04.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://pfs-nas2/appxtender/client/IrcViewer.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {130F89DC-B772-4E02-AEFA-1BDDD8BD4E96} -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://finance.ucsfmedicalcenter.org/ScriptX2/ScriptX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124309989189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134580203611
O16 - DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} -
O16 - DPF: {816FE240-8F3B-460F-AA99-C53CC193807D} (CompositeView Control) - http://pfs-nas1/WX/Client/IrcViewer.cab
O16 - DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} (Interactive Client Result Set Control) - http://pfs-nas2/appxtender/client/IrcResultSet.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {976C8ADC-0CEE-4440-9963-EA0199468D34} (Interactive Client Result Set Control) - http://pfs-nas1/WX/Client/IrcResultSet.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hbscorp.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cognos Finance Service (Cognos Finance) - Cognos - C:\Program Files\Cognos\ca1\bin\cfsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cognos Ticket Server (DSTicketSrv) - Cognos Inc - C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

COMBOFIX LOG

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEMDATA
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\USERDATA
C:\Documents and Settings\brian\My Documents\mc-*-*.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\-20*.lnk
C:\Documents and Settings\brian\Xinstall.exe
C:\WINNT\system32\.exe
C:\Documents and Settings\brian\..\dapcon1.2.ini
C:\WINNT\system32\.exe
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\Downloaded Program Files\WebEx

((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))

2006-12-23   12:06   669   --a------   C:\backup.reg
2006-12-23   12:06   669   --a------   C:\backup.reg
2006-12-23   12:06   <DIR>   d--------   C:\avenger
2006-12-23   12:06   <DIR>   d--------   C:\avenger
2006-12-23   11:59   126,976   --a------   C:\zip.exe
2006-12-23   11:59   126,976   --a------   C:\zip.exe
2006-12-23   11:56   662   --a------   C:\avexport.bat
2006-12-23   11:56   662   --a------   C:\avexport.bat
2006-12-23   11:38   <DIR>   d-ahs----   C:\Config.Msi
2006-12-23   11:38   <DIR>   d-ahs----   C:\Config.Msi
2006-12-20   22:53   <DIR>   d--------   C:\WINNT\KB921883
2006-12-15   09:20   51,072   --a------   C:\WINNT\system32\drivers\ikhlayer.sys
2006-12-15   09:20   30,592   --a------   C:\WINNT\system32\drivers\ikhfile.sys
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-13   14:46   <DIR>   d--------   C:\WINNT\system32\Kaspersky Lab
2006-12-08   10:58   <DIR>   d--------   C:\WINNT\interl
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-23 19:31    --------   d--------   C:\Program Files\Symantec AntiVirus
2006-12-23 19:31    --------   d--------   C:\Program Files\Symantec AntiVirus
2006-12-23 11:38    --------   d--------   C:\Program Files\Microsoft AntiSpyware
2006-12-23 11:38    --------   d--------   C:\Program Files\Microsoft AntiSpyware
2006-12-22 12:13    --------   d-a------   C:\Program Files\Common Files\System
2006-12-20 08:31    --------   d-a------   C:\Program Files\Common Files\Symantec Shared
2006-12-15 09:15    --------   d--------   C:\Program Files\Yahoo!
2006-12-15 09:15    --------   d--------   C:\Program Files\Yahoo!
2006-12-14 10:30    --------   d--------   C:\Program Files\QuickTime
2006-12-14 10:30    --------   d--------   C:\Program Files\QuickTime
2006-11-28 06:40    --------   d--------   C:\Program Files\Macromedia
2006-11-28 06:40    --------   d--------   C:\Program Files\Macromedia
2006-11-28 06:40    --------   d--------   C:\Program Files\Common Files
2006-11-28 06:40    --------   d--------   C:\Program Files\Common Files
2006-11-28 06:38    --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-11-28 06:38    --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-11-28 06:38    --------   d--------   C:\Program Files\Common Files\Adaptec Shared
2006-11-02 13:23    --------   d--------   C:\Program Files\SQL Navigator 5
2006-11-02 13:23    --------   d--------   C:\Program Files\SQL Navigator 5
2006-10-23 08:00    --------   d-a------   C:\Program Files\Adobe
2006-10-23 08:00    --------   d-a------   C:\Program Files\Adobe
2006-10-23 07:59    --------   d-a------   C:\Program Files\Common Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ACUMon"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"AcronisÂ TrueÂ Image Monitor"="D:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe"
"Acronis Scheduler2 Service"="C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
"FinePrint Dispatcher v4"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\fpdisp4.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"AnyDVD"="D:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"nodrivetypeautorun"=dword:000000ff

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EFS
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\$~$Sys0$.job
C:\WINNT\tasks\$~$Sys1$.job

Completion time: Sat 2006-12-23 19:58:17.26
C:\combofix.txt ... 06-12-23 19:58
C:\ComboFix2.txt ... 06-12-20 22:26

godzilly · « **Reply #7 on:** December 23, 2006, 11:52:13 PM »

guestolo

A couple of things:

1: Microsoft anti-spyware was out of date so I could not do anythinh except uninstall it - which I did

2: When I log in normally I log in with an ID on my company's domain. In safe mode i had to log in as a user on the local machine. I hope this doesn't make any difference.

Thanks for all your help

Here are the various logs:

DR_WEB.csv

mona.exe;D:\Documents and Settings\murphyb\My Documents\OLD_01\userdata\eudora;Joke.Mona;Incurable.Deleted.;

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:28:02 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cognos\ca1\bin\cfsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
D:\Program Files\stunnel\stunnel-4.04.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Documents and Settings\murphyb\Desktop\DOWNLOADS\Hi-Jack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AcronisÂ TrueÂ Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: STunnel to AIS.lnk = D:\Program Files\stunnel\stunnel-4.04.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://pfs-nas2/appxtender/client/IrcViewer.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {130F89DC-B772-4E02-AEFA-1BDDD8BD4E96} -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://finance.ucsfmedicalcenter.org/ScriptX2/ScriptX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124309989189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134580203611
O16 - DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} -
O16 - DPF: {816FE240-8F3B-460F-AA99-C53CC193807D} (CompositeView Control) - http://pfs-nas1/WX/Client/IrcViewer.cab
O16 - DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} (Interactive Client Result Set Control) - http://pfs-nas2/appxtender/client/IrcResultSet.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {976C8ADC-0CEE-4440-9963-EA0199468D34} (Interactive Client Result Set Control) - http://pfs-nas1/WX/Client/IrcResultSet.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hbscorp.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cognos Finance Service (Cognos Finance) - Cognos - C:\Program Files\Cognos\ca1\bin\cfsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cognos Ticket Server (DSTicketSrv) - Cognos Inc - C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

COMBOFIX LOG

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEMDATA
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\USERDATA
C:\Documents and Settings\brian\My Documents\mc-*-*.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\-20*.lnk
C:\Documents and Settings\brian\Xinstall.exe
C:\WINNT\system32\.exe
C:\Documents and Settings\brian\..\dapcon1.2.ini
C:\WINNT\system32\.exe
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\Downloaded Program Files\WebEx

((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))

2006-12-23   12:06   669   --a------   C:\backup.reg
2006-12-23   12:06   669   --a------   C:\backup.reg
2006-12-23   12:06   <DIR>   d--------   C:\avenger
2006-12-23   12:06   <DIR>   d--------   C:\avenger
2006-12-23   11:59   126,976   --a------   C:\zip.exe
2006-12-23   11:59   126,976   --a------   C:\zip.exe
2006-12-23   11:56   662   --a------   C:\avexport.bat
2006-12-23   11:56   662   --a------   C:\avexport.bat
2006-12-23   11:38   <DIR>   d-ahs----   C:\Config.Msi
2006-12-23   11:38   <DIR>   d-ahs----   C:\Config.Msi
2006-12-20   22:53   <DIR>   d--------   C:\WINNT\KB921883
2006-12-15   09:20   51,072   --a------   C:\WINNT\system32\drivers\ikhlayer.sys
2006-12-15   09:20   30,592   --a------   C:\WINNT\system32\drivers\ikhfile.sys
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-15   09:20   <DIR>   d-a------   C:\Program Files\Spyware Doctor
2006-12-13   14:46   <DIR>   d--------   C:\WINNT\system32\Kaspersky Lab
2006-12-08   10:58   <DIR>   d--------   C:\WINNT\interl
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-08   10:52   <DIR>   d--------   C:\Program Files\Eset
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6
2006-12-04   09:13   <DIR>   d--------   C:\Program Files\SPORT6

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-23 19:31    --------   d--------   C:\Program Files\Symantec AntiVirus
2006-12-23 19:31    --------   d--------   C:\Program Files\Symantec AntiVirus
2006-12-23 11:38    --------   d--------   C:\Program Files\Microsoft AntiSpyware
2006-12-23 11:38    --------   d--------   C:\Program Files\Microsoft AntiSpyware
2006-12-22 12:13    --------   d-a------   C:\Program Files\Common Files\System
2006-12-20 08:31    --------   d-a------   C:\Program Files\Common Files\Symantec Shared
2006-12-15 09:15    --------   d--------   C:\Program Files\Yahoo!
2006-12-15 09:15    --------   d--------   C:\Program Files\Yahoo!
2006-12-14 10:30    --------   d--------   C:\Program Files\QuickTime
2006-12-14 10:30    --------   d--------   C:\Program Files\QuickTime
2006-11-28 06:40    --------   d--------   C:\Program Files\Macromedia
2006-11-28 06:40    --------   d--------   C:\Program Files\Macromedia
2006-11-28 06:40    --------   d--------   C:\Program Files\Common Files
2006-11-28 06:40    --------   d--------   C:\Program Files\Common Files
2006-11-28 06:38    --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-11-28 06:38    --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-11-28 06:38    --------   d--------   C:\Program Files\Common Files\Adaptec Shared
2006-11-02 13:23    --------   d--------   C:\Program Files\SQL Navigator 5
2006-11-02 13:23    --------   d--------   C:\Program Files\SQL Navigator 5
2006-10-23 08:00    --------   d-a------   C:\Program Files\Adobe
2006-10-23 08:00    --------   d-a------   C:\Program Files\Adobe
2006-10-23 07:59    --------   d-a------   C:\Program Files\Common Files\Adobe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ACUMon"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"AcronisÂ TrueÂ Image Monitor"="D:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe"
"Acronis Scheduler2 Service"="C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
"FinePrint Dispatcher v4"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\fpdisp4.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"AnyDVD"="D:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"nodrivetypeautorun"=dword:000000ff

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EFS
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\$~$Sys0$.job
C:\WINNT\tasks\$~$Sys1$.job

Completion time: Sat 2006-12-23 19:58:17.26
C:\combofix.txt ... 06-12-23 19:58
C:\ComboFix2.txt ... 06-12-20 22:26

guestolo · « **Reply #8 on:** December 24, 2006, 01:08:23 AM »

Clear out any entries in your OUTLOOK Inbox and Sent box that you are unsure about trusting
If unsure, don't open them, just remove them
Since you uninstalled Microsoft Antispyware, you can delete this folder
C:\Program Files\Microsoft AntiSpyware <-folder

Can you close all browser windows, including this one and run ATF-Cleaner one more time please

Afterwards
Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {130F89DC-B772-4E02-AEFA-1BDDD8BD4E96} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Come back here and post another fresh hijackthis log
Let me know how things are running please

Could you also
Download and save too your root directory
In your case, This will be the C:\ directory
F-Secure Blacklight(blbeta.exe)
So you will now have C:\blbeta.exe
* Open a command window. (Start>Run and type: cmd)
* Copy paste or type the following in the command window:

C:\blbeta.exe /expert

* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

EDIT>>Could you also post the log from Avenger I had you run earlier
The log is found here>>C:\Avenger.txt

godzilly · « **Reply #9 on:** December 24, 2006, 02:02:48 AM »

HJT log and Avenger.txt are below

Blacklight did not find anything

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:23 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cognos\ca1\bin\cfsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Apoint\Apoint.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\stunnel\stunnel-4.04.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Documents and Settings\murphyb\Desktop\DOWNLOADS\Hi-Jack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AcronisÂ TrueÂ Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: STunnel to AIS.lnk = D:\Program Files\stunnel\stunnel-4.04.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://pfs-nas2/appxtender/client/IrcViewer.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://finance.ucsfmedicalcenter.org/ScriptX2/ScriptX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124309989189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134580203611
O16 - DPF: {816FE240-8F3B-460F-AA99-C53CC193807D} (CompositeView Control) - http://pfs-nas1/WX/Client/IrcViewer.cab
O16 - DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} (Interactive Client Result Set Control) - http://pfs-nas2/appxtender/client/IrcResultSet.cab
O16 - DPF: {976C8ADC-0CEE-4440-9963-EA0199468D34} (Interactive Client Result Set Control) - http://pfs-nas1/WX/Client/IrcResultSet.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hbscorp.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cognos Finance Service (Cognos Finance) - Cognos - C:\Program Files\Cognos\ca1\bin\cfsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cognos Ticket Server (DSTicketSrv) - Cognos Inc - C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

avenger.txt

L o g f i l e o f T h e A v e n g e r v e r s i o n 1 , b y S w a n d o g 4 6

R u n n i n g f r o m r e g i s t r y k e y :

\ R e g i s t r y \ M a c h i n e \ S y s t e m \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ k e r l n k h j

* * * * * * * * * * * * * * * * * * *

S c r i p t f i l e l o c a t e d a t : \ ? ? \ C : \ P r o g r a m F i l e s \ a r b v x t g i . t x t

S c r i p t f i l e o p e n e d s u c c e s s f u l l y .

S c r i p t f i l e r e a d s u c c e s s f u l l y

B a c k u p s d i r e c t o r y o p e n e d s u c c e s s f u l l y a t C : \ A v e n g e r

* * * * * * * * * * * * * * * * * * *

B e g i n n i n g t o p r o c e s s s c r i p t f i l e :

F i l e C : \ P r o g r a m F i l e s \ E s e t \ r u n d 1 1 3 2 . e x e d e l e t e d s u c c e s s f u l l y .

R e g i s t r y v a l u e H K E Y _ U S E R S \ . d e f a u l t \ s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ r u n | a v p t a s k d e l e t e d s u c c e s s f u l l y .

R e g i s t r y v a l u e H K E Y _ U S E R S \ . d e f a u l t \ s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ r u n | m y Z t 2 d e l e t e d s u c c e s s f u l l y .

R e g i s t r y v a l u e H K E Y _ L O C A L _ M A C H I N E \ s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ e x p l o r e r \ s h e l l e x e c u t e h o o k s | { 1 A 4 0 4 6 8 5 - 7 5 6 3 - 4 d 0 2 - B 0 F 6 - 5 8 B 3 0 8 A 4 0 6 A 9 } d e l e t e d s u c c e s s f u l l y .

C o m p l e t e d s c r i p t p r o c e s s i n g .

* * * * * * * * * * * * * * * * * * *

F i n i s h e d ! T e r m i n a t e .

guestolo · « **Reply #10 on:** December 24, 2006, 02:17:13 AM »

How's everything running on your end?

Can you do me one more log
You can go ahead and enable your anti-spyware realtime protections

After you enable the protections, ensure you allow any changes that we made
Reboot the computer

Post one last hijackthis log

godzilly · « **Reply #11 on:** December 24, 2006, 02:49:29 AM »

I'm experiencing some issues with connectivity

I can connect but a few minutes later if I try to go to a web page or refresh I get "page cannot be displayed"

I open a command wondow and do ipconfig /renew and the i can connect

I don't know if this is related to my virus or not. My laptop is configured for connecting at work and this may ne the issue, but I've never had this kind of problem before

I have 2 other home PC on the same router and they are connecting OK so I don't think it's ISP related

****UPDATE****

I've connected to my work via VPN and connectivity is OK. intriguing...

**** END UPDATE ***

HJT log is attached - it looks like some of the things we deleted came back

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 11:40:45 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cognos\ca1\bin\cfsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Apoint\Apoint.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\stunnel\stunnel-4.04.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Documents and Settings\murphyb\Desktop\DOWNLOADS\Hi-Jack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AcronisÂ TrueÂ Image Monitor] D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: STunnel to AIS.lnk = D:\Program Files\stunnel\stunnel-4.04.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} (CompositeView Control) - http://pfs-nas2/appxtender/client/IrcViewer.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {130F89DC-B772-4E02-AEFA-1BDDD8BD4E96} -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://finance.ucsfmedicalcenter.org/ScriptX2/ScriptX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124309989189
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134580203611
O16 - DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} -
O16 - DPF: {816FE240-8F3B-460F-AA99-C53CC193807D} (CompositeView Control) - http://pfs-nas1/WX/Client/IrcViewer.cab
O16 - DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} (Interactive Client Result Set Control) - http://pfs-nas2/appxtender/client/IrcResultSet.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {976C8ADC-0CEE-4440-9963-EA0199468D34} (Interactive Client Result Set Control) - http://pfs-nas1/WX/Client/IrcResultSet.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hbscorp.webex.com/client/v_mywebex-...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ucsfmedicalcenter.org
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cognos Finance Service (Cognos Finance) - Cognos - C:\Program Files\Cognos\ca1\bin\cfsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cognos Ticket Server (DSTicketSrv) - Cognos Inc - C:\Program Files\Cognos\ca1\TicketServer\bin\TicketServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - IntelÂ® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

guestolo · « **Reply #12 on:** December 24, 2006, 04:07:23 AM »

Can we try and look at a couple things please

Close down all browser windows
Go to start>>run
type in cmd
Hit OK

type the following in the command prompt
ipconfig /flushdns
Hit Enter on keyboard then type exit
Hit Enter

Download: Registry Search Tool from this link, it's a very small download
http://billsway.com/vbspage/
You will have to scroll down to see it

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

1A404685-7563-4d02-B0F6-58B308A406A9

Wait for the results and post them back here

Also, Download>>Save and unzip to desktop
Search.zip
[attachment=2214:search.zip]
Double click on Search.bat, a text file should open, can you copy>>paste back here the results please

NOTE: The entries returned in your Hijackthis log from either SpywareDoctor or Spybot's TeaTimer
Did they both prompt about changes?
Are you sure you selected the right button at the prompt?

godzilly · « **Reply #13 on:** December 24, 2006, 08:54:39 PM »

As you said - 'tis the season..

It may be tuesday before I can get to this. Is that OK?

Thanks once again and have a great holiday

godzilly · « **Reply #14 on:** December 26, 2006, 02:27:29 PM »

Good Morning

I ran ipconfig /fushdns successfully

I ran RegSrech - here are the results:

REGEDIT4
; RegSrch.vbs Â© Bill James

; Registry search results for string "1A404685-7563-4d02-B0F6-58B308A406A9" 12/26/2006 11:08:31 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A404685-7563-4d02-B0F6-58B308A406A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A404685-7563-4d02-B0F6-58B308A406A9}\InProcServer32]

++++++++++++++++++++++++++++++++++++++++++++++

I couldn't open search.zip - winzip says it is an invalid archive. I tried on 2 different computers

As for Spyware doctor and spybot - I don't rememeber any popups about items being added to registry or startup

They both seem to be set up OK

In Spybot tools the following are NOT ticked: Bug Report, ActiveX, Browser Pages, Opt Out, Process List

In Spyware Doctor OnGuard is active and all options are ON

Thanks

Brian

guestolo · « **Reply #15 on:** December 26, 2006, 03:06:49 PM »

The zip file works good on my end
were you logged into the forum when you downloaded the file
You can't just right click on it and save it as an htm file, it must be a .zip file

Let's try this
Download Search.txt from below and save it to desktop
Then RIGHT CLICK on Search.txt and RENAME it too Search.bat

Double click on Search.bat, a text file should open, can you copy>>Paste back here the contents

godzilly · « **Reply #16 on:** December 28, 2006, 02:36:15 AM »

Result of search.bat

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ACUMon"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"AcronisÃ¿TrueÃ¿Image Monitor"="D:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe"
"Acronis Scheduler2 Service"="C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
"FinePrint Dispatcher v4"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\2\\fpdisp4.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"AnyDVD"="D:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@="KHALMNPR.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,00,00
"LsaPid"=dword:00000130
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"fullprivilegeauditing"=hex:01
"lmcompatibilitylevel"=dword:00000000
"restrictanonymous"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:2a,d6,40,72,6d,d0,39,a2,e2,84,62,bd,20,ae,eb,18,34,66,31,32,32,\
37,33,32,00,fd,06,00,01,00,00,00,a8,00,00,00,b4,00,00,00,58,fa,06,00,57,4c,\
5a,78,04,00,00,00,b4,fd,06,00,ac,fd,06,00,77,c6,df,85

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:d9,a8,72,28,1b,80,54,99,c7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:dd,28,d6,5b,cd,16

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:97,e1,af,34,d8,71,ea,e6,dc,90,1d,ef,f4,b2,c9,52

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:b0,c7,1f,3b,40,18,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,f0,8f,cb,6e,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,48,68,b6,d7,c0,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,48,68,b6,d7,c0,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"

godzilly · « **Reply #17 on:** December 28, 2006, 02:54:04 PM »

My weekly Symantec scan found the following and quarantined it. The previous scan was on 12/20:

Date,Filename,Threat,Original Location,Status
12/28/2006 12:20:30 AM,qef13B.tmp,Infostealer,C:\WINNT\Temp\,Infected

LATEST KASPERSKY ONLINE SCAN BELOW

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 28, 2006 11:50:04 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/12/2006
Kaspersky Anti-Virus database records: 240359
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\
   H:\
   J:\

Scan Statistics:
   Total number of scanned objects: 67921
   Number of viruses found: 10
   Number of infected objects: 33 / 0
   Number of suspicious objects: 2
   Duration of the scan process: 04:06:13

Infected Object Name / Virus Name / Last Action
C:\WINNT\CSC0000001   Object is locked   skipped
C:\WINNT\Debug\ipsecpa.log   Object is locked   skipped
C:\WINNT\Debug\Netlogon.log   Object is locked   skipped
C:\WINNT\Debug\oakley.log   Object is locked   skipped
C:\WINNT\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINNT\Internet Logs\5D1ZG61.ldb   Object is locked   skipped
C:\WINNT\Internet Logs\fwdbglog.txt   Object is locked   skipped
C:\WINNT\Internet Logs\fwpktlog.txt   Object is locked   skipped
C:\WINNT\Internet Logs\IAMDB.RDB   Object is locked   skipped
C:\WINNT\Internet Logs\tvDebug.log   Object is locked   skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\CcmExec.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\CertificateMaintenance.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\ClientIDManagerStartup.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\DataTransferService.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\execmgr.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\FileSystemFile.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\InventoryAgent.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\LocationServices.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\mtrmgr.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\PatchInstall.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\PatchUIMonitor.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\PolicyAgent.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\PolicyAgentProvider.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\PolicyEvaluator.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\Scheduler.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\SrcUpdateMgr.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\StatusAgent.log   Object is locked   skipped
C:\WINNT\system32\CCM\Logs\SWMTRReportGen.log   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint000000E.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint000000E.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply0000009.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply0000009.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr0000006.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr0000006.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent0000003.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent0000003.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations0000002.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations0000002.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup000000J.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup000000J.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup0000006.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup0000006.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator000002I.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator000002I.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments000000D.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments000000D.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments000000V.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments000000V.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen0000002.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen0000002.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager0000004.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager0000004.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint0000002.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint0000002.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver0000004.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver0000004.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager0000001.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager0000001.que   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager000000P.msg   Object is locked   skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager000000P.que   Object is locked   skipped
C:\WINNT\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINNT\system32\config\default   Object is locked   skipped
C:\WINNT\system32\config\default.LOG   Object is locked   skipped
C:\WINNT\system32\config\SAM   Object is locked   skipped
C:\WINNT\system32\config\SAM.LOG   Object is locked   skipped
C:\WINNT\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINNT\system32\config\SECURITY   Object is locked   skipped
C:\WINNT\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINNT\system32\config\software   Object is locked   skipped
C:\WINNT\system32\config\software.LOG   Object is locked   skipped
C:\WINNT\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINNT\system32\config\system   Object is locked   skipped
C:\WINNT\system32\config\SYSTEM.ALT   Object is locked   skipped
C:\WINNT\system32\Perflib_Perfdata_5e4.dat   Object is locked   skipped
C:\WINNT\system32\Perflib_Perfdata_a4c.dat   Object is locked   skipped
C:\WINNT\system32\wbem\Repository\CIM.REP   Object is locked   skipped
C:\WINNT\Temp\ZLT02f52.TMP   Object is locked   skipped
C:\WINNT\Temp\ZLT02f55.TMP   Object is locked   skipped
C:\WINNT\WindowsUpdate.log   Object is locked   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat   Object is locked   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine1AC0000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.dc   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7440000.VBN   Infected: Trojan.Win32.Agent.abf   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7440001.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7440002.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7A00000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.dc   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7A00001.VBN   Infected: Trojan-PSW.Win32.OnLineGames.dc   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7A00002.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7CC0000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.cx   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7CC0001.VBN   Infected: Trojan.Win32.Agent.abf   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7CC0002.VBN   Infected: Trojan-PSW.Win32.Nilage.apy   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7CC0003.VBN   Infected: Trojan-PSW.Win32.WOW.md   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.cx   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0001.VBN   Infected: Trojan-PSW.Win32.OnLineGames.db   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0002.VBN   Infected: Trojan-PSW.Win32.OnLineGames.db   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0004.VBN   Infected: Trojan.Win32.Agent.abf   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0005.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0006.VBN   Infected: Trojan-PSW.Win32.Nilage.apy   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0007.VBN   Infected: Trojan-PSW.Win32.OnLineGames.cj   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7DC0008.VBN   Infected: Trojan-PSW.Win32.OnLineGames.cx   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7E00000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.dc   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7E00001.VBN   Infected: Trojan-PSW.Win32.OnLineGames.dc   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7F00000.VBN   Infected: Trojan-PSW.Win32.OnLineGames.db   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7F00001.VBN   Infected: Trojan.Win32.Agent.abf   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7F00002.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7F00003.VBN   Infected: Trojan-PSW.Win32.Nilage.apy   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8D40000.VBN   Infected: Trojan.Win32.Agent.abf   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8D40001.VBN   Infected: Trojan-PSW.Win32.OnLineGames.bs   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8D40002.VBN   Infected: Trojan-PSW.Win32.Nilage.apy   skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8D40003.VBN   Infected: Trojan-PSW.Win32.OnLineGames.cx   skipped
D:\Documents and Settings\Default User\Cookies\index.dat   Object is locked   skipped
D:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\Application Data\Microsoft\Internet Explorer\UserData\index.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\Cookies\index.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
D:\Documents and Settings\murphyb\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst/2003/Inbox/19 Sep 2003 15:43 from Inet Email System:Failure Advice.html   Suspicious: Exploit.HTML.Iframe.FileDownload   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst/2003/Inbox/19 Sep 2003 15:43 from Inet Email System:Failure Advice.rtf   Suspicious: Exploit.HTML.Iframe.FileDownload   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst/2003/Sent Items/17 Jan 2001 02:27 to 'The Malkow Family':RE: IT'S BEEN A LONG TI.rtf   Infected: Email-Worm.VBS.KakWorm   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst   Mail MS Mail: infected - 1, suspicious - 2   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\murphyb.pst/Personal Folders/KEEP/07 Jul 2000 10:55 from The Malkow Family:IT'S BEEN A LONG TIME!.rtf   Infected: Email-Worm.VBS.KakWorm   skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\murphyb.pst   Mail MS Mail: infected - 1   skipped
D:\Documents and Settings\murphyb\NTUSER.DAT   Object is locked   skipped
D:\Documents and Settings\murphyb\NTUSER.DAT.LOG   Object is locked   skipped

Scan process completed.

guestolo · « **Reply #18 on:** December 30, 2006, 12:46:59 PM »

You may want to try Symantec's removal tool and see if it finds anything
http://www.symantec.com/security_response/...-041507-4157-99

Just these files need removed
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst/2003/Sent Items/17 Jan 2001 02:27 to 'The Malkow Family':RE: IT'S BEEN A LONG TI.rtf Infected: Email-Worm.VBS.KakWorm skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\2003.pst Mail MS Mail: infected - 1, suspicious - 2 skipped
D:\Documents and Settings\murphyb\My Documents\Outlook\murphyb.pst/Personal Folders/KEEP/07 Jul 2000 10:55 from The Malkow Family:IT'S BEEN A LONG TIME!.rtf Infected: Email-Worm.VBS.KakWorm skipped

You may also want to clear the Quarantine area of Symantec's

The export from search.bat looks good

godzilly · « **Reply #19 on:** December 31, 2006, 11:40:04 AM »

The symantec removal tool found nothing

I will remove the various infected items

Everything seems OK exept for the connectivity issue

I'm beginning to wonder if it's related to a security download from my IT department. When I logged in voa VPN a few days ago They pushed some security updates to the laptop. If I still have the problems when get back to the office and connect at my desk then I'll seel if the have any idea

Thanks for all your help

Happy New Year

Brian

News:

Author Topic: Infected - Please Help (Read 2323 times)