4th November 2007
#1
Member
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
[Resolved] XP Pro Hacked: Lost Admin rights on User Account!
Hi... new member here looking for some help. I believe my Windows XP Pro machine has been hacked (or hit by a virus).
I have lost ALL "Computer Administrator" rights on my user account. The Control Panel is missing from the Start Menu; I cannot access the Task Manager, right-click on Desktop Properties or go to Windows Update.
I keep getting a message stating that I have a "Limited Account" and that I cannot access those features.
In SAFE MODE (logged in as "Administrator")... the user account is displayed as Computer Administrator, yet it's still acting like a Limited Account.
So I decided to create another Admin User Account and DELETE the other hacked account. I copied all the necessary files from one account to the other, but when trying to delete/remove the 1st account... I received an "8007042" error message and the deletion process failed to complete.
I'm really hoping to correct this issue WITHOUT formatting or re-installing Windows XP (since I cannot find my Recovery CD and my PC is out of warranty).
I have already run a Virus scan (it found a "printer.exe" trojan, which was removed; not sure if related to this issue or not?) and Spyware scans (clean).
Is there a way to RESTORE Computer Administrator rights back to my User Account via Registry Tweaking or some other modification or program?
I was told that this forum would be useful... so any help/info/suggestions would be greatly appreciated.
Thanks.
4th November 2007
#2
Administrator
Join Date: Dec 2001
Location: 35⁰ 53'55.1" N, 14⁰ 28'37.5" E
Posts: 3,300
Computer Experience: ***
Hi,
Read this post, then post a HijackThis log in the Removing Spyware & Viruses forum.
4th November 2007
#3
Staff
Join Date: May 2002
Location: Staffordshire, UK
Posts: 21,689
Computer Experience: Usually not enough
left4dead - Welcome to the Board
It is likely that your computer has been compromised by an infection.
Please download HijackThis through Quicklinks in my signature and save it to a folder on your hard drive, say C:\HJT, not to the Desktop or a temporary location. When entries are fixed with HJT a backup is made to the folder from which HJT is run, and this must be in a permanent location.
Open the folder in which you placed HJT, double click on hijackthis.exe and select Scan and save a log file; this will be saved in the folder from which you ran HJT. Post the log (copy/paste) into your next post here.
In the meantime I have moved your thread to the Removing Spyware & Viruses forum.
4th November 2007
#4
Member
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Hi,
Thanks for your help. Here's my HJT log below.
Also, KIS 7 recently found and quarantined 2 "trojans" (c:\windows\system32\winavxx.exe and c:\windows\system32\printer.exe).
----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:45 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\$ISR\$APP\Setup\ISRService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
5th November 2007
#5
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
And another welcome to WindowsBBS
Let's run a tool that's been updated for this infection. Download SmitfraudFix by S!Ri, saving it to the desktop.
Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
Reboot to normal mode when the tool completes.
Note: You must be logged onto an account with administrator privileges to complete the following.
Download Deckard's System Scanner (dss.exe) to your desktop. Close all applications and windows.
Double click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post the contents of main.txt and the SmitfraudFix log at C:\rapport.txt.
5th November 2007
#6
Member
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Hi noahdfear,
Thanks for your help. It seems to have done the trick. I can now access my Control Panel, Task Manager, Properties and go to Windows Update.
However, I encountered a problem during Windows Update: there were 8 updates available and it FAILED to install all of them. There was no error message or code... it just said "a problem with your computer prevented the updates from installing."
Below are the logs you requested:
---------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2007-11-05 04:15:28 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 247 MiB (512 MiB recommended).
-- HijackThis (run as Steph.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:57 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\$ISR\$APP\Setup\ISRService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Steph\Desktop\dss .exe
C:\DOCUME~1\Steph\Desktop\PCTOOL~1\Steph.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime
O4 - HKLM\..\Run: [AVP] 'C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe'
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 3704 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 Rss - c:\windows\system32\drivers\rss.sys <Not Verified; Raxco Software, Inc.; Raxco Software, Inc. rss>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 ISRService (FirstDefense-ISR Service) - c:\$isr\$app\setup\isrservice.exe <Not Verified; Raxco Software, Inc.; FirstDefense-ISR>
S3 CachemanXPService (CachemanXP) - c:\program files\cachemanxp\cachemanxp.exe <Not Verified; Outertech; >
S3 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
-- Device Manager: Disabled ----------------------------------------------------
Class GUID:
Description: USB Camera
Device ID: USB\VID_05A9&PID_8519&MI_00\6&280F7049&0&0000
Manufacturer:
Name: USB Camera
PNP Device ID: USB\VID_05A9&PID_8519&MI_00\6&280F7049&0&0000
Service:
-- Files created between 2007-10-04 and 2007-11-04 -----------------------------
2007-11-04 22:03:48 1512 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-04 22:03:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 22:03:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-04 22:03:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-04 22:03:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-04 22:03:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-02 16:23:05 0 d-------- C:\Program Files\bfgclient
2007-11-02 16:23:05 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-29 17:30:52 0 dr-h----- C:\Documents and Settings\Steph\Recent
2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-28 22:56:53 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-28 21:21:19 280 --a------ C:\WINDOWS\system32\PDBootState
2007-10-28 20:52:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 20:14:50 0 d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
2007-10-28 20:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-28 20:11:30 0 d-------- C:\Program Files\Sunbelt Software
2007-10-28 19:53:38 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-28 19:53:38 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-28 19:52:26 0 d-------- C:\Program Files\Kaspersky Lab
2007-10-28 19:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 19:52:20 49952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-28 19:52:20 6379552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-28 19:47:23 0 d-------- C:\KAV
2007-10-28 19:17:55 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-10-28 18:53:58 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-10-15 21:13:09 0 d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
2007-10-14 20:43:16 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-14 20:42:43 0 d-------- C:\Program Files\Canon
2007-10-14 20:41:45 0 d-------- C:\Program Files\Common Files\Canon
-- Find3M Report ---------------------------------------------------------------
2007-11-04 22:11:51 0 d-------- C:\Program Files\cFosSpeed
2007-10-28 22:52:54 0 d-------- C:\Program Files\XP Smoker
2007-10-28 19:27:19 0 d-------- C:\Program Files\Common Files
2007-10-28 19:14:32 0 d-------- C:\Program Files\Registry Smoker
2007-10-28 19:00:53 0 d-------- C:\Program Files\RegHealer
2007-10-28 18:56:48 0 d-------- C:\Program Files\CachemanXP
2007-10-28 18:41:37 27032 --a----c- C:\WINDOWS\system32\tcpipbak.reg
2007-09-26 22:41:37 0 d-------- C:\Program Files\Trend Micro
2007-09-26 20:10:58 0 d-------- C:\Documents and Settings\Steph\Application Data\Move Networks
2007-09-23 14:14:45 0 d-------- C:\Program Files\Ace Utilities
2007-09-15 19:47:55 0 d-------- C:\Documents and Settings\Steph\Application Data\funkitron
2007-09-15 19:47:14 0 d-------- C:\Program Files\Slingo ® Deluxe
2007-09-15 09:49:39 0 d-------- C:\Program Files\Slingo Quest
2007-09-15 09:49:37 0 d-------- C:\Documents and Settings\Steph\Application Data\SpinTop
2007-08-29 15:10:49 3350 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-29 15:10:45 56 -r-hs--c- C:\WINDOWS\system32\044FB2F2B2.sys
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
'WinPatrol'='C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe' [10/26/2007 10:06 AM]
'cFosSpeed'='C:\Program Files\cFosSpeed\cFosSpeed.exe' [10/29/2007 05:02 PM]
'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' [10/25/2006 06:58 PM]
'AVP'='C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe' [06/28/2007 11:51 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
'InstallVisualStyle'=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
'InstallTheme'=C:\WINDOWS\Resources\Themes\Royale.theme
'RunStartupScriptSync'=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
'DisableRegistryTools'=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
'NoLowDiskSpaceChecks'=1 (0x1)
'NoInstrumentation'=1 (0x1)
'NoSMBalloonTip'=0 (0x0)
'NoDesktopCleanupWizard'=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
'appinit_dlls'=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@='Service'
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' -atboottime
'SBCSTray'=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
'ISR_MONITOR'=C:\$ISR\$APP\ISRMonitor.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
-- End of Deckard's System Scanner: finished at 2007-11-04 22:18:11 -------------------------------------------------------
SmitFraudFix v2.248
Scan done at 22:07:06.07, Sun 11/04/2007
Run from C:\Documents and Settings\Steph\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F054F42F-13C4-4710-9C97-2C7C93AE4684}:
DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
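Added example, not from this thread and not part of HijackThis, DSS, SmitfraudFix or ComboFix: a small Python triage script that reads the HijackThis `O7` lines (post #4 above) and the `[key]` / `'name'=data` registry dump sections of a DSS or ComboFix log (post #6), flags the policy values that produce exactly the "Limited Account" symptoms from post #1 (Task Manager and Registry Editor blocked, Control Panel hidden, Display Properties and Windows Update blocked), and renders a .reg fragment that deletes them. The value names are the real Windows policy values; the symptom wording, the sample log lines and the function names are ours.

```python
"""Triage HijackThis / DSS-style log lines for the registry policy values that
make an administrator account behave like a 'Limited Account', and render a
.reg fragment that removes them.

Added example: not a tool from the thread. Value names are real Windows policy
values; symptom text, sample log and function names are ours.
"""
import re
from dataclasses import dataclass

# Policy values behind the symptoms in the thread. Key paths are relative to
# Software\Microsoft\Windows\CurrentVersion under HKLM or HKCU.
RESTRICTIONS = {
    "DisableRegistryTools": ("Policies\\System",   "Registry Editor blocked"),
    "DisableTaskMgr":       ("Policies\\System",   "Task Manager blocked"),
    "NoDispCPL":            ("Policies\\System",   "Display Properties blocked"),
    "NoControlPanel":       ("Policies\\Explorer", "Control Panel hidden"),
    "NoWindowsUpdate":      ("Policies\\Explorer", "Windows Update blocked"),
    "NoRun":                ("Policies\\Explorer", "Start > Run removed"),
}
# HijackThis reports DisableRegistryTools under its own label (the O7 line in post #4).
HJT_ALIASES = {"DisableRegedit": "DisableRegistryTools"}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
LONG_HIVES = {short: long for long, short in HIVES.items()}

# HJT:  O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7_RE = re.compile(r"^O7 - (HKLM|HKCU)\\.*\\Policies\\(System|Explorer), (\w+)=(\d+)")
# DSS / ComboFix dump: a [key] header, then 'name'=data (0x..) or "name"=data (0x..) lines
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\policies\\(system|explorer)\]$", re.I)
VAL_RE = re.compile(r"""^["'](\w+)["']=(\d+)""")


@dataclass(frozen=True)
class Finding:
    hive: str      # HKLM or HKCU
    key: str       # Policies\System or Policies\Explorer
    value: str     # canonical value name
    data: int
    symptom: str


def _record(findings, hive, key, name, data):
    """Keep the value only if it is a known restriction, set non-zero, in its proper key."""
    name = HJT_ALIASES.get(name, name)
    if name in RESTRICTIONS and data != 0:
        expected_key, symptom = RESTRICTIONS[name]
        if expected_key.lower() == key.lower():
            findings.append(Finding(hive, key, name, data, symptom))


def parse_log(text):
    """Return the restrictive policy values found in HJT O7 lines and DSS/ComboFix dumps."""
    findings = []
    current = None  # (hive, key) of the dump section being read, if it is a Policies key
    for raw in text.splitlines():
        line = raw.strip()
        m = O7_RE.match(line)
        if m:
            _record(findings, m.group(1), "Policies\\" + m.group(2), m.group(3), int(m.group(4)))
            continue
        m = KEY_RE.match(line)
        if m:
            current = (HIVES[m.group(1).upper()], "Policies\\" + m.group(2).capitalize())
            continue
        if line.startswith("["):      # some other key header: stop attributing values
            current = None
            continue
        m = VAL_RE.match(line) if current else None
        if m:
            _record(findings, current[0], current[1], m.group(1), int(m.group(2)))
    return findings


def undo_reg(findings):
    """Render a .reg file that deletes each flagged value ("name"=- deletes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hive, key in sorted({(f.hive, f.key) for f in findings}):
        lines.append(f"[{LONG_HIVES[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}]")
        lines.extend(f'"{f.value}"=-' for f in findings if (f.hive, f.key) == (hive, key))
        lines.append("")
    return "\n".join(lines)


# Constructed sample: two HJT O7 lines plus a DSS-style registry dump, modelled on the logs above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
'InstallVisualStyle'=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
'RunStartupScriptSync'=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
'NoControlPanel'=1 (0x1)
'NoDesktopCleanupWizard'=1 (0x1)
'NoWindowsUpdate'=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
'appinit_dlls'=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.hive}\\...\\{f.key}  {f.value}={f.data}  -> {f.symptom}")
    print(undo_reg(found))
```

Two caveats before importing the generated .reg fragment. A real Limited Account is a group membership; these values only emulate one, so deleting them restores the defaults without touching the account itself, but the HKLM entries need an administrator session to remove. And on a domain-joined machine the same values under Policies\System and Policies\Explorer can be legitimate Group Policy that will simply be re-applied at the next refresh, so check `gpresult` before treating them as malware.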
6th November 2007
#7
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
A bit more to do. Download ComboFix by sUBs from here, saving the file to your desktop. Close all open programs and windows.
Double click combofix.exe and follow the prompts.
When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
7th November 2007
#8
Member
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Hi,
Below are the logs you requested. Cheers.
---------------------------------------------
ComboFix 07-11-07.3 - Steph 2007-11-06 19:57:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.60 [GMT -6:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07)))))))))))))))))))))))))))))))
.
2007-11-06 19:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 00:32 <DIR> d-------- C:\Program Files\MSBuild
2007-11-05 00:26 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-05 00:25 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-05 00:23 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-05 00:23 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-04 22:14 <DIR> d-------- C:\Deckard
2007-11-04 22:03 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-04 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-04 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-04 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-04 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 22:03 1,512 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 21:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-11-02 21:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-11-02 21:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-11-02 21:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-11-02 21:53 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-11-02 21:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-11-02 21:53 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-11-02 21:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-11-02 16:23 <DIR> d-------- C:\Program Files\bfgclient
2007-11-02 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-29 19:42 706,512 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
2007-10-29 13:51 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-29 13:51 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-29 13:51 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-29 13:51 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-29 13:51 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-29 13:22 290,816 --a------ C:\WINDOWS\system32\dllcache\adsiis51.dll
2007-10-29 13:22 188,480 --a------ C:\WINDOWS\system32\dllcache\cfgwiz.exe
2007-10-29 13:22 46,592 --a------ C:\WINDOWS\system32\dllcache\coadmin.dll
2007-10-29 13:22 43,520 --a------ C:\WINDOWS\system32\dllcache\admwprox.dll
2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\author.dll
2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\author.exe
2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-28 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-28 20:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-28 19:53 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-28 19:53 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-28 19:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 19:52 7,368,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-28 19:52 105,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-28 19:47 <DIR> d-------- C:\KAV
2007-10-28 19:17 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-10-15 21:13 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
2007-10-15 21:05 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-15 21:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-14 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-14 20:42 <DIR> d-------- C:\Program Files\Canon
2007-10-14 20:41 <DIR> d-------- C:\Program Files\Common Files\Canon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 01:55 --------- d-----w C:\Program Files\cFosSpeed
2007-11-07 01:54 99,500 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 01:54 10,748 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-29 23:02 281,552 ----a-w C:\WINDOWS\system32\cfosspeed.dll
2007-10-29 04:52 --------- d-----w C:\Program Files\XP Smoker
2007-10-29 01:14 --------- d-----w C:\Program Files\Registry Smoker
2007-10-29 01:00 --------- d-----w C:\Program Files\RegHealer
2007-10-29 00:56 --------- d-----w C:\Program Files\CachemanXP
2007-10-29 00:41 27,032 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
2007-09-27 04:41 --------- d-----w C:\Program Files\Trend Micro
2007-09-27 02:10 --------- d-----w C:\Documents and Settings\Steph\Application Data\Move Networks
2007-09-23 20:14 --------- d-----w C:\Program Files\Ace Utilities
2007-09-16 01:47 --------- d-----w C:\Program Files\Slingo ® Deluxe
2007-09-16 01:47 --------- d-----w C:\Documents and Settings\Steph\Application Data\funkitron
2007-09-16 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-09-15 15:49 --------- d-----w C:\Program Files\Slingo Quest
2007-09-15 15:49 --------- d-----w C:\Documents and Settings\Steph\Application Data\SpinTop
2007-08-29 21:10 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_19.49.52.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-05 06:33:23 70,796 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 01:59:24 70,796 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-05 06:33:23 437,702 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 01:59:24 437,702 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-10-29 17:02]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 15:59]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"RunStartupScriptSync"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"NoSMBalloonTip"=0 (0x0)
"NoDesktopCleanupWizard"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_Dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adi alhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SBCSTray"=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"ISR_MONITOR"=C:\$ISR\$APP\ISRMonitor.exe
R0 Rss;Rss;C:\WINDOWS\system32\drivers\Rss.sys
R2 ISRService;FirstDefense-ISR Service;C:\$ISR\$APP\Setup\ISRService.exe
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by
Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 19:59:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-06 20:00:38
C:\ComboFix2.txt ... 2007-11-06 19:50
.
--- E O F ---
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:36 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\$ISR\$APP\Setup\ISRService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steph\Desktop\PC Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Slingo%20Quest/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\$APP\Setup\ISRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 3933 bytes
7th November 2007
#9
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
It appears you ran ComboFix twice. I'd like to see the log from the first run please.
7th November 2007
#10
Member
Profile:
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Quote:
Originally Posted by noahdfear
It appears you ran ComboFix twice. I'd like to see the log from the first run please.
On the 1st run, I had a security program freeze....so I rebooted, turned off the program and ran again. Nothing changed from 1st log to 2nd.
Is this okay?
7th November 2007
#11
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Something did change. There were a number of files removed.
Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt
7th November 2007
#12
Member
Profile:
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Quote:
Originally Posted by noahdfear
Something did change. There were a number of files removed.
Please post the contents of C:\QooBox\
ComboFix-quarantined-files.txt
Before the 2nd scan....I deleted 2 "trojans" that were previously quarantined in KIS 7 (c:\windows\system32\winavxx.exe and c:\windows\system32\printer.exe).
Here is the ComboFix log #1 (prior to deletion of those 2 files)....sorry for any inconvenience.
---------------------------------------------------
ComboFix 07-11-07.3 - Steph 2007-11-06 19:45:36.1 - NTFSx86
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.
2007-11-06 19:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 00:32 <DIR> d-------- C:\Program Files\MSBuild
2007-11-05 00:26 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-05 00:25 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-05 00:23 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-05 00:23 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-04 22:42 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-11-04 22:14 <DIR> d-------- C:\Deckard
2007-11-04 22:03 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-04 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-04 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-04 22:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-04 22:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-04 22:03 1,512 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 21:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-11-02 21:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-11-02 21:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-11-02 21:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-11-02 21:53 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-11-02 21:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-11-02 21:53 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-11-02 21:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-11-02 16:23 <DIR> d-------- C:\Program Files\bfgclient
2007-11-02 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-29 19:42 706,512 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
2007-10-29 13:51 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-29 13:51 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-29 13:51 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-29 13:51 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-29 13:51 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-29 13:22 290,816 --a------ C:\WINDOWS\system32\dllcache\adsiis51.dll
2007-10-29 13:22 188,480 --a------ C:\WINDOWS\system32\dllcache\cfgwiz.exe
2007-10-29 13:22 46,592 --a------ C:\WINDOWS\system32\dllcache\coadmin.dll
2007-10-29 13:22 43,520 --a------ C:\WINDOWS\system32\dllcache\admwprox.dll
2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\author.dll
2007-10-29 13:22 20,540 --a------ C:\WINDOWS\system32\dllcache\admin.dll
2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\author.exe
2007-10-29 13:22 16,439 --a------ C:\WINDOWS\system32\dllcache\admin.exe
2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-28 22:56 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-28 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Sunbelt Software
2007-10-28 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-28 20:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-28 19:53 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-28 19:53 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-28 19:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 19:52 7,327,520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-28 19:52 102,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-28 19:47 <DIR> d-------- C:\KAV
2007-10-28 19:17 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-10-15 21:13 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\ZoomBrowser EX
2007-10-15 21:05 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-15 21:05 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-15 21:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-14 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-14 20:42 <DIR> d-------- C:\Program Files\Canon
2007-10-14 20:41 <DIR> d-------- C:\Program Files\Common Files\Canon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 01:41 --------- d-----w C:\Program Files\cFosSpeed
2007-11-06 06:12 96,524 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-06 06:12 9,620 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-29 23:02 281,552 ----a-w C:\WINDOWS\system32\cfosspeed.dll
2007-10-29 04:52 --------- d-----w C:\Program Files\XP Smoker
2007-10-29 01:14 --------- d-----w C:\Program Files\Registry Smoker
2007-10-29 01:00 --------- d-----w C:\Program Files\RegHealer
2007-10-29 00:56 --------- d-----w C:\Program Files\CachemanXP
2007-10-29 00:41 27,032 -c--a-w C:\WINDOWS\system32\tcpipbak.reg
2007-09-27 04:41 --------- d-----w C:\Program Files\Trend Micro
2007-09-27 02:10 --------- d-----w C:\Documents and Settings\Steph\Application Data\Move Networks
2007-09-23 20:14 --------- d-----w C:\Program Files\Ace Utilities
2007-09-16 01:47 --------- d-----w C:\Program Files\Slingo ® Deluxe
2007-09-16 01:47 --------- d-----w C:\Documents and Settings\Steph\Application Data\funkitron
2007-09-16 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-09-15 15:49 --------- d-----w C:\Program Files\Slingo Quest
2007-09-15 15:49 --------- d-----w C:\Documents and Settings\Steph\Application Data\SpinTop
2007-08-29 21:10 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-10-29 17:02]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2005-05-19 15:59]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"RunStartupScriptSync"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"NoSMBalloonTip"=0 (0x0)
"NoDesktopCleanupWizard"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_Dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SBCSTray"=C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
"ISR_MONITOR"=C:\$ISR\$APP\ISRMonitor.exe
R0 Rss;Rss;C:\WINDOWS\system32\drivers\Rss.sys
R2 ISRService;FirstDefense-ISR Service;C:\$ISR\$APP\Setup\ISRService.exe
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by
Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 19:49:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-06 19:50:50
.
--- E O F ---
7th November 2007
#13
Inactive
Profile:
Join Date: Jun 2007
Posts: 19
Computer Experience: Experienced
May need to edit registry
You may need to go into the registry and edit a key located at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
I can't remember the name of the key off the top of my head but you'll know it when you see it. Change the value to the opposite of what it is now.
8th November 2007
#14
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Please post the contents of C:\QooBox\ComboFix-quarantined-files.txt
Run Deckard's System Scanner again and post the main.txt log too.
Thanks!
8th November 2007
#15
Member
Profile:
Join Date: Nov 2007
Posts: 22
Computer Experience: Intermediate
Quote:
Originally Posted by tuktaktim
You may need to go into the registry and edit a key located at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
I can't remember the name of the key off the top of my head but you'll know it when you see it. Change the value to the opposite of what it is now.
Other than "(default)".....it lists the following 2:
NoDriveAutoRun: 0x03ffffff (67108863)
NoDriveTypeAutoRun: 0x000000ff (255)