
Malware/Virus hijacking IP address

Discussion in 'Malware and Virus Removal Archive' started by luxmvchok, 2006/07/06.

Thread Status:
Not open for further replies.
  1. 2006/07/09
    TeMerc (Inactive Alumni)
    OK, let's try another special find tool. Sorry this is dragging on like this.

    And a shout out to my good friend Blender, without whom none of this would be possible, she is my 'expert'.

    1. Download combofix
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  2. 2006/07/09
    luxmvchok (Inactive Thread Starter)
    MWAV did not find anything, nor any other program we have used so far. Here is the log you requested.

    ----------------------------------------
    Start Time= Sun 07/09/2006 7:57:59.56
    Running from: C:\My Download Files

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-08 10:29:08 ( .D... ) "C:\Program Files\Alwil Software "
    2006-07-08 07:17:40 528446 ( A.... ) "C:\WINDOWS\gmer.dll "
    2006-07-07 18:35:24 ( .D... ) "C:\Documents and Settings\Our Dell\Application Data\WinPatrol "
    2006-07-07 18:34:52 ( .D... ) "C:\Program Files\BillP Studios "
    2006-07-07 17:15:48 73 ( A.... ) "C:\WINDOWS\SYSTEM32\ssprs.dll "
    2006-07-07 13:33:32 47564 ( A.SHR ) "C:\NTDETECT.COM "
    2006-07-07 12:09:20 ( .D... ) "C:\Program Files\ProcessGuard "
    2006-07-07 12:08:52 ( .D... ) "C:\Program Files\Port Explorer "
    2006-07-07 07:51:34 1648 ( A.... ) "C:\run.bat "
    2006-07-07 00:28:08 ( .D... ) "C:\Program Files\Index.dat Suite "
    2006-07-06 14:03:06 ( .D... ) "C:\Program Files\Spybot - Search & Destroy "
    2006-07-06 13:20:34 ( .D... ) "C:\Program Files\Zone Labs "
    2006-07-06 11:39:40 ( .D... ) "C:\Program Files\Lavasoft "
    2006-07-06 04:19:44 ( .D... ) "C:\Documents and Settings\Our Dell\Application Data\Lavasoft "
    2006-07-06 02:09:20 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0 "
    2006-07-05 16:57:30 44544 ( A.... ) "C:\WINDOWS\SYSTEM32\procguard.dll "
    2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll "
    2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe "
    2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\SYSTEM32\aswBoot.exe "
    2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\SYSTEM32\AVASTSS.scr "
    2003-09-29 15:29:14 812 ( A.... ) "C:\Program Files\INSTALL.LOG "
    2000-10-02 16:12:46 381 ( A.... ) "C:\Program Files\bpftp.reg "

    Rootkit driver pe386 is present. A rootkit scan is required


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-08 10:29 90,112 C:\WINDOWS\system32\AVASTSS.scr
    2006-07-08 10:29 624,640 C:\WINDOWS\system32\aswBoot.exe
    2006-07-08 07:17 745,531 C:\WINDOWS\gmer.exe
    2006-07-08 07:17 528,446 C:\WINDOWS\gmer.dll
    2006-07-08 00:00 146,432 C:\WINDOWS\REGEDIT.COM
    2006-07-08 00:00 146,432 C:\WINDOWS\R.COM
    2006-07-08 00:00 135,680 C:\WINDOWS\system32\TASKMGR.COM
    2006-07-08 00:00 135,680 C:\WINDOWS\system32\T.COM
    2006-07-07 13:47 9,216 C:\WINDOWS\system32\proxycfg.exe
    2006-07-07 13:47 59,392 C:\WINDOWS\system32\logman.exe
    2006-07-07 13:46 88,064 C:\WINDOWS\system32\p2pnetsh.dll
    2006-07-07 13:46 86,016 C:\WINDOWS\system32\p2pgasvc.dll
    2006-07-07 13:46 81,920 C:\WINDOWS\system32\ieencode.dll
    2006-07-07 13:46 81,408 C:\WINDOWS\system32\wscsvc.dll
    2006-07-07 13:46 8,192 C:\WINDOWS\system32\smbinst.exe
    2006-07-07 13:46 75,776 C:\WINDOWS\system32\strmfilt.dll
    2006-07-07 13:46 73,832 C:\WINDOWS\system32\slcoinst.dll
    2006-07-07 13:46 73,796 C:\WINDOWS\system32\slserv.exe
    2006-07-07 13:46 71,680 C:\WINDOWS\system32\blastcln.exe
    2006-07-07 13:46 7,680 C:\WINDOWS\system32\kbdsmsno.dll
    2006-07-07 13:46 7,680 C:\WINDOWS\system32\kbdsmsfi.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdukx.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdno1.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdfi1.dll
    2006-07-07 13:46 60,416 C:\WINDOWS\system32\fwcfg.dll
    2006-07-07 13:46 6,656 C:\WINDOWS\system32\kbdinmal.dll
    2006-07-07 13:46 6,656 C:\WINDOWS\system32\kbdinben.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdmlt48.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdmlt47.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdinbe1.dll
    2006-07-07 13:46 526,848 C:\WINDOWS\system32\p2psvc.dll
    2006-07-07 13:46 516,768 C:\WINDOWS\system32\ativvaxx.dll
    2006-07-07 13:46 50,688 C:\WINDOWS\system32\btpanui.dll
    2006-07-07 13:46 50,176 C:\WINDOWS\system32\xmlprovi.dll
    2006-07-07 13:46 5,632 C:\WINDOWS\system32\kbdmaori.dll
    2006-07-07 13:46 49,152 C:\WINDOWS\system32\powercfg.exe
    2006-07-07 13:46 48,640 C:\WINDOWS\system32\pnrpnsp.dll
    2006-07-07 13:46 44,032 C:\WINDOWS\system32\twext.dll
    2006-07-07 13:46 397,056 C:\WINDOWS\system32\s3gnb.dll
    2006-07-07 13:46 384,512 C:\WINDOWS\system32\mp4sdmod.dll
    2006-07-07 13:46 377,984 C:\WINDOWS\system32\ati2dvaa.dll
    2006-07-07 13:46 32,866 C:\WINDOWS\system32\slrundll.exe
    2006-07-07 13:46 32,866 C:\WINDOWS\slrundll.exe
    2006-07-07 13:46 32,768 C:\WINDOWS\system32\ativtmxx.dll
    2006-07-07 13:46 32,285 C:\WINDOWS\system32\hsfcisp2.dll
    2006-07-07 13:46 312,320 C:\WINDOWS\system32\p2pgraph.dll
    2006-07-07 13:46 30,208 C:\WINDOWS\system32\bthserv.dll
    2006-07-07 13:46 29,184 C:\WINDOWS\system32\sdhcinst.dll
    2006-07-07 13:46 286,792 C:\WINDOWS\system32\slextspk.dll
    2006-07-07 13:46 24,576 C:\WINDOWS\system32\httpapi.dll
    2006-07-07 13:46 229,376 C:\WINDOWS\system32\ati2cqag.dll
    2006-07-07 13:46 22,528 C:\WINDOWS\system32\fltmc.exe
    2006-07-07 13:46 20,992 C:\WINDOWS\system32\bthci.dll
    2006-07-07 13:46 2,113,536 C:\WINDOWS\system32\dxdiagn.dll
    2006-07-07 13:46 193,024 C:\WINDOWS\system32\fsquirt.exe
    2006-07-07 13:46 188,508 C:\WINDOWS\system32\slgen.dll
    2006-07-07 13:46 17,408 C:\WINDOWS\system32\winshfhc.dll
    2006-07-07 13:46 16,896 C:\WINDOWS\system32\fltlib.dll
    2006-07-07 13:46 15,872 C:\WINDOWS\system32\w3ssl.dll
    2006-07-07 13:46 14,336 C:\WINDOWS\system32\auditusr.exe
    2006-07-07 13:46 13,824 C:\WINDOWS\system32\wscntfy.exe
    2006-07-07 13:46 13,824 C:\WINDOWS\system32\cmsetacl.dll
    2006-07-07 13:46 129,536 C:\WINDOWS\system32\xmlprov.dll
    2006-07-07 13:46 118,784 C:\WINDOWS\system32\msdadiag.dll
    2006-07-07 13:46 116,224 C:\WINDOWS\system32\p2p.dll
    2006-07-07 13:46 108,032 C:\WINDOWS\system32\wshbth.dll
    2006-07-07 13:46 1,737,856 C:\WINDOWS\system32\mtxparhd.dll
    2006-07-07 13:46 1,689,088 C:\WINDOWS\system32\d3d9.dll
    2006-07-07 12:59 44,544 C:\WINDOWS\system32\procguard.dll
    2006-07-07 12:08 7,440 C:\WINDOWS\system32\sporder.dll
    2006-07-07 12:08 42,496 C:\WINDOWS\system32\dcsws2.dll
    2006-07-07 00:50 1,648 C:\run.bat
    2006-07-06 13:20 79,616 C:\WINDOWS\system32\zlcomm.dll
    2006-07-06 13:20 71,424 C:\WINDOWS\system32\zlcommdb.dll
    2006-07-06 13:20 71,424 C:\WINDOWS\system32\vsregexp.dll
    2006-07-06 13:20 368,256 C:\WINDOWS\system32\vsdatant.sys
    2006-07-06 13:20 227,072 C:\WINDOWS\system32\vspubapi.dll
    2006-07-06 13:20 104,192 C:\WINDOWS\system32\vsmonapi.dll
    2006-07-06 13:20 100,096 C:\WINDOWS\system32\vsxml.dll
    2006-07-06 13:19 83,712 C:\WINDOWS\system32\vsdata.dll
    2006-07-06 13:19 382,720 C:\WINDOWS\system32\vsutil.dll
    2006-07-06 13:19 141,056 C:\WINDOWS\system32\vsinit.dll
    2006-07-06 00:36 22,752 C:\WINDOWS\system32\spupdsvc.exe
    2006-07-06 00:29 18,200 C:\WINDOWS\system32\wups2.dll
    2006-06-19 16:20 702,768 C:\WINDOWS\system32\WgaLogon.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIModeChange "= "Ati2mdxx.exe "
    "CARPService "= "carpserv.exe "
    "SynTPLpr "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe "
    "SynTPEnh "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe "
    "DadApp "= "C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe "
    "DVDSentry "= "C:\\WINDOWS\\System32\\DSentry.exe "
    "TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
    "AdaptecDirectCD "= "\ "C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\" "
    "DwlClient "= "C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "AdobeVersionCue "= "C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe "
    "Share-to-Web Namespace Daemon "= "C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe "
    "ATIPTA "= "C:\\PROGRAM FILES\\ATI TECHNOLOGIES\\ATI CONTROL PANEL\\ATIPTAXX.EXE "
    "ISUSPM Startup "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "ISUSScheduler "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "!ewido "= "\ "C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized "
    "Zone Labs Client "= "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe "
    "!1_pgaccount "= "\ "C:\\Program Files\\ProcessGuard\\pgaccount.exe\" "
    "WinPatrol "= "C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "SpybotSD TeaTimer "= "C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe "
    "!1_ProcessGuard_Startup "= "\ "C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000004

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "Eudora's Shell Extension "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "



    Contents of the 'Scheduled Tasks' folder

    Completion time: Sun 07/09/2006 7:59:03.32
    ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

    ComboFix.2006-07-09.075759.txt
     


  4. 2006/07/09
    TeMerc (Inactive Alumni)
    Haven't forgotten about you, but Tammy, my friend, has been offline much of the day and I have been doin some researchin on my own as well.

    Should have something soon.
     
  5. 2006/07/09
    luxmvchok (Inactive Thread Starter)
    No problem, thank you for staying with me on this "adventure." I did some searching on my own. I ran Autoruns and among the Autorun Entries I found this:

    pe386 c:\windows\system32:lzx32.sys

    I did a search and found Symantec's definition file for this Trojan. It seems that I am infected by the Backdoor.Rustock.B worm, which matches my symptoms exactly, and, as it seems, it cannot be detected by gmer or blacklight. Obviously I had other infections, but this is the persistent one.

    I deleted the registry entry but I am not sure what else I should do to end this in Autorun (I can delete it there, but Symantec recommends using the windows Recovery Console). I'd rather not play with System Restore...

    Anyway, I'll be waiting for your response. Thanks again.
     
  6. 2006/07/10
    TeMerc (Inactive Alumni)
    OK, so here is a funny thing......kinda....the Combo fix saw that pe386 file, and I just didn't see that line. :eek: Apologies for that, I was so busy looking up all those other files, it just got by me.

    Now, Tammy says GMER should see that in the 'services' tab.

    Open GMER, select the 'services' tab and look for the service, highlight it, select 'delete service' and reboot.

    Then post a new HJT logfile please.

    Also, you need to contact your banks or any other financial institutes you do any business with online. Check for any unusual activities and find a 'clean' computer to change all your passwords from.

    This infection is a key logger so there is a chance you could be compromised.

    Let me know how all that goes.
     
  7. 2006/07/10
    TeMerc (Inactive Alumni)
  8. 2006/07/10
    luxmvchok (Inactive Thread Starter)
    I am glad that you even look at this problem; with all these logs it is natural for something to be overlooked. I read from Symantec that this is a new Trojan that is mainly used for mass emailing. Well, I was lucky I did not use my laptop for anything else but email. But I immediately changed my passwords to my main accounts and I am in the process of changing all passwords of importance to me.

    Here are two logs, one from GMER and the HJT. The GMER has some hidden files that I now, after rebooting, cannot find anymore. So I am curious what they are... and thank you again (and Tammy).

    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-07-10 02:36:41
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.10 ----

    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwCreateFile
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwDeleteKey
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwFsControlFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwOpenFile
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwOpenKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwOpenSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwProtectVirtualMemory
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwReadVirtualMemory
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwSetContextThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwSetValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwSuspendProcess
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwSuspendThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwTerminateThread
    SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwWriteVirtualMemory

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [ECF33390] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [ECF33390] vsdatant.sys

    ---- Processes - GMER 1.0.10 ----

    Process swreg.exe (*** hidden *** ) 1960 <-- ROOTKIT !!!
    Process C:\sUBs\tsf\findstr.exe (*** hidden *** ) 2144 <-- ROOTKIT !!!
    Process hidden process (*** hidden *** ) 2824 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----

    Hijack Log starts here

    Logfile of HijackThis v1.99.1
    Scan saved at 2:50:32 AM, on 7/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\aniServ.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winamp.com/music/index.jhtml
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe "
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152160094986
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: DiamondCS ProcessGuard Service v3.400 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     
  9. 2006/07/10
    TeMerc (Inactive Alumni)
    Did HJT ADS scan find anything?

    Let me know and I'll begin looking at the above log file.
     
  10. 2006/07/10
    luxmvchok (Inactive Thread Starter)
    No, the HJT ADS scan did not reveal anything. Do you think this worm is adapting? I rebooted the laptop and redid gmer rootkit, autostart and processes, and the hidden processes seem to have disappeared after I deleted the pe 386 registry entry.
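    A small log-triage script, added here as an example and not part of this thread or of any of the tools the posters used. It reads ComboFix, GMER and Autoruns-style output and pulls out the indicators that posts 5 through 10 turned on: the ComboFix "Rootkit driver ... is present" line that was initially overlooked, an autorun whose image path is an NTFS alternate data stream such as system32:lzx32.sys, GMER's hidden processes, and SSDT hooks grouped by owning driver so that hooks from the security products installed on this machine (vsdatant.sys, procguard.sys) stand apart from any unknown driver. The allow-list, the function names and the sample log (built from lines quoted in the thread plus one made-up unknown driver) are constructed for this example.

```python
"""Triage helper for scanner output like the logs posted in this thread.

Pulls out the indicators a reviewer should not miss:
  * a ComboFix "Rootkit driver <name> is present" line,
  * an autorun entry whose image path is an NTFS alternate data stream
    (a second ':' in the path, e.g. system32:lzx32.sys),
  * GMER processes marked "hidden",
  * GMER SSDT hooks grouped by owning driver, so hooks from the security
    products installed on the host stand apart from any unknown driver.
"""
import re
from collections import defaultdict

# Drivers that legitimately hook the SSDT on the machine in this thread:
# ZoneAlarm's TrueVector driver and DiamondCS ProcessGuard. The allow-list is
# an assumption of this example; adjust it to the products on your own host.
KNOWN_HOOKERS = {"vsdatant.sys", "procguard.sys"}

RE_ROOTKIT_DRIVER = re.compile(r"Rootkit driver (\S+) is present")
RE_HIDDEN_PROC = re.compile(r"^Process\s+(.*?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(\d+)")
RE_SSDT = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
# Drive letter, a stream-free path, then ':' and a stream name: that is an ADS.
RE_ADS_PATH = re.compile(r"^([A-Za-z]:\\[^:\s]+):([^\s\\]+)$")


def is_ads_path(path):
    """True when 'path' names an NTFS alternate data stream rather than a file."""
    return RE_ADS_PATH.match(path) is not None


def triage(text):
    """Scan log text line by line and collect the indicators listed above."""
    findings = {
        "rootkit_drivers": [],    # names from ComboFix's rootkit warning
        "ads_autoruns": [],       # (entry name, image path) with an ADS path
        "hidden_processes": [],   # (process name, pid) flagged hidden by GMER
        "ssdt_hooks": defaultdict(list),  # driver module -> hooked Zw* calls
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_ROOTKIT_DRIVER.search(line)
        if m:
            findings["rootkit_drivers"].append(m.group(1))
            continue
        m = RE_HIDDEN_PROC.match(line)
        if m:
            findings["hidden_processes"].append((m.group(1), int(m.group(2))))
            continue
        m = RE_SSDT.match(line)
        if m:
            module = m.group(1).rsplit("\\", 1)[-1].lower()
            findings["ssdt_hooks"][module].append(m.group(2))
            continue
        # Autoruns-style "<entry> <image path>" lines: the path is the last token.
        parts = line.split()
        if len(parts) >= 2 and is_ads_path(parts[-1]):
            findings["ads_autoruns"].append((parts[0], parts[-1]))
    findings["unknown_ssdt_hookers"] = sorted(set(findings["ssdt_hooks"]) - KNOWN_HOOKERS)
    return findings


def report(findings):
    """Render the findings as the short 'do not miss this' list a helper wants."""
    out = []
    for name in findings["rootkit_drivers"]:
        out.append("scanner reports rootkit driver present: %s" % name)
    for entry, path in findings["ads_autoruns"]:
        out.append("autorun '%s' loads from an alternate data stream: %s" % (entry, path))
    for name, pid in findings["hidden_processes"]:
        out.append("hidden process %s (pid %d)" % (name, pid))
    for module, hooks in sorted(findings["ssdt_hooks"].items()):
        status = "known security product" if module in KNOWN_HOOKERS else "UNKNOWN driver"
        out.append("SSDT hooks from %s (%s): %d" % (module, status, len(hooks)))
    return out


# Constructed sample: lines of the kind quoted in this thread, plus one made-up
# SSDT hook from a driver that is not on the allow-list.
SAMPLE_LOG = r"""
QuickScan did not find any signs of infected files
Rootkit driver pe386 is present. A rootkit scan is required
pe386 c:\windows\system32:lzx32.sys
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \??\C:\WINDOWS\System32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\System32\drivers\example_unknown.sys ZwQueryDirectoryFile
Process swreg.exe (*** hidden *** ) 1960 <-- ROOTKIT !!!
Process hidden process (*** hidden *** ) 2824 <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Feeding it the full ComboFix and GMER logs above surfaces the pe386 line and the three hidden processes in one short list, which is the kind of summary that keeps a single warning line from being missed among hundreds of file entries.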
     
  11. 2006/07/11
    TeMerc (Inactive Alumni)
    Not likely the worm could morph while it's on the machine, especially since we seem to have nuked it.

    Let's get another scan with the combo fix, because it sure did see that sucker and show it.
     
  12. 2006/07/11
    luxmvchok (Inactive Thread Starter)
    From what I see pe 386 is gone...

    Dear TeMerc,

    Here is the Combofix log, just in case. It's been an hour since I logged on the net and ...silence... My Outgoing log shows what it should, not a stream of SMTPs.:)

    However, there is still something that drives me crazy: The desktop background settings. WinPatrol pops up this window every five minutes telling me once again.

    A change has been detected in background page displayed on your desktop. Your new page is (Empty space here)
    If that is OK, then click Yes or press Enter.
    Click No and we’ll restore your page to the default about:Home.


    What is that? Why does it happen? I can't seem to find my desktop images, either. They are found, instead of the wallpaper folder, directly at the C:/Windows directory.

    Do you happen to know of this problem? How can I fix it? Or if this is not the right place to post this, where should I do that?

    Please, let me know if you see anything remotely suspicious in the combofix log.

    Thank you so very much for all your help with this very persistent worm. Within the last five days I've learned a lot and I feel more confident in protecting my computers.

    Be well, and thank you again.


    -------------------------------------
    Start Time= Tue 07/11/2006 15:16:38.12
    Running from: C:\My Download Files

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-09 17:06:26 ( .D... ) "C:\Program Files\CCleaner"
    2006-07-08 10:29:08 ( .D... ) "C:\Program Files\Alwil Software"
    2006-07-08 07:17:40 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
    2006-07-07 18:35:24 ( .D... ) "C:\Documents and Settings\Our Dell\Application Data\WinPatrol"
    2006-07-07 18:34:52 ( .D... ) "C:\Program Files\BillP Studios"
    2006-07-07 17:15:48 73 ( A.... ) "C:\WINDOWS\SYSTEM32\ssprs.dll"
    2006-07-07 13:33:32 47564 ( A.SHR ) "C:\NTDETECT.COM"
    2006-07-07 12:09:20 ( .D... ) "C:\Program Files\ProcessGuard"
    2006-07-07 12:08:52 ( .D... ) "C:\Program Files\Port Explorer"
    2006-07-07 07:51:34 1648 ( A.... ) "C:\run.bat"
    2006-07-07 00:28:08 ( .D... ) "C:\Program Files\Index.dat Suite"
    2006-07-06 14:03:06 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
    2006-07-06 13:20:34 ( .D... ) "C:\Program Files\Zone Labs"
    2006-07-06 11:39:40 ( .D... ) "C:\Program Files\Lavasoft"
    2006-07-06 04:19:44 ( .D... ) "C:\Documents and Settings\Our Dell\Application Data\Lavasoft"
    2006-07-06 02:09:20 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
    2006-07-05 16:57:30 44544 ( A.... ) "C:\WINDOWS\SYSTEM32\procguard.dll"
    2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
    2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
    2006-05-31 05:02:04 624640 ( A.... ) "C:\WINDOWS\SYSTEM32\aswBoot.exe"
    2006-05-31 04:54:36 90112 ( A.... ) "C:\WINDOWS\SYSTEM32\AVASTSS.scr"
    2003-09-29 15:29:14 812 ( A.... ) "C:\Program Files\INSTALL.LOG"
    2000-10-02 16:12:46 381 ( A.... ) "C:\Program Files\bpftp.reg"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-08 10:29 90,112 C:\WINDOWS\system32\AVASTSS.scr
    2006-07-08 10:29 624,640 C:\WINDOWS\system32\aswBoot.exe
    2006-07-08 07:17 745,531 C:\WINDOWS\gmer.exe
    2006-07-08 07:17 528,446 C:\WINDOWS\gmer.dll
    2006-07-08 00:00 146,432 C:\WINDOWS\REGEDIT.COM
    2006-07-08 00:00 146,432 C:\WINDOWS\R.COM
    2006-07-08 00:00 135,680 C:\WINDOWS\system32\TASKMGR.COM
    2006-07-08 00:00 135,680 C:\WINDOWS\system32\T.COM
    2006-07-07 13:47 9,216 C:\WINDOWS\system32\proxycfg.exe
    2006-07-07 13:47 59,392 C:\WINDOWS\system32\logman.exe
    2006-07-07 13:46 88,064 C:\WINDOWS\system32\p2pnetsh.dll
    2006-07-07 13:46 86,016 C:\WINDOWS\system32\p2pgasvc.dll
    2006-07-07 13:46 81,920 C:\WINDOWS\system32\ieencode.dll
    2006-07-07 13:46 81,408 C:\WINDOWS\system32\wscsvc.dll
    2006-07-07 13:46 8,192 C:\WINDOWS\system32\smbinst.exe
    2006-07-07 13:46 75,776 C:\WINDOWS\system32\strmfilt.dll
    2006-07-07 13:46 73,832 C:\WINDOWS\system32\slcoinst.dll
    2006-07-07 13:46 73,796 C:\WINDOWS\system32\slserv.exe
    2006-07-07 13:46 71,680 C:\WINDOWS\system32\blastcln.exe
    2006-07-07 13:46 7,680 C:\WINDOWS\system32\kbdsmsno.dll
    2006-07-07 13:46 7,680 C:\WINDOWS\system32\kbdsmsfi.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdukx.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdno1.dll
    2006-07-07 13:46 7,168 C:\WINDOWS\system32\kbdfi1.dll
    2006-07-07 13:46 60,416 C:\WINDOWS\system32\fwcfg.dll
    2006-07-07 13:46 6,656 C:\WINDOWS\system32\kbdinmal.dll
    2006-07-07 13:46 6,656 C:\WINDOWS\system32\kbdinben.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdmlt48.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdmlt47.dll
    2006-07-07 13:46 6,144 C:\WINDOWS\system32\kbdinbe1.dll
    2006-07-07 13:46 526,848 C:\WINDOWS\system32\p2psvc.dll
    2006-07-07 13:46 516,768 C:\WINDOWS\system32\ativvaxx.dll
    2006-07-07 13:46 50,688 C:\WINDOWS\system32\btpanui.dll
    2006-07-07 13:46 50,176 C:\WINDOWS\system32\xmlprovi.dll
    2006-07-07 13:46 5,632 C:\WINDOWS\system32\kbdmaori.dll
    2006-07-07 13:46 49,152 C:\WINDOWS\system32\powercfg.exe
    2006-07-07 13:46 48,640 C:\WINDOWS\system32\pnrpnsp.dll
    2006-07-07 13:46 44,032 C:\WINDOWS\system32\twext.dll
    2006-07-07 13:46 397,056 C:\WINDOWS\system32\s3gnb.dll
    2006-07-07 13:46 384,512 C:\WINDOWS\system32\mp4sdmod.dll
    2006-07-07 13:46 377,984 C:\WINDOWS\system32\ati2dvaa.dll
    2006-07-07 13:46 32,866 C:\WINDOWS\system32\slrundll.exe
    2006-07-07 13:46 32,866 C:\WINDOWS\slrundll.exe
    2006-07-07 13:46 32,768 C:\WINDOWS\system32\ativtmxx.dll
    2006-07-07 13:46 32,285 C:\WINDOWS\system32\hsfcisp2.dll
    2006-07-07 13:46 312,320 C:\WINDOWS\system32\p2pgraph.dll
    2006-07-07 13:46 30,208 C:\WINDOWS\system32\bthserv.dll
    2006-07-07 13:46 29,184 C:\WINDOWS\system32\sdhcinst.dll
    2006-07-07 13:46 286,792 C:\WINDOWS\system32\slextspk.dll
    2006-07-07 13:46 24,576 C:\WINDOWS\system32\httpapi.dll
    2006-07-07 13:46 229,376 C:\WINDOWS\system32\ati2cqag.dll
    2006-07-07 13:46 22,528 C:\WINDOWS\system32\fltmc.exe
    2006-07-07 13:46 20,992 C:\WINDOWS\system32\bthci.dll
    2006-07-07 13:46 2,113,536 C:\WINDOWS\system32\dxdiagn.dll
    2006-07-07 13:46 193,024 C:\WINDOWS\system32\fsquirt.exe
    2006-07-07 13:46 188,508 C:\WINDOWS\system32\slgen.dll
    2006-07-07 13:46 17,408 C:\WINDOWS\system32\winshfhc.dll
    2006-07-07 13:46 16,896 C:\WINDOWS\system32\fltlib.dll
    2006-07-07 13:46 15,872 C:\WINDOWS\system32\w3ssl.dll
    2006-07-07 13:46 14,336 C:\WINDOWS\system32\auditusr.exe
    2006-07-07 13:46 13,824 C:\WINDOWS\system32\wscntfy.exe
    2006-07-07 13:46 13,824 C:\WINDOWS\system32\cmsetacl.dll
    2006-07-07 13:46 129,536 C:\WINDOWS\system32\xmlprov.dll
    2006-07-07 13:46 118,784 C:\WINDOWS\system32\msdadiag.dll
    2006-07-07 13:46 116,224 C:\WINDOWS\system32\p2p.dll
    2006-07-07 13:46 108,032 C:\WINDOWS\system32\wshbth.dll
    2006-07-07 13:46 1,737,856 C:\WINDOWS\system32\mtxparhd.dll
    2006-07-07 13:46 1,689,088 C:\WINDOWS\system32\d3d9.dll
    2006-07-07 12:59 44,544 C:\WINDOWS\system32\procguard.dll
    2006-07-07 12:08 7,440 C:\WINDOWS\system32\sporder.dll
    2006-07-07 12:08 42,496 C:\WINDOWS\system32\dcsws2.dll
    2006-07-07 00:50 1,648 C:\run.bat
    2006-07-06 13:20 79,616 C:\WINDOWS\system32\zlcomm.dll
    2006-07-06 13:20 71,424 C:\WINDOWS\system32\zlcommdb.dll
    2006-07-06 13:20 71,424 C:\WINDOWS\system32\vsregexp.dll
    2006-07-06 13:20 368,256 C:\WINDOWS\system32\vsdatant.sys
    2006-07-06 13:20 227,072 C:\WINDOWS\system32\vspubapi.dll
    2006-07-06 13:20 104,192 C:\WINDOWS\system32\vsmonapi.dll
    2006-07-06 13:20 100,096 C:\WINDOWS\system32\vsxml.dll
    2006-07-06 13:19 83,712 C:\WINDOWS\system32\vsdata.dll
    2006-07-06 13:19 382,720 C:\WINDOWS\system32\vsutil.dll
    2006-07-06 13:19 141,056 C:\WINDOWS\system32\vsinit.dll
    2006-07-06 00:36 22,752 C:\WINDOWS\system32\spupdsvc.exe
    2006-07-06 00:29 18,200 C:\WINDOWS\system32\wups2.dll
    2006-06-19 16:20 702,768 C:\WINDOWS\system32\WgaLogon.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIModeChange"="Ati2mdxx.exe"
    "CARPService"="carpserv.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
    "DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
    "NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "ATIPTA"="C:\\PROGRAM FILES\\ATI TECHNOLOGIES\\ATI CONTROL PANEL\\ATIPTAXX.EXE"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
    "Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
    "!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
    "WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



    Contents of the 'Scheduled Tasks' folder

    Completion time: Tue 07/11/2006 15:17:36.81
    ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

    ComboFix.2006-07-09.075759.txt
    ComboFix.2006-07-10.022233.txt
    ComboFix.2006-07-11.151638.txt
     
  13. 2006/07/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's get to deleting a few files:
    C:\WINDOWS\REGEDIT.COM
    C:\WINDOWS\R.COM
    C:\WINDOWS\system32\TASKMGR.COM
    C:\WINDOWS\system32\T.COM

    Let's also use Notepad to open this file:
    C:\run.bat<<<this file

    Post results back here.

    To get a look at desktop settings we're going to run the first fix option from SmitfraudFix.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
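    As an added example (not code from the thread, from ComboFix or from any tool named here), this Python script applies the same reasoning to the "Files Created - Last 30days" listing posted above: it flags a .COM whose name matches a built-in tool (cmd.exe resolves a bare command through PATHEXT, which lists .COM before .EXE) and groups of same-size .COM files created together in one folder. The sample lines are copied from the log in the thread; the tool-name set is an assumption of the example.

```python
"""Triage a ComboFix 'Files Created' listing for .COM files that may
shadow built-in Windows tools. Added example; sample lines are copied
from the thread, the tool-name set is this example's assumption."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One listing line: date, time, size with thousands separators, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<path>.+?)\s*$"
)

# Built-in tools a dropped .COM can shadow: cmd.exe resolves a bare
# 'regedit' through PATHEXT, which lists .COM before .EXE, so a
# REGEDIT.COM beside regedit.exe is what actually runs. Assumed set.
SHADOWED_TOOLS = {"regedit", "taskmgr", "cmd", "msconfig"}


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: int
    path: str

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(m["size"].replace(",", ""))
    return Entry(m["date"], m["time"], size, m["path"])


def parse_listing(text: str) -> list[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def find_suspicious_coms(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each flagged .COM path to the reasons it was flagged."""
    reasons: dict[str, list[str]] = defaultdict(list)
    coms = [e for e in entries if e.name.endswith(".com")]

    # Rule 1: the .COM's stem is the name of a built-in tool.
    for e in coms:
        stem = e.name[:-4]
        if stem in SHADOWED_TOOLS:
            reasons[e.path].append(f"shadows {stem}.exe (PATHEXT prefers .COM)")

    # Rule 2: several .COM files in one folder with identical size and
    # timestamp, the look of one binary copied under short aliases.
    groups: dict[tuple, list[Entry]] = defaultdict(list)
    for e in coms:
        groups[(e.folder, e.size, e.date, e.time)].append(e)
    for (_, size, _, _), members in groups.items():
        if len(members) > 1:
            names = ", ".join(sorted(m.name for m in members))
            for m in members:
                reasons[m.path].append(f"same-size copies ({size} bytes): {names}")
    return dict(reasons)


# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE = """\
2006-07-08 07:17 528,446 C:\\WINDOWS\\gmer.dll
2006-07-08 00:00 146,432 C:\\WINDOWS\\REGEDIT.COM
2006-07-08 00:00 146,432 C:\\WINDOWS\\R.COM
2006-07-08 00:00 135,680 C:\\WINDOWS\\system32\\TASKMGR.COM
2006-07-08 00:00 135,680 C:\\WINDOWS\\system32\\T.COM
2006-07-07 13:47 9,216 C:\\WINDOWS\\system32\\proxycfg.exe
2006-07-07 00:50 1,648 C:\\run.bat
"""


def triage(text: str = SAMPLE) -> dict[str, list[str]]:
    return find_suspicious_coms(parse_listing(text))


if __name__ == "__main__":
    for path, why in sorted(triage().items()):
        print(path)
        for reason in why:
            print("   -", reason)
```

    A flagged .COM is a lead, not proof of infection: compare it against the size and hash of the genuine .exe first, since some cleanup tools create renamed copies of regedit.exe and taskmgr.exe for their own use.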
     
  14. 2006/07/11
    luxmvchok

    luxmvchok Inactive Thread Starter

    Joined:
    2006/07/06
    Messages:
    22
    Likes Received:
    0
    Done. And thank you, once again, for your time and help.

    @echo off
    echo This file will delete all index.dat files listed below. The Cookies, Temporary Internet Files, History, Temp folders, Recent Documents folder, swap file and any additional files or folders, will be cleared as per user Settings.
    echo.
    echo Please note, use of this file is AT YOUR OWN RISK, Ur I.T. Mate Group will NOT be held liable for any problems caused due to the use of this file or any part of the Index.dat Suite software


    del "C:\DOCUME~1\OURDEL~1\APPLIC~1\Adobe\FILEBR~1\PHOTOS~1\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MS19DC~1\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MS1931~1\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MSHIST~1\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MSHIST~2\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MSHIST~3\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MSHIST~4\index.dat"
    del "C:\DOCUME~1\OURDEL~1\LOCALS~1\History\History.IE5\MS77B5~1\index.dat"
    del "C:\DOCUME~1\OURDEL~1\UserData\index.dat"
    del "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\History\History.IE5\MSHIST~1\index.dat"
    cd C:\DOCUME~1\OURDEL~1\
    rd /s /q C:\DOCUME~1\OURDEL~1\Cookies
    cd C:\DOCUME~1\OURDEL~1\LOCALS~1\
    rd /s /q C:\DOCUME~1\OURDEL~1\LOCALS~1\History
    cd C:\DOCUME~1\OURDEL~1\LOCALS~1\Temp\
    rd /s /q C:\DOCUME~1\OURDEL~1\LOCALS~1\Temp\
    cd C:\DOCUME~1\OURDEL~1\LOCALS~1\
    rd /s /q C:\DOCUME~1\OURDEL~1\LOCALS~1\TEMPOR~1
    cd C:\DOCUME~1\OURDEL~1\
    rd /s /q C:\DOCUME~1\OURDEL~1\Recent
    cd C:\WINDOWS\
    del /s /q C:\WINDOWS\Prefetch\*.*
    defrag C:
    exit
    cls

    SmitFraudFix v2.69

    Scan done at 22:01:40.73, Tue 07/11/2006
    Run from C:\Documents and Settings\Our Dell\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Our Dell\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OURDEL~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  15. 2006/07/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    <sigh> Yet another tool to check for registry strings. :rolleyes:

    Please download OldTimer's Winpfind from here:
    http://www.bleepingcomputer.com/files/winpfind.php
    Unzip it to the desktop and run Winpfind.exe.

    Under 'plugins' checkmark the 'policies.def'

    Once the scan is finished, please CLOSE the Notepad window that pops up.
    Note: Just post the registry part of the log, and not anything else.
     
  16. 2006/07/12
    luxmvchok

    luxmvchok Inactive Thread Starter

    Joined:
    2006/07/06
    Messages:
    22
    Likes Received:
    0
    First off, thank you for checking all the alternatives regarding my desktop issue. I think, however, that it is a Windows XP problem. I have a desktop computer that I upgraded to XP SP2 at the same time with the laptop. I have the same desktop image in both of them. My desktop works perfectly well, I can change the desktop to whatever I want. I looked at both registries and here are some of the differences I managed to find that seem pertinent to my problem (I am sure there are a lot more settings concerning the desktop...).

    HKCU\ControlPanel\Desktop in the original wallpaper tag my laptop has c:\windows\Azul.bmp

    while in my desktop there is the generic one
    c:\documents and settings\owner\Local settings\application data\microsoft\wallpaper1.bmp

    Same differences occur within HKCU\software\Microsoft\Internet Explorer\Desktop\General

    My laptop has in the tags %SystemRoot%\Azul.bmp while my desktop has
    %userprofile%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

    The annoying pop up stopped and the screen saver is working well right now, the problem, however, of not being able to change any of the desktop images continues. I am locked in Azul!

    I don't know what you can figure out, I hope it is NOT a virus. Below is the log you requested.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180


    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
    {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
    {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat Elements\ContextMenu.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
    {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
    {472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
    {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
    {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
    Yahoo! Companion BHO = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    Real.com = C:\WINDOWS\System32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    ButtonText = Real.com :

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ATIModeChange Ati2mdxx.exe
    CARPService carpserv.exe
    SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
    DVDSentry C:\WINDOWS\System32\DSentry.exe
    AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
    NeroCheck C:\WINDOWS\system32\NeroCheck.exe
    AdobeVersionCue C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    ATIPTA C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    !1_pgaccount "C:\Program Files\ProcessGuard\pgaccount.exe"
    WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    !1_ProcessGuard_Startup "C:\Program Files\ProcessGuard\procguard.exe" -minimize

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145
    NoActiveDesktop 1
    ClassicShell 0
    ForceActiveDesktopOn 0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
    = C:\WINDOWS\System32\NavLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    <<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 7/12/2006 9:15:52 AM
     
  17. 2006/07/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I'm not seeing anything jumping out at me, and Tammy has been offline most of the day, and that either means storms or power interruptions.

    I'll get her to look ASAP.
     
  18. 2006/07/13
    luxmvchok

    luxmvchok Inactive Thread Starter

    Joined:
    2006/07/06
    Messages:
    22
    Likes Received:
    0

    Any news regarding the log? Computer seems stable, desktop still cannot change. I found a fix named wallpaperenable.reg in one of the posts in the XP forum but before I try anything with the registry I would like to make sure that all is well with my system in general.

    Thank you once again for your help. I feel relieved that I don't have to reformat my hard drive!
     
  19. 2006/07/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Tammy has not gotten back to me. Any fix from Kelly's Korner is a valid fix; run it and let me know how that goes.

    Sorry I didn't get back to you sooner.
     
  20. 2006/07/16
    luxmvchok

    luxmvchok Inactive Thread Starter

    Joined:
    2006/07/06
    Messages:
    22
    Likes Received:
    0
    No problem. I will run the fix and hopefully that will do the trick. I will let you know how that goes. Thanks for still checking...

    The system has been stable but Ewido has detected remnants of this file:

    C:\WINDOWS\System32:lzx32.sys

    Which, by the way, belongs to PE386 or Backdoor.Rustock.B, as Symantec names it. I don't know if this website is OK to download the removal kit from, but here is what I found...

    http://www.2-spyware.com/remove-rustock-b.html

    I also tried another solution: I ran Gmer on the safe mode, used the cmd tab to type

    type nul > "C:\WINDOWS\System32:lzx32.sys"

    and restarted the computer. I ran Ewido again and voila!!!! NO more hidden files.

    I don't know if there is anything else malware-wise I should take care of, so if you have any more suggestions, please, let me know.

    Thanks for your time and effort to help me. Now I have a great collection of tools :) to help me stay clean.
     
  21. 2006/07/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let me know about that fix.

    That GMER tool is super; although still in heavy beta, it's being touted as the best rootkit tool out there. It's also very dangerous and needs to be used with care. I only use it when supervised by my own expert, Tammy\Blender.

    Stay clear of that 2-spyware site, all they do is push their own apps, affiliates and such.

    Well, seeing as you are all cleaned up, let's finish off with my final speech.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, it is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     