
Hijacked! [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2006/09/20.

  1. 2006/09/20
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Hi there, I am back and this time with a brand new challenge for you to diagnose and help back to life.

    I can only get this computer to start in Safe mode or with the diagnostic option enabled... which then means I can't get on the net with it.

    I suspect something is getting in at startup and causing its problems. If I try a normal startup it comes up with a BSOD with the error
    DRIVER_IRQL_NOT_LESS_OR_EQUAL, then it restarts after a memory dump.

    Please help!

    Thanks,
    Tony.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:38:26 PM, on 7/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\spyware\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [RunNarrator] Narrator.exe
    O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?310
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
     
    Last edited: 2006/09/20
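    As an added example (not part of the thread and not HijackThis code), the script below scans O4/O23 lines in the HJT v1.99.1 format shown above and flags the patterns an analyst would pick out by eye in this thread: executables with random-looking hex names, the same Run entry name registered under both HKLM and HKCU with different images, autoruns living in the user profile's Local Settings data folders, and services pointing at missing files. The sample lines are copied from this thread's logs; the heuristics and names are mine.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample: O4/O23 lines copied from the HijackThis logs in this thread.
    SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
    """

    # Line shapes in a HijackThis v1.99.1 log:
    #   O4 - HKLM\..\Run: [Name] C:\path\image.exe /args
    #   O23 - Service: Display name - Owner - C:\path\image.exe (file missing)
    O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
    O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
    HEX_STEM_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)   # e.g. 03f907e7
    PROFILE_DATA_RE = re.compile(r"\\Local Settings\\(Application Data|Temp)\\", re.IGNORECASE)


    def command_image(cmd):
        """Return the executable image of a Run command, honouring a quoted path."""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return (cmd[1:end] if end > 0 else cmd[1:]).strip()
        return cmd.split(" ", 1)[0]


    def analyze_hjt(log_text):
        """Return (line, reason) pairs for entries an analyst should look at by hand."""
        findings = []
        images_by_name = defaultdict(list)   # Run-entry name -> [(hive, image)]
        for raw in log_text.splitlines():
            line = raw.strip()
            m = O4_RE.match(line)
            if m:
                image = command_image(m.group("cmd"))
                stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                images_by_name[m.group("name")].append((m.group("hive"), image.lower()))
                if HEX_STEM_RE.match(stem):
                    findings.append((line, "random-looking hex file name"))
                if PROFILE_DATA_RE.search(image):
                    findings.append((line, "autorun image in the user's Local Settings data/temp folder"))
                continue
            m = O23_RE.match(line)
            if m and m.group("cmd").endswith("(file missing)"):
                findings.append((line, "service points at a missing file (orphaned entry)"))
        # A second pass catches the same Run name planted in both hives with different images.
        for name, entries in images_by_name.items():
            hives = {hive for hive, _ in entries}
            if {"HKLM", "HKCU"} <= hives and len({img for _, img in entries}) > 1:
                findings.append((f"[{name}]", "same Run name in HKLM and HKCU with different images"))
        return findings


    if __name__ == "__main__":
        for where, why in analyze_hjt(SAMPLE_LOG):
            print(f"{why}: {where}")
    ```

    The script only reports; removal decisions stay with the person reading the log, as in the thread.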
  2. 2006/09/20
    quirkymac

    quirkymac Inactive Thread Starter

    Not one for sitting idle, I have run ewido in safe mode with system files showing and all hidden files and folders showing. I quarantined a bunch of stuff and now can manage to log into Windows without using diagnostic startup or safe mode.

    I have also run ComboFix (after I read TeMerc's advice to someone else that it would do no harm).

    Here is the log from ComboFix:
    Billy the Kid - 06-07-24 14:24:56.45 Service Pack 1
    ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Billy the Kid\Desktop\spyware "
    Command switches used ::

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\vxgame1.exe
    C:\WINDOWS\system32\vxgame3.exe
    C:\WINDOWS\system32\vxgame4.exe
    C:\WINDOWS\system32\vxgamet1.exe
    C:\WINDOWS\system32\vxgamet2.exe
    C:\Documents and Settings\Billy the Kid\Application Data\Install.dat
    C:\WINDOWS\system32\kernels8.exe
    C:\WINDOWS\system32\maxd641.exe
    C:\WINDOWS\xpupdate.exe
    C:\Documents and Settings\All Users\Documents\Settings


    ((((((((((((((((((((((((((((((( Files Created from 2006-06-24 to 2006-07-24 ))))))))))))))))))))))))))))))))))


    2006-07-24 14:24 11,303 --a------ C:\anp.exe
    2006-07-24 14:12 5,120 --a------ C:\WINDOWS\system32\tcusbdrv.dll
    2006-07-24 08:36 72,192 --a------ C:\WINDOWS\system32\vdpaiie.dll
    2006-07-24 08:36 15,104 --a------ C:\WINDOWS\system32\stonedrv.exe
    2006-07-24 08:35 95,232 --a------ C:\WINDOWS\system32\tanfdtf.dll
    2006-07-24 08:35 6,656 --a------ C:\WINDOWS\system32\intell321.exe
    2006-07-24 08:35 6,082 --a------ C:\WINDOWS\system32\dlh9jkdq6.exe
    2006-07-24 08:35 6,031 --a------ C:\WINDOWS\system32\dlh9jkdq7.exe
    2006-07-24 08:35 4,275 --a------ C:\WINDOWS\system32\dlh9jkdq5.exe
    2006-07-24 08:35 3,072 --a------ C:\WINDOWS\uninstDsk.exe
    2006-07-24 08:35 17,807 --a------ C:\WINDOWS\system32\dlh9jkdq2.exe
    2006-07-24 08:35 13 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
    2006-07-24 08:33 4,096 --a------ C:\WINDOWS\system32\ntsystem.exe
    2006-07-23 22:13 4,608 --a------ C:\WINDOWS\system32\ntoskrnl.dll
    2006-07-23 15:57 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
    2006-06-28 17:51 17,920 --a------ C:\WINDOWS\system32\mdimon.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2006-07-24 14:25 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-07-24 14:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-07-24 12:24 -------- d-------- C:\Program Files\Inoculator
    2006-07-24 08:36 -------- d-------- C:\Program Files\BraveSentry
    2006-07-23 16:07 -------- d--h----- C:\Program Files\WindowsUpdate
    2006-07-23 15:42 -------- d-------- C:\Documents and Settings\Billy the Kid\Application Data\Macromedia
    2006-07-20 09:12 -------- d---s---- C:\Documents and Settings\Billy the Kid\Application Data\Microsoft
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files
    2006-06-28 17:48 -------- d-------- C:\Program Files\Microsoft.NET
    2006-06-28 17:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Works
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Office
    2006-06-28 17:44 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-06-28 17:43 -------- d-------- C:\Program Files\Common Files\System
    2006-05-16 18:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2006-05-16 18:38 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background "
    "Yahoo! Pager "= "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet "
    "ctfmon.exe "= "C:\\WINDOWS\\System32\\ctfmon.exe "
    "03f907e7.exe "= "C:\\Documents and Settings\\Billy the Kid\\Local Settings\\Application Data\\03f907e7.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Disc Detector "= "C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe "
    "gwiz "= "C:\\WINDOWS\\System32\\ntsystem.exe "
    "!ewido "= "\ "C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized "
    "WinFoxV2 "= "C:\\WINDOWS\\System32\\WF2K.EXE "
    "WinFast2KLoadDefault "= "rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings "
    "WinFast Schedule "= "C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "Pop3trap.exe "= "\ "C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\" "
    "pccguide.exe "= "\ "C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\" "
    "PCCClient.exe "= "\ "C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\" "
    "nwiz "= "nwiz.exe /install "
    "NvCplDaemon "= "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "
    "NeroCheck "= "C:\\WINDOWS\\System32\\NeroCheck.exe "
    "LogonStudio "= "\ "C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM "
    "KernelFaultCheck "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "intell321.exe "= "C:\\WINDOWS\\System32\\intell321.exe "
    "Inoculator "= "C:\\Program Files\\Inoculator\\inoc.exe "
    "HPDJ Taskbar Utility "= "C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe "
    "FSW "= "C:\\Program Files\\FSW\\FSW.EXE "
    "CARPService "= "carpserv.exe "
    "CapFax "= "C:\\Program Files\\Classic PhoneTools\\CapFax.EXE "
    "C-Media Mixer "= "Mixer.exe /startup "
    "03f907e7.exe "= "C:\\WINDOWS\\System32\\03f907e7.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
    "Flag "=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\WINDOWS\\warnhp.html "
    "SubscribedURL "=" "
    "FriendlyName "= "Desktop Uninstall "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000002
    "OriginalStateInfo "=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,02,00,00,40
    "RestoredStateInfo "=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,\
    00,00,01,00,00,40
    "RestoredStateInfo "=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator "= "Narrator.exe "
    "tscuninstall "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator "= "Narrator.exe "
    "tscuninstall "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=hex:5f,00,00,00
    "NoInstrumentation "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "RestrictRun "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "ClearRecentDocsOnExit "=dword:00000001
    "NoRecentDocsHistory "=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Mon 07/24/2006 14:26:05.14
    ComboFix.txt
     


  4. 2006/09/20
    quirkymac

    quirkymac Inactive Thread Starter

    And the HJT log following the ComboFix run (note I did not restart in between):
    Logfile of HijackThis v1.99.1
    Scan saved at 2:34:16 PM, on 7/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSVCCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\WINDOWS\System32\intell321.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\spyware\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe "
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
    O4 - Startup: MR Tech Systray.lnk = C:\Program Files\MR Tech Systray\mrsystray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?310
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
     
  5. 2006/09/20
    quirkymac

    quirkymac Inactive Thread Starter

    As per other postings, I also downloaded BlackLight and ran the scan. Results:
    07/24/06 14:45:10 [Info]: BlackLight Engine 1.0.46 initialized
    07/24/06 14:45:10 [Info]: OS: 5.1 build 2600 (Service Pack 1)
    07/24/06 14:45:10 [Note]: 7019 4
    07/24/06 14:45:10 [Note]: 7005 0
    07/24/06 14:45:28 [Note]: 7006 0
    07/24/06 14:45:28 [Note]: 7011 1092
    07/24/06 14:45:28 [Note]: 7026 0
    07/24/06 14:45:28 [Note]: 7026 0
    07/24/06 14:45:37 [Note]: FSRAW library version 1.7.1019
    07/24/06 14:53:53 [Note]: 7007 0

    QM
     
  6. 2006/09/20
    quirkymac

    quirkymac Inactive Thread Starter

    I also ran GMER from the Windows folder with the registry option unticked. Results:

    GMER 1.0.11.11349 - http://www.gmer.net
    Rootkit 2006-07-24 15:01:06
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.11 ----

    SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

    SYSENTER ? ED937ED5

    ---- Modules - GMER 1.0.11 ----

    Module (noname) (*** hidden *** ) ED933000

    ---- Threads - GMER 1.0.11 ----

    Thread 4:1300 ED935F6C

    ---- Processes - GMER 1.0.11 ----

    Process guard.exe (*** hidden *** ) [1808] 8283D808

    ---- Services - GMER 1.0.11 ----

    Service C:\WINDOWS\System32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.11 ----

    ADS C:\codeworkx.exe:SummaryInformation
    ADS C:\codeworkx.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS ...
    ADS C:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.11 ----
     
  7. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Right... things were starting to look OK. I was just running an Ad-Aware scan when the computer spat the dummy with the following error:
    BAD_POOL_CALLER with a BSOD and a memory dump.

    Oops!!
     
  8. 2006/09/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well well, busy busy I see. :p

    We need to get rid of the rk first with GMER and HJT.

    Open GMER
    • Select the Services tab
    • Find the service called pe386
    • Right-click it and select Delete
    • Close GMER and Reboot

    Open HJT.
    • Click the config button
    • Then click on the Misc Tools button
    • Then click the Open ADS Spy button
    • Then untick the 'Quick scan (Windows base folder only)' box
    • Then click the Scan button
    • When it finds the file, select it and hit the Remove Selected button
    • Close HJT

    Reboot and run ComboFix first, then HJT and finally GMER then post all logs back into this thread.

    We will have more to clean up no doubt.
     
  9. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Done.

    ComboFix report:

    Billy the Kid - 06-07-24 17:30:50.57 Service Pack 1
    ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Billy the Kid\Desktop\spyware "
    Command switches used ::

    ((((((((((((((((((((((((((((((( Files Created from 2006-06-24 to 2006-07-24 ))))))))))))))))))))))))))))))))))


    2006-07-24 17:30 35,840 --a------ C:\anp.exe
    2006-07-24 16:28 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-07-24 16:13 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2006-07-24 16:13 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2006-07-24 16:13 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-07-24 16:13 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
    2006-07-24 16:12 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2006-07-24 16:03 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
    2006-07-24 16:03 41,240 --a------ C:\WINDOWS\system32\wups.dll
    2006-07-24 16:03 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2006-07-24 16:03 18,200 --a------ C:\WINDOWS\system32\wups2.dll
    2006-07-24 16:03 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2006-07-24 16:03 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
    2006-07-24 15:47 4,096 --a------ C:\WINDOWS\system32\ntsystem.exe
    2006-07-24 14:12 5,120 --a------ C:\WINDOWS\system32\tcusbdrv.dll
    2006-07-24 08:36 72,192 --a------ C:\WINDOWS\system32\vdpaiie.dll
    2006-07-24 08:36 15,104 --a------ C:\WINDOWS\system32\stonedrv.exe
    2006-07-24 08:35 95,232 --a------ C:\WINDOWS\system32\tanfdtf.dll
    2006-07-24 08:35 6,082 --a------ C:\WINDOWS\system32\dlh9jkdq6.exe
    2006-07-24 08:35 6,031 --a------ C:\WINDOWS\system32\dlh9jkdq7.exe
    2006-07-24 08:35 4,275 --a------ C:\WINDOWS\system32\dlh9jkdq5.exe
    2006-07-24 08:35 3,072 --a------ C:\WINDOWS\uninstDsk.exe
    2006-07-24 08:35 17,807 --a------ C:\WINDOWS\system32\dlh9jkdq2.exe
    2006-07-24 08:35 13 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
    2006-07-23 22:13 4,608 --a------ C:\WINDOWS\system32\ntoskrnl.dll
    2006-07-23 15:57 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
    2006-06-28 17:51 17,920 --a------ C:\WINDOWS\system32\mdimon.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-24 17:26 -------- d-------- C:\Program Files\hijackthis
    2006-07-24 16:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-07-24 16:49 -------- d-------- C:\Program Files\HighGrow
    2006-07-24 16:49 -------- d-------- C:\Program Files\GetRight
    2006-07-24 15:17 -------- d-------- C:\Program Files\Lavasoft
    2006-07-24 14:27 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-07-24 12:24 -------- d-------- C:\Program Files\Inoculator
    2006-07-24 08:36 -------- d-------- C:\Program Files\BraveSentry
    2006-07-23 16:07 -------- d--h----- C:\Program Files\WindowsUpdate
    2006-07-23 15:42 -------- d-------- C:\Documents and Settings\Billy the Kid\Application Data\Macromedia
    2006-07-20 09:12 -------- d---s---- C:\Documents and Settings\Billy the Kid\Application Data\Microsoft
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files
    2006-06-28 17:48 -------- d-------- C:\Program Files\Microsoft.NET
    2006-06-28 17:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Works
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Office
    2006-06-28 17:44 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-06-28 17:43 -------- d-------- C:\Program Files\Common Files\System
    2006-05-16 18:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2006-05-16 18:38 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
    "Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "03f907e7.exe"="C:\\Documents and Settings\\Billy the Kid\\Local Settings\\Application Data\\03f907e7.exe"
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
    "WinFoxV2"="C:\\WINDOWS\\System32\\WF2K.EXE"
    "WinFast2KLoadDefault"="rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings"
    "WinFast Schedule"="C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "nwiz"="nwiz.exe /install"
    "NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
    "NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
    "LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "Inoculator"="C:\\Program Files\\Inoculator\\inoc.exe"
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
    "FSW"="C:\\Program Files\\FSW\\FSW.EXE"
    "CARPService"="carpserv.exe"
    "CapFax"="C:\\Program Files\\Classic PhoneTools\\CapFax.EXE"
    "C-Media Mixer"="Mixer.exe /startup"
    "03f907e7.exe"="C:\\WINDOWS\\System32\\03f907e7.exe"
    "gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
    "Flag"=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\WINDOWS\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:02,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,02,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"
    "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"
    "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=hex:5f,00,00,00
    "NoInstrumentation"=dword:00000000
    "NoToolbarCustomize"=dword:00000000
    "RestrictRun"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "ClearRecentDocsOnExit"=dword:00000001
    "NoRecentDocsHistory"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Mon 07/24/2006 17:31:04.50
    ComboFix.txt
    ComboFix2.txt
     
  10. 2006/09/21
    quirkymac Inactive Thread Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 5:34:28 PM, on 7/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSVCCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153720701531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153724987734
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?310
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
     
  11. 2006/09/21
    quirkymac Inactive Thread Starter

    Gmer report

    GMER 1.0.11.11349 - http://www.gmer.net
    Rootkit 2006-07-24 17:36:15
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.11 ----

    SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

    ---- Files - GMER 1.0.11 ----

    ADS C:\codeworkx.exe:SummaryInformation
    ADS C:\codeworkx.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS ...

    ---- EOF - GMER 1.0.11 ----
     
  12. 2006/09/21
    TeMerc Inactive Alumni

    Very good, let's remove what's been found.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\tcusbdrv.dll
    C:\WINDOWS\system32\vdpaiie.dll
    C:\WINDOWS\system32\stonedrv.exe
    C:\WINDOWS\system32\tanfdtf.dll
    C:\WINDOWS\system32\dlh9jkdq6.exe
    C:\WINDOWS\system32\dlh9jkdq7.exe
    C:\WINDOWS\system32\dlh9jkdq5.exe
    C:\WINDOWS\uninstDsk.exe
    C:\WINDOWS\system32\dlh9jkdq2.exe
    C:\WINDOWS\system32\dlh9jkdq8.exe
    C:\Program Files\BraveSentry
    C:\Program Files\WindowsUpdate
    C:\WINDOWS\System32\03f907e7.exe
    C:\WINDOWS\System32\ntsystem.exe
    C:\WINDOWS\warnhp.html

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  13. 2006/09/21
    quirkymac Inactive Thread Starter

    Thank you Doctor!
    The patient is recovering nicely....

    Billy the Kid - 06-07-24 18:14:09.25 Service Pack 1
    ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Billy the Kid\Desktop\spyware"
    Command switches used ::

    ((((((((((((((((((((((((((((((( Files Created from 2006-06-24 to 2006-07-24 ))))))))))))))))))))))))))))))))))


    2006-07-24 18:12 35,840 --a------ C:\anp.exe
    2006-07-24 18:09 4,096 --a------ C:\WINDOWS\system32\ntsystem.exe
    2006-07-24 16:28 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-07-24 16:13 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2006-07-24 16:13 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2006-07-24 16:13 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-07-24 16:13 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
    2006-07-24 16:12 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2006-07-24 16:03 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
    2006-07-24 16:03 41,240 --a------ C:\WINDOWS\system32\wups.dll
    2006-07-24 16:03 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2006-07-24 16:03 18,200 --a------ C:\WINDOWS\system32\wups2.dll
    2006-07-24 16:03 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2006-07-24 16:03 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
    2006-07-23 22:13 4,608 --a------ C:\WINDOWS\system32\ntoskrnl.dll
    2006-07-23 15:57 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
    2006-06-28 17:51 17,920 --a------ C:\WINDOWS\system32\mdimon.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-24 17:34 -------- d-------- C:\Program Files\hijackthis
    2006-07-24 16:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-07-24 16:49 -------- d-------- C:\Program Files\HighGrow
    2006-07-24 16:49 -------- d-------- C:\Program Files\GetRight
    2006-07-24 15:17 -------- d-------- C:\Program Files\Lavasoft
    2006-07-24 14:27 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-07-24 12:24 -------- d-------- C:\Program Files\Inoculator
    2006-07-24 08:36 -------- d-------- C:\Program Files\BraveSentry
    2006-07-23 16:07 -------- d-------- C:\Program Files\WindowsUpdate
    2006-07-23 15:42 -------- d-------- C:\Documents and Settings\Billy the Kid\Application Data\Macromedia
    2006-07-20 09:12 -------- d---s---- C:\Documents and Settings\Billy the Kid\Application Data\Microsoft
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files
    2006-06-28 17:48 -------- d-------- C:\Program Files\Microsoft.NET
    2006-06-28 17:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Works
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Office
    2006-06-28 17:44 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-06-28 17:43 -------- d-------- C:\Program Files\Common Files\System
    2006-05-16 18:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2006-05-16 18:38 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
    "Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "03f907e7.exe"="C:\\Documents and Settings\\Billy the Kid\\Local Settings\\Application Data\\03f907e7.exe"
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
    "WinFoxV2"="C:\\WINDOWS\\System32\\WF2K.EXE"
    "WinFast2KLoadDefault"="rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings"
    "WinFast Schedule"="C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "nwiz"="nwiz.exe /install"
    "NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
    "NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
    "LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "Inoculator"="C:\\Program Files\\Inoculator\\inoc.exe"
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
    "FSW"="C:\\Program Files\\FSW\\FSW.EXE"
    "CARPService"="carpserv.exe"
    "CapFax"="C:\\Program Files\\Classic PhoneTools\\CapFax.EXE"
    "C-Media Mixer"="Mixer.exe /startup"
    "03f907e7.exe"="C:\\WINDOWS\\System32\\03f907e7.exe"
    "gwiz"="C:\\WINDOWS\\System32\\ntsystem.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
    "Flag"=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\WINDOWS\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:02,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,02,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,01,00,00,00,34,03,00,00,ff,02,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"
    "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"
    "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=hex:5f,00,00,00
    "NoInstrumentation"=dword:00000000
    "NoToolbarCustomize"=dword:00000000
    "RestrictRun"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "ClearRecentDocsOnExit"=dword:00000001
    "NoRecentDocsHistory"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Mon 07/24/2006 18:14:32.51
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
  14. 2006/09/21
    quirkymac Inactive Thread Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 6:16:15 PM, on 7/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINDOWS\System32\WF2K.EXE
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\CTSVCCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153720701531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153724987734
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?310
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
     
  15. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    I don't think this is related, but this computer also gets a debug box popping up, especially when I am on windowsbbs.com, that states there is a runtime error in line 2, expecting {....
    QM.
     
  16. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Thought you might like to see what Panda found:

    Incident Status Location

    Virus:W32/Smitfraud.D Disinfected Operating system
    Adware:adware/portalscan Not disinfected c:\windows\system32\IdleUI.dll
    Spyware:spyware/smitfraud Not disinfected c:\windows\system32\oleext.dll
    Adware:adware/superspider Not disinfected c:\windows\system32\services
    Virus:trj/abwiz.a Disinfected Operating system
    Adware:adware/adsmart Not disinfected c:\windows\system32\vx.tll
    Potentially unwanted tool:application/bravesentry Not disinfected c:\program files\BraveSentry
    Potentially unwanted tool:application/myway Not disinfected c:\program files\MySearch
    Adware:adware/alfacleaner Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/dluxde Not disinfected Windows Registry
    Dialer:dialer.ap Not disinfected hkey_current_user\software\Holistyc
    Adware:adware/freescratch Not disinfected Windows Registry
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@ad.yieldmanager[1].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@adtech[2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@adultfriendfinder[2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@ccbill[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@com[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@doubleclick[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@fastclick[2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@maxserving[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@media.fastclick[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Billy the Kid\Cookies\billy the kid@microsoftwga.112.2o7[2].txt
    Hacktool:Exploit/LoadImage Not disinfected C:\Documents and Settings\Billy the Kid\Local Settings\Temporary Internet Files\Content.IE5\FAM0CQ3Z\p[1].anr
    Adware:Adware/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry.exe
    Adware:Adware/SpySheriff Not disinfected C:\Program Files\BraveSentry\BraveSentry0.dll
    Adware:Adware/SpySheriff Not disinfected C:\Program Files\BraveSentry\BraveSentry1.dll
    Adware:Adware/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry3.dll
    Adware:Adware/BraveSentry Not disinfected C:\Program Files\BraveSentry\Uninstall.exe
    Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
    Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MySearch\bar\s4bareq.exe
    Virus:Trj/Firebypass.AR Disinfected C:\WINDOWS\system32\ntoskrnl.dll
     
  17. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Bed calls...so I am using the downtime to download XP SP2 to be installed once all these nasties have been banished!

    Thanks again for all your help,

    QM.
     
  18. 2006/09/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's run Killbox again, using the same directions I gave previously, with the following files:
    C:\Program Files\BraveSentry
    C:\Program Files\WindowsUpdate
    C:\WINDOWS\System32\03f907e7.exe
    C:\WINDOWS\System32\ntsystem.exe
    C:\WINDOWS\warnhp.htm
    c:\windows\system32\oleext.dll
    c:\windows\system32\services
    c:\windows\system32\vx.tll
    c:\program files\MySearch


    Reboot after that's been done and run ComboFix first, then HJT and post both logs back into this thread.
     
  19. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Billy the Kid - 06-07-25 2:21:31.45 Service Pack 1
    ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Billy the Kid\Desktop\spyware "
    Command switches used ::

    ((((((((((((((((((((((((((((((( Files Created from 2006-06-25 to 2006-07-25 ))))))))))))))))))))))))))))))))))


    2006-07-24 22:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-07-24 22:59 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-07-24 22:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-07-24 22:59 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-07-24 16:28 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-07-24 16:13 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2006-07-24 16:13 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2006-07-24 16:13 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-07-24 16:13 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
    2006-07-24 16:12 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2006-07-24 16:03 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
    2006-07-24 16:03 41,240 --a------ C:\WINDOWS\system32\wups.dll
    2006-07-24 16:03 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2006-07-24 16:03 18,200 --a------ C:\WINDOWS\system32\wups2.dll
    2006-07-24 16:03 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2006-07-24 16:03 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
    2006-07-23 15:57 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
    2006-06-28 17:51 17,920 --a------ C:\WINDOWS\system32\mdimon.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-24 23:18 -------- d-------- C:\Program Files\QuickTime
    2006-07-24 23:18 -------- d-------- C:\Program Files\Common Files
    2006-07-24 20:39 -------- d-------- C:\Program Files\Internet Explorer
    2006-07-24 20:37 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-07-24 20:34 -------- d-------- C:\Program Files\Classic PhoneTools
    2006-07-24 18:16 -------- d-------- C:\Program Files\hijackthis
    2006-07-24 16:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-07-24 16:49 -------- d-------- C:\Program Files\HighGrow
    2006-07-24 16:49 -------- d-------- C:\Program Files\GetRight
    2006-07-24 15:17 -------- d-------- C:\Program Files\Lavasoft
    2006-07-24 12:24 -------- d-------- C:\Program Files\Inoculator
    2006-07-23 16:07 -------- d-------- C:\Program Files\WindowsUpdate
    2006-07-23 15:42 -------- d-------- C:\Documents and Settings\Billy the Kid\Application Data\Macromedia
    2006-07-20 09:12 -------- d---s---- C:\Documents and Settings\Billy the Kid\Application Data\Microsoft
    2006-06-28 17:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-06-28 17:48 -------- d-------- C:\Program Files\Microsoft.NET
    2006-06-28 17:47 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Works
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-06-28 17:44 -------- d-------- C:\Program Files\Microsoft Office
    2006-06-28 17:44 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-06-28 17:43 -------- d-------- C:\Program Files\Common Files\System
    2006-05-16 18:38 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2006-05-16 18:38 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background "
    "Yahoo! Pager "= "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet "
    "03f907e7.exe "= "C:\\Documents and Settings\\Billy the Kid\\Local Settings\\Application Data\\03f907e7.exe "
    "ctfmon.exe "= "C:\\WINDOWS\\System32\\ctfmon.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Disc Detector "= "C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe "
    "WinFoxV2 "= "C:\\WINDOWS\\System32\\WF2K.EXE "
    "WinFast2KLoadDefault "= "rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings "
    "WinFast Schedule "= "C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "nwiz "= "nwiz.exe /install "
    "NvCplDaemon "= "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "
    "NeroCheck "= "C:\\WINDOWS\\System32\\NeroCheck.exe "
    "KernelFaultCheck "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "Inoculator "= "C:\\Program Files\\Inoculator\\inoc.exe "
    "HPDJ Taskbar Utility "= "C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe "
    "FSW "= "C:\\Program Files\\FSW\\FSW.EXE "
    "CARPService "= "carpserv.exe "
    "CapFax "= "C:\\Program Files\\Classic PhoneTools\\CapFax.EXE "
    "C-Media Mixer "= "Mixer.exe /startup "
    "03f907e7.exe "= "C:\\WINDOWS\\System32\\03f907e7.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
    "Flag "=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator "= "Narrator.exe "
    "tscuninstall "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator "= "Narrator.exe "
    "tscuninstall "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=hex:5f,00,00,00
    "NoInstrumentation "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "RestrictRun "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "ClearRecentDocsOnExit "=dword:00000001
    "NoRecentDocsHistory "=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Tue 07/25/2006 2:22:23.12
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
  20. 2006/09/21
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 2:24:24 AM, on 7/25/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\CTSVCCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153720701531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153724987734
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?310
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: VexiraAntivirus - Unknown owner - C:\Program Files\Vexira\VAGUARD.EXE (file missing)
     
  21. 2006/09/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's fix up with HJT and we ought to be done.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.



    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe

    O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe


    O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab

    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinternetpayments.com/build/preload.cab


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete if found (some may not be present after the previous steps), the following files/folders:
    C:\WINDOWS\System32\03f907e7.exe<<<--this file
    C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
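    Defender-side triage of the HijackThis entries listed above, as an added example that is not part of the original thread and not a WindowsBBS or HijackThis tool: it parses a few of the quoted log lines and flags the same kinds of entries the helper marked for "Fix Checked" (a URLSearchHook with no file, Run keys that launch a hex-named executable or something under a user profile, and an O16 control downloaded from a host outside an assumed trusted list). The trusted-host list, the naming heuristics and the `triage` function names are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HJT log format quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [03f907e7.exe] C:\WINDOWS\System32\03f907e7.exe
O4 - HKCU\..\Run: [03f907e7.exe] C:\Documents and Settings\Billy the Kid\Local Settings\Application Data\03f907e7.exe
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153720701531
""".strip()

# Hosts an O16 (downloaded program file) control is expected to come from on this
# machine. This is an assumption for illustration, not a vendor whitelist.
TRUSTED_DPF_HOSTS = ("microsoft.com", "pandasoftware.com", "hp.com")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
# Last path component ending in .exe, quotes and switches stripped.
EXE_RE = re.compile(r'([^\\"]+\.exe)\b', re.I)
# Eight hex digits plus .exe: the random-looking name both Run entries in the thread use.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
# Executables launched from user-writable profile locations rather than Program Files.
USER_WRITABLE_RE = re.compile(r"\\(Local Settings|Application Data|Temp)\\", re.I)


def host_is_trusted(url: str) -> bool:
    """True if the URL's host is one of the trusted hosts or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_line(line: str):
    """Return a short reason if the HJT line looks worth fixing, else None."""
    line = line.strip()
    if line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
        return "URLSearchHook points at a missing file"
    m = O4_RE.match(line)
    if m:
        hive, _name, cmd = m.groups()
        exe = EXE_RE.search(cmd)
        if exe and HEX_NAME_RE.match(exe.group(1)):
            return f"{hive} Run entry launches hex-named executable {exe.group(1)}"
        if USER_WRITABLE_RE.search(cmd):
            return f"{hive} Run entry launches from a user-writable profile path"
        return None
    m = O16_RE.match(line)
    if m and not host_is_trusted(m.group(1)):
        return f"O16 control downloaded from untrusted host {urlparse(m.group(1)).hostname}"
    return None


def triage(log_text: str):
    """Map each suspicious line to its reason, preserving log order."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((reason, line.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

The KernelFaultCheck entry is deliberately not flagged: these heuristics catch only the malware-looking entries, and a human still decides what else to clear out.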
     