
Help needed with a HJT log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2007/01/05.

  1. 2007/01/05
    BillB (Thread Starter)
    I have a friend's computer now that was pretty messed up. He was getting blue screens, freezing up, etc. He has Spybot, Adaware, SpywareBlaster, AVG and Ewido but wasn't keeping them updated or scanning with them. When I got the machine, his wife wasn't able to open Outlook at all (under her account), it would either freeze the machine or get a BSOD and reboot. When his kids used their accounts, the machine would freeze up randomly and became unusable. On his account, the main one, it would work most of the time, but would BSOD and reboot also. He was also having problems trying to open a web page from an email link.

    I updated all the spyware/antivirus software and scanned on each account individually (very time consuming), I also swapped Ewido for AVG-AS. I dumped the temporary internet files for each account under docs and settings. There were several trojan viruses found and cleaned up by AVG, there was also some spyware found and cleaned up.

    Where it is now:
    No more BSOD's or freezing, at least not so far. Outlook is working again under the wife's account. There remains one nagging problem that I haven't figured out and I'm not sure if it is related to any of the infections cleaned up or if there are more to clean up.

    When clicking on a web link in an email under the main account id, a little window appears with this title: FEAD 2.5 Optimizer for Adobe Reader 7.0.7, and with this text:
    Please wait while the Adobe Reader 7.0.7 setup is being processed. This will take some time depending on your operating system and hardware.
    When this finishes, another window pops up with the following text:
    Command line parameters;
    /L language ID
    /S Hide initialization dialog
    /V parameters to MsiExec.exe
    /UA <url to InstMsiA.exe
    and a few more.

    This happens on every web link in email. I searched the KB on Adobe's site but didn't find anything related to this problem. I'm posting a HJT log (taken under the main account) to see if there are more infections to be cleaned up that may be causing this. Any help would be greatly appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:47:50 PM, on 1/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\lvju0919e.dll (file missing)
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hr4q05h5e.dll (file missing)
    O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)
     
  2. 2007/01/05
    TeMerc
    Two MAJOR problems on this box.

    HackerDefender and L2M. If that friend of yours does any banking online... well, you know the drill.

    Let's get HackDef first, then L2M afterwards.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

    We'll attack L2M as soon as we get this sucker cleaned of HackDef.
     
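As an added example (not part of the thread, and not code from HijackThis, SDFix or Look2Me-Destroyer), here is a small Python triage script that parses HijackThis item lines, flags the O20 Winlogon Notify hooks and O23 services of the kind TeMerc pointed at, and diffs two logs to confirm what a cleanup actually removed. The sample lines are excerpted from the logs posted in this thread; the flagging heuristics are my own assumptions, not rules shipped with HijackThis.

```python
import re
from dataclasses import dataclass

# A HijackThis item line looks like "O23 - Service: Name (Short) - Owner - C:\path (file missing)".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # HJT section code, e.g. "O20" or "O23"
    body: str  # everything after "O23 - "


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the numbered R/F/O item lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def flag(entry: Entry) -> list[str]:
    """Return the reasons an entry deserves a second look (empty list = nothing odd).

    These checks are my own heuristics modelled on the O20/O23 lines in this thread,
    not rules from HijackThis; treat a hit as a lead for the helper, not a verdict.
    """
    reasons = []
    if entry.code == "O20":
        m = NOTIFY_RE.match(entry.body)
        if m:
            path = m["path"]
            if "(file missing)" in path:
                reasons.append("Winlogon Notify hook whose DLL is hidden or already gone")
            stem = path.split("\\")[-1].split(" ")[0].lower()  # e.g. "lvju0919e.dll"
            if re.fullmatch(r"[a-z]+\d[a-z0-9]*\.dll", stem):
                reasons.append("Winlogon Notify DLL with a generated-looking name")
    elif entry.code == "O23":
        m = SERVICE_RE.match(entry.body)
        if m:
            owner, path = m["owner"], m["path"].strip()
            if owner == "Unknown owner":
                reasons.append("service with no identifiable vendor")
            if re.match(r"(?i)^c:\\windows\\[^\\]+\.exe", path):
                reasons.append("service binary directly under C:\\WINDOWS rather than system32")
            if "(file missing)" in path:
                reasons.append("registered service whose binary is not visible on disk")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged line (as 'O23 - ...') to its reasons; clean lines are omitted."""
    return {f"{e.code} - {e.body}": r for e in parse_hjt(text) if (r := flag(e))}


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Items that disappeared and items that appeared between two HJT logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.code, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Excerpts of the logs posted in this thread: the first log, and (derived below)
# the state after SDFix deleted the WMIPerAddOn service.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\lvju0919e.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hr4q05h5e.dll (file missing)
O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe (file missing)
"""
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if "WMIPerAddOn" not in l)

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nremoved by the cleanup:", [e.body for e in removed])
    print("newly appeared:", [e.body for e in added])
```

Run against the full logs, the diff is the quick way to confirm that each tool removed exactly the entries it reported and nothing reappeared on the next reboot.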

  4. 2007/01/06
    BillB (Thread Starter)
    Here are the report.txt file from SDFix and a new HJT log:

    SDFix: Version 1.55
    ****************

    Sat 01/06/2007 - 17:05:54.18

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode

    Checking Services...

    Service Name:

    WMIPerAddOn

    File Path:

    "C:\WINDOWS\wmapsrvs.exe"

    WMIPerAddOn Deleted...

    Starting Registry Repairs...

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------


    Backing Up and Removing any Files Found...

    Alternate Stream Check:

    C:\WINDOWS\system32
    No streams found.
    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE "= "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE:*:Enabled:ActiveSync Application "
    "C:\\Program Files\\AIM\\aim.exe "= "C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger "
    "C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp "= "C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite "
    "C:\\Program Files\\Common Files\\AOL\\1125424419\\ee\\aolservicehost.exe "= "C:\\Program Files\\Common Files\\AOL\\1125424419\\ee\\aolservicehost.exe:*:Enabled:AOL Services "
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "= "C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer "
    "C:\\StubInstaller.exe "= "C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer "
    "C:\\Program Files\\LimeWire\\LimeWire.exe "= "C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire "
    "C:\\Program Files\\Common Files\\AOL\\1125424419\\EE\\aolsoftware.exe "= "C:\\Program Files\\Common Files\\AOL\\1125424419\\EE\\aolsoftware.exe:*:Enabled:AOL Services "
    "C:\\Program Files\\Common Files\\AOL\\1125424419\\EE\\aim6.exe "= "C:\\Program Files\\Common Files\\AOL\\1125424419\\EE\\aim6.exe:*:Enabled:AIM "
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe "= "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe "
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe "= "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe "
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe "= "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe "
    "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe "= "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe "


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\Common Files\\AOL\\1125424419\\ee\\aolservicehost.exe "= "C:\\Program Files\\Common Files\\AOL\\1125424419\\ee\\aolservicehost.exe:*:Enabled:AOL Services "
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader "


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\ntdetect.com
    C:\WINDOWS\mssys.com
    C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
    C:\WINDOWS\nem216.dll
    C:\WINDOWS\SYSTEM32\msxslab.dll
    C:\WINDOWS\SYSTEM32\bridge.dll
    C:\WINDOWS\SYSTEM32\jac.dll
    C:\WINDOWS\SYSTEM32\d2kpax.dll
    C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
    C:\WINDOWS\cvchost.exe
    C:\WINDOWS\ntldr.exe
    C:\WINDOWS\rocky.exe
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\mstaskss.exe
    C:\WINDOWS\mstasks1.exe
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\seksdialer.exe
    C:\WINDOWS\urub.exe
    C:\WINDOWS\SYSTEM32\a.exe
    C:\WINDOWS\SYSTEM32\winproc32.exe
    C:\WINDOWS\SYSTEM32\d2kpax.exe
    C:\WINDOWS\SYSTEM32\mcc.exe
    C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
    C:\WINDOWS\SYSTEM32\logonui.exe.manifest
    C:\WINDOWS\SYSTEM\wmscrop.exe
    C:\Program Files\q330994.exe
    C:\Recycled\cloaker.exe
    C:\Recycled\finis.exe
    C:\System Volume Information\_restore{3D08C3BF-0CF3-49DF-AE1E-029BE572F50F}\RP186\A0085082.exe
    C:\MSDOS.SYS
    C:\LOGO.SYS
    C:\CONFIG.SYS
    C:\io.sys
    C:\pagefile.sys
    C:\hiberfil.sys
    C:\Documents and Settings\Karis Crosby\Application Data\Microsoft\Word\~WRL0002.tmp
    C:\Documents and Settings\Karis Crosby\Application Data\Microsoft\Word\~WRL0003.tmp
    C:\Documents and Settings\Karis Crosby\Application Data\Microsoft\Word\~WRL0004.tmp

    FINISHED!

    Logfile of HijackThis v1.99.1
    Scan saved at 5:17:19 PM, on 1/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\lvju0919e.dll (file missing)
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hr4q05h5e.dll (file missing)
    O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  5. 2007/01/06
    TeMerc
    Ok, before I go crazy with KillBox, let's see what the L2M tool does.

    Please download Look2Me-Destroyer to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from this link and place it in your C:\Windows\System32 Directory.
     
  6. 2007/01/06
    BillB (Thread Starter)
    Wow, I had a feeling this thing was a little messed up...

    Here's the Look2me log and a new HJT:

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 1/6/2007 10:54:19 PM

    Infected! C:\WINDOWS\system32\lvju0919e.dll
    Infected! C:\WINDOWS\system32\hr4q05h5e.dll

    Attempting to delete infected files...

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2822BE16-EA3A-4B6A-B931-051119FC9B3D} "
    HKCR\Clsid\{2822BE16-EA3A-4B6A-B931-051119FC9B3D}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{84A40065-EA81-4EC7-A690-1CA1EA671BE2} "
    HKCR\Clsid\{84A40065-EA81-4EC7-A690-1CA1EA671BE2}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F20A1F68-0464-4270-9E47-D5E2BB7D1C1A} "
    HKCR\Clsid\{F20A1F68-0464-4270-9E47-D5E2BB7D1C1A}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1FD7E896-09E3-4547-95D1-013F6582C29A} "
    HKCR\Clsid\{1FD7E896-09E3-4547-95D1-013F6582C29A}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded


    Logfile of HijackThis v1.99.1
    Scan saved at 11:02:38 PM, on 1/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\hjt\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  7. 2007/01/06
    TeMerc (Inactive Alumni)
    OK, I'm glad I let the tool do some work for me; I'm tired tonight. :p

    Let's attack what we have remaining, from the ComboFix log and the rest.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot".
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\mssys.com
    C:\WINDOWS\nem216.dll
    C:\WINDOWS\SYSTEM32\msxslab.dll
    C:\WINDOWS\SYSTEM32\bridge.dll
    C:\WINDOWS\SYSTEM32\jac.dll
    C:\WINDOWS\SYSTEM32\d2kpax.dll
    C:\WINDOWS\cvchost.exe
    C:\WINDOWS\ntldr.exe
    C:\WINDOWS\rocky.exe
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\mstaskss.exe
    C:\WINDOWS\mstasks1.exe
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\seksdialer.exe
    C:\WINDOWS\urub.exe
    C:\WINDOWS\SYSTEM32\a.exe
    C:\WINDOWS\SYSTEM32\winproc32.exe
    C:\WINDOWS\SYSTEM32\d2kpax.exe
    C:\WINDOWS\SYSTEM32\mcc.exe
    C:\WINDOWS\SYSTEM\wmscrop.exe
    C:\Program Files\q330994.exe
    C:\WINDOWS\system32\lvj6091se.dll


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not allow a reboot yet.


    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)


    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)



    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
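The two lines TeMerc picks out above (a Winlogon Notify DLL and a service, both marked "(file missing)", the service also with "Unknown owner") are the usual first look in a HijackThis log. The following is an added example, not code from this thread or from HijackThis, that reads O20 and O23 lines of that shape and flags those entries automatically. The sample lines are constructed in the shape of the log posted above, and the flagging rules are the editor's own.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example, not code from this thread or from HijackThis.  It reads the
O20 (Winlogon Notify) and O23 (Service) lines and flags the ones a reviewer
looks at first: targets that no longer exist ("(file missing)") and services
whose binary carries no publisher ("Unknown owner").  The flagging rules are
the editor's own, not HijackThis's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted above (nothing is run).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O20 - Winlogon Notify: SystemFileProtection - C:\\WINDOWS\\system32\\lvj6091se.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\\WINDOWS\\email-av.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\\WINDOWS\\logonui.exe (file missing)
"""

MISSING = r"(?P<missing> \(file missing\))?$"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)" + MISSING)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)" + MISSING)


@dataclass
class Finding:
    section: str            # "O20" or "O23"
    name: str               # entry name as logged
    path: str               # target path as logged
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return the O20/O23 entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # Any Winlogon Notify DLL loads into winlogon.exe at logon, so every
            # O20 entry is listed; a missing target means an orphaned hook.
            reasons = ["Winlogon Notify DLL: verify it belongs to installed software"]
            if m.group("missing"):
                reasons.append("target file missing: orphaned entry, safe to remove")
            findings.append(Finding("O20", m.group("name"), m.group("path"), reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("service binary has no publisher information")
            if m.group("missing"):
                reasons.append("target file missing: orphaned service, disable and delete")
            if reasons:
                findings.append(Finding("O23", m.group("name"), m.group("path"), reasons))
    return findings


def report(findings):
    """One line per finding, ready to paste into a reply."""
    return [f"{f.section} {f.name} -> {f.path}: " + "; ".join(f.reasons) for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample it lists exactly the three entries TeMerc deals with in this thread (the lvj6091se.dll notify entry, the Email AV service and the LogonUInterf service) and stays quiet about the AVG and iPod services, whose binaries are present and signed by a named publisher.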
     
  8. 2007/01/07
    BillB (Well-Known Member, Thread Starter)
    Here are the logs from ComboFix and HJT:

    crosby - 07-01-07 10:33:54.57 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\van crosby\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\windows


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2007-01-06 17:00 <DIR> d-------- C:\SDFix
    2007-01-03 17:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-01-02 21:10 <DIR> d-------- C:\hjt
    2007-01-02 18:14 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
    2007-01-02 18:14 18,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
    2007-01-02 18:02 <DIR> d--hs---- C:\FOUND.024
    2007-01-01 14:28 <DIR> d-------- C:\Documents and Settings\van crosby\Application Data\AOL OCP
    2007-01-01 14:28 <DIR> d-------- C:\Documents and Settings\van crosby\Application Data\acccore
    2007-01-01 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-01-01 14:27 <DIR> d-------- C:\Program Files\AIM6
    2006-12-25 17:16 <DIR> d--hs---- C:\FOUND.023
    2006-12-24 16:40 <DIR> d--hs---- C:\FOUND.022
    2006-12-10 18:49 <DIR> d-------- C:\Documents and Settings\van crosby\Shared
    2006-12-10 18:49 <DIR> d-------- C:\Documents and Settings\van crosby\Incomplete
    2006-12-10 18:48 <DIR> d-------- C:\Program Files\LimeWire
    2006-12-10 18:47 <DIR> d-------- C:\Documents and Settings\van crosby\.limewire


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver lzx32 is present. A rootkit scan is required

    2007-01-02 18:14 816672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
    2007-01-02 18:14 4960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
    2007-01-02 18:14 4224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
    2007-01-02 18:14 28416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
    2006-12-26 21:22 11776 --a------ C:\Documents and Settings\van crosby\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2006-10-02 19:33 533 --a------ C:\Documents and Settings\van crosby\Application Data\perfc012.dat
    2006-10-02 19:33 30 --a------ C:\Documents and Settings\van crosby\Application Data\FNTCACHE.BIN


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Aim6 "= "\ "C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp "
    "AIM "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray "= "SysTray.Exe "
    "Microsoft Works Portfolio "= "C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers "
    "Microsoft Works Update Detection "= "C:\\Program Files\\Microsoft Works\\WkDetect.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "REGSHAVE "= "C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:0000009d
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile "= "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "
    "MMTray "=" "
    "hpsysdrv "= "C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe "
    "Delay "= "C:\\WINDOWS\\delayrun.exe "
    "WorksFUD "= "C:\\Program Files\\Microsoft Works\\wkfud.exe "
    "USBMMKBD "= "usbmmkbd.exe "
    "Hidserv "= "Hidserv.exe run "
    "AT&T DSL Service PCA Program "= "C:\\Program Files\\AT&T\\DSL\\programs\\dslpca.exe /ws "
    "HP Component Manager "= "\ "C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\" "
    "AVG_CC "= "C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20070107-102136-879
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)
    backup-20070107-102135-286
    O20 - Winlogon Notify: SystemFileProtection - C:\WINDOWS\system32\lvj6091se.dll (file missing)

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\WebReg 20041220203133.job
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1076889674.job
    C:\WINDOWS\tasks\{0281F0DB-E434-4195-B921-6470EC18C955}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F76F2F1E-36A8-49C9-9CEA-1095D9A85478}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F5401EC6-BE5F-440A-9E5F-95B1EF19331F}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{9795FA4A-0F34-4FAF-944D-57FE42E33983}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{8502E597-F733-44ED-AD7E-C3E455D561F1}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{9C5B637F-749C-44A0-A152-D678187536D6}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 07-01-07 10:36:26.82
    C:\ComboFix.txt ... 07-01-07 10:36


    Logfile of HijackThis v1.99.1
    Scan saved at 10:37:35 AM, on 1/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\sUBs\ComboFix.exe
    C:\WINDOWS\system32\cmd.exe
    C:\sUBs\TSF\nircmd.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  9. 2007/01/07
    TeMerc (Inactive Alumni)
    Gee a rootkit!!! :eek:
    Who'da thunk?? :p

    Download GMER from here
    • Right-click the Zip and select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.

    No need for any other logs, just GMER, once we deal with that we'll continue on with the rest of the removal.
     
  10. 2007/01/07
    BillB (Well-Known Member, Thread Starter)
    Here's the GMER report:

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-01-07 11:46:48
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 40, 2F, 3C, F5, 50, 97, 3C, ... ]
    .text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 40, 2F, 3C, F5, 50, 97, 3C, ... ]

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F53D4B10] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F53D4B10] vsdatant.sys

    ---- EOF - GMER 1.0.12 ----
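TeMerc's reading of this output in the next post ("not seeing what I expected") comes down to who owns the hooks: every SSDT entry and every hooked IRP dispatch routine above is attributed to vsdatant.sys or avgtdi.sys. As the editor's attribution, vsdatant.sys is ZoneAlarm's TrueVector driver (the vsmon service in the HJT log) and avgtdi.sys is one of the AVG drivers that ComboFix's Find3M report lists, so these hooks are the firewall and antivirus doing their job rather than a rootkit. The following is an added example, not code from this thread or from GMER, that parses lines of that shape, groups the hooks by owning module, and reports any owner not in a list of modules the installed products account for. The sample lines are constructed in the shape of the log above, and the known-modules list is the analyst's input.

```python
"""Hook-ownership summary for a GMER 'Rootkit' scan.

Added example, not code from this thread or from GMER.  GMER prints one line
per hooked SSDT entry and per hooked IRP dispatch routine; what the reviewer
needs is the set of modules that own those hooks, so each can be matched to
an installed product.  An owner that no installed product accounts for is the
one to chase; hooks owned by the firewall or AV driver are expected.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER output posted above.
SAMPLE_GMER = """\
---- System - GMER 1.0.12 ----

SSDT \\SystemRoot\\System32\\vsdatant.sys ZwCreateFile
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwOpenProcess
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_CREATE [F53D4B10] vsdatant.sys
Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F911885A] avgtdi.sys
Device \\Driver\\Tcpip \\Device\\Udp IRP_MJ_CREATE [F53D4B10] vsdatant.sys
"""

SSDT_RE = re.compile(r"^SSDT (?P<module>\S+) (?P<func>Zw\w+)$")
DEVICE_RE = re.compile(
    r"^Device (?P<driver>\S+) (?P<device>\S+) (?P<irp>IRP_MJ_\w+) "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<module>\S+)$"
)


def hook_owners(text):
    """Map module file name -> {"ssdt": [hooked Zw* names], "irp": [device + IRP]}."""
    owners = defaultdict(lambda: {"ssdt": [], "irp": []})
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            # SSDT lines carry a full path; keep the file name only.
            module = m.group("module").rsplit("\\", 1)[-1].lower()
            owners[module]["ssdt"].append(m.group("func"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            module = m.group("module").lower()
            owners[module]["irp"].append(f"{m.group('device')} {m.group('irp')}")
    return dict(owners)


def unexpected_owners(owners, known_modules):
    """Hook owners not accounted for by the installed products (analyst's list)."""
    known = {k.lower() for k in known_modules}
    return sorted(mod for mod in owners if mod not in known)


if __name__ == "__main__":
    owners = hook_owners(SAMPLE_GMER)
    for mod, hooks in sorted(owners.items()):
        print(f"{mod}: {len(hooks['ssdt'])} SSDT hooks, {len(hooks['irp'])} IRP hooks")
    # Editor's attribution: vsdatant.sys is ZoneAlarm's TrueVector driver and
    # avgtdi.sys is AVG's TDI driver; both products are installed per the HJT log.
    print("unexpected:", unexpected_owners(owners, {"vsdatant.sys", "avgtdi.sys"}))
```

The known-modules set is deliberately the analyst's input rather than a built-in whitelist: it is built from what the HJT O23 service list and the ComboFix driver listing show as installed, so a hook owner that is absent from both lists stands out. On the log above that set is complete and the unexpected list is empty, which is what the later RootkitRevealer result also reflects.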
     
  11. 2007/01/07
    TeMerc (Inactive Alumni)
    Hmmm... not seeing what I expected there, let's run another rk tool.

    I'd also like you to fire up GMER again, run it, and then:
    • Select the Services tab
    • Look for a service called pe386
    • Right-click it and select Delete
    Let me know if it was there.

    Then download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.
     
  12. 2007/01/07
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    TeMerc,

    The pe386 service was not there.

    Here's the Rootkit log:

    C:\System Volume Information\_restore{3D08C3BF-0CF3-49DF-AE1E-029BE572F50F}\RP192\A0088537.RDB 1/7/2007 1:08 PM 2.44 MB Hidden from Windows API.
     
  13. 2007/01/07
    TeMerc
    Ok, nothing found by RKR, tho it's odd that CF would throw up that rk alert. I'm going to look more into that, for now we'll kill what remains.


    First thing we need to do is stop Email AntiVirus (Email AV) service:
    Go to: Start > Run > type " services.msc ", then click OK

    When the Services window appears scroll down to the Email AntiVirus (Email AV) service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled ", click Apply, then OK.

    Do the same with this service: Microsoft Logon User Interface Skining


    Have them uninstall LimeWire.

    Let's navigate to the following and delete:
    C:\FOUND.022<<<--this file
    C:\FOUND.023<<<--this file
    C:\FOUND.024<<<--this file
    C:\Program Files\LimeWire<<<<---this folder
    C:\Documents and Settings\van crosby\.limewire<<<<---this folder

    The last two may not be present; let me know if they were and if you had any trouble deleting them.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot "
    • Then select "All files ".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\logonui.exe
    C:\WINDOWS\email-av.exe


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard ".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not allow a reboot yet.

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)


    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe (file missing)


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  14. 2007/01/07
    BillB
    Temerc,

    The two services you mentioned were already stopped; I disabled them as you requested. I uninstalled Limewire and removed all the directories you requested. When I tried to paste the filenames in Killbox from the clipboard, they wouldn't paste, even though I did see them in the clipboard. I pasted them individually and hoped that worked. The two entries you wanted me to delete in HJT were not there. Something I've noticed that I thought I should mention: every now and then, Zonealarm will pop up a warning that says:
    AVG Anti-Spyware is trying to change your network settings by modifying the file Windrvdir\etc\hosts, and it lists the application as avgas.exe. The first time I saw this I clicked on allow, figuring that since it was the AVG app it was ok; on the subsequent warnings I've been clicking on deny, thinking something is awry. Also, when running the Combofix, I got several warnings from Zonealarm that read: Swreg.exe is trying to install a new driver or service. The list of names mentioned is as follows, in the order they appeared:
    pe386, regedit, LZX32 and MSGUARD
    The application named was swreg.exe. I clicked deny on all of these.

    Here are the Combofix and HJT logs:

    van crosby - 07-01-07 16:45:03.20 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\van crosby\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\windows


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


    2007-01-07 11:37 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
    2007-01-07 10:38 360 --a------ C:\Combo.bat
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2006-12-10 18:47 <DIR> d-------- C:\Documents and Settings\van crosby\.limewire


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required
    Rootkit driver msguard is present. A rootkit scan is required
    Rootkit driver lzx32 is present. A rootkit scan is required

    2007-01-02 18:14 816672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
    2007-01-02 18:14 4960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
    2007-01-02 18:14 4224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
    2007-01-02 18:14 28416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
    2006-12-26 21:22 11776 --a------ C:\Documents and Settings\van crosby\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2006-10-02 19:33 533 --a------ C:\Documents and Settings\van crosby\Application Data\perfc012.dat
    2006-10-02 19:33 30 --a------ C:\Documents and Settings\van crosby\Application Data\FNTCACHE.BIN


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Aim6 "= "\ "C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp "
    "AIM "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray "= "SysTray.Exe "
    "Microsoft Works Portfolio "= "C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers "
    "Microsoft Works Update Detection "= "C:\\Program Files\\Microsoft Works\\WkDetect.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "REGSHAVE "= "C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:0000009d
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile "= "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "
    "MMTray "=" "
    "hpsysdrv "= "C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe "
    "Delay "= "C:\\WINDOWS\\delayrun.exe "
    "WorksFUD "= "C:\\Program Files\\Microsoft Works\\wkfud.exe "
    "USBMMKBD "= "usbmmkbd.exe "
    "Hidserv "= "Hidserv.exe run "
    "AT&T DSL Service PCA Program "= "C:\\Program Files\\AT&T\\DSL\\programs\\dslpca.exe /ws "
    "HP Component Manager "= "\ "C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\" "
    "AVG_CC "= "C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\WebReg 20041220203133.job
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1076889674.job
    C:\WINDOWS\tasks\{0281F0DB-E434-4195-B921-6470EC18C955}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F76F2F1E-36A8-49C9-9CEA-1095D9A85478}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F5401EC6-BE5F-440A-9E5F-95B1EF19331F}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{9795FA4A-0F34-4FAF-944D-57FE42E33983}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{8502E597-F733-44ED-AD7E-C3E455D561F1}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{9C5B637F-749C-44A0-A152-D678187536D6}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 07-01-07 17:06:07.08
    C:\ComboFix2.txt ... 07-01-07 10:36
    C:\ComboFix.txt ... 07-01-07 17:06

    Logfile of HijackThis v1.99.1
    Scan saved at 5:07:47 PM, on 1/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  15. 2007/01/07
    TeMerc
    For some odd reason GMER is not picking this rootkit up, and it usually does so with ease; I have used it about a dozen times in cleaning it up on my test box.

    Very odd. I'm beginning to think we may be better off reformatting, but I'm trying to get my fellow spyware researcher to have a peek; she has a deeper knowledge of rootkits.

    I'll let you know as soon as she gets back to me, which I'm hoping will be tonight.

    Does your friend have any data they need to save? If so, I'd start saving it, to be half a step ahead of a reformat.
     
  16. 2007/01/07
    BillB
    I don't think they are going to want to pursue that option. I hope we can get this machine clean without a reformat. I think there would be a lot of stuff to get off before that could occur.
     
  17. 2007/01/08
    TeMerc
    Ok Bill, got a way to look for those drivers. There is also another tool which should get this rk as well. We'll check for the drivers first, then use the tool.

    Go to: Start > Run > type " MSCONFIG ", then click OK

    Once MSCONFIG comes up:
    • Click the Boot.INI tab
    • Under the tab Check All Boot Paths, tick the '/BOOTLOG' box
    • Then hit the [Apply] button.
    • Reboot the system
    • Once rebooted navigate to C:\Windows folder and delete the ntbtlog.txt file.
    • Reboot the system again.
    • Once again, navigate to the windows folder, and look for ntbtlog.txt, and post the contents here for me to review.

    Btw, if you look at the first ntbtlog and compare it to the second one, you'll see why we deleted the first. It's HUGE!
     
  18. 2007/01/08
    BillB
    Glad to hear there's another approach to this. I checked the size difference in the bootlog; you're right, big difference. Here it is:

    Service Pack 2 1 8 2007 16:43:29.500
    Loaded driver \WINDOWS\system32\ntoskrnl.exe
    Loaded driver \WINDOWS\system32\hal.dll
    Loaded driver \WINDOWS\system32\KDCOM.DLL
    Loaded driver \WINDOWS\system32\BOOTVID.dll
    Loaded driver ACPI.sys
    Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
    Loaded driver pci.sys
    Loaded driver isapnp.sys
    Loaded driver ohci1394.sys
    Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
    Loaded driver intelide.sys
    Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    Loaded driver MountMgr.sys
    Loaded driver ftdisk.sys
    Loaded driver PartMgr.sys
    Loaded driver VolSnap.sys
    Loaded driver atapi.sys
    Loaded driver disk.sys
    Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    Loaded driver fltMgr.sys
    Loaded driver sr.sys
    Loaded driver Fastfat.sys
    Loaded driver KSecDD.sys
    Loaded driver NDIS.sys
    Loaded driver srescan.sys
    Loaded driver Mup.sys
    Loaded driver agp440.sys
    Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
    Loaded driver \SystemRoot\system32\DRIVERS\processr.sys
    Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
    Loaded driver \SystemRoot\system32\DRIVERS\RTL8139.SYS
    Loaded driver \SystemRoot\system32\drivers\es1371mp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ltmdmnt.sys
    Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
    Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
    Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
    Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
    Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
    Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
    Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
    Loaded driver \SystemRoot\System32\Drivers\cdrbsdrv.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
    Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
    Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
    Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
    Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
    Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
    Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
    Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
    Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
    Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
    Loaded driver \SystemRoot\system32\DRIVERS\update.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
    Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
    Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
    Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
    Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
    Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
    Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
    Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
    Loaded driver \SystemRoot\System32\Drivers\Null.SYS
    Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\AvgAsCln.sys
    Loaded driver \SystemRoot\System32\Drivers\avgclean.sys
    Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
    Loaded driver \SystemRoot\System32\drivers\vga.sys
    Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
    Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
    Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
    Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
    Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
    Loaded driver \SystemRoot\System32\vsdatant.sys
    Loaded driver \SystemRoot\System32\drivers\afd.sys
    Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
    Did not load driver \SystemRoot\system32\DRIVERS\wceusbsh.sys
    Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
    Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
    Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
    Loaded driver \SystemRoot\System32\Drivers\avg7core.sys
    Loaded driver \SystemRoot\System32\Drivers\avg7rsw.sys
    Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    Loaded driver Fastfat.SYS
    Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\avg7rsxp.sys
    Loaded driver \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
    Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
    Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
    Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
    Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
    Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
    Loaded driver \SystemRoot\system32\drivers\splitter.sys
    Loaded driver \SystemRoot\system32\drivers\aec.sys
    Loaded driver \SystemRoot\system32\drivers\swmidi.sys
    Loaded driver \SystemRoot\system32\drivers\DMusic.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
    Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
    Loaded driver \SystemRoot\System32\Drivers\avgtdi.sys
    Did not load driver \SystemRoot\System32\Drivers\mrtRate.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys
    Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
    Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
    Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
     
  19. 2007/01/08
    TeMerc
    Ok, that didn't show us those drivers, but I'm told some rks can alter the log, sooooo.......another tool anyways, as it can't hurt.

    Download Rustbfix from one of these locations:
    http://www.uploads.ejvindh.net/rustbfix.exe
    http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
    ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly thereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
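The point behind the last three posts (a registry-based scan names drivers, the boot log does not show them, and the log itself may have been filtered) can be automated as a reconciliation between the two sources. The script below is an added example, not code from this thread or from ComboFix, GMER or Rustbfix; the boot-log excerpt and the list of reported driver names are constructed here, and the function names are this example's own.

```python
"""Cross-check a Windows boot log (ntbtlog.txt, produced by the /BOOTLOG switch)
against driver names that a registry-based scanner reported as present.

A driver the registry knows about but that never appears in the boot log is a
discrepancy worth an offline scan: either it is not really loading, or something
is filtering what the log records. This example reconciles the two sources.
"""
import re

# Constructed sample: a short excerpt in ntbtlog.txt format (raw string, so the
# backslashes are literal, exactly as Windows writes them).
SAMPLE_BOOTLOG = r"""Service Pack 2 1 8 2007 16:43:29.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdi.sys
"""

# Constructed sample: driver/service names another scanner claimed are registered.
# (In the thread, ComboFix's Find3M report named pe386, msguard and lzx32.)
REPORTED_DRIVERS = ["pe386", "msguard", "lzx32", "vsdatant", "avgtdi", "NDProxy.SYS"]

# ntbtlog.txt uses exactly two record kinds; the first line is a date/SP header.
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def driver_key(path_or_name):
    """Normalize a driver path or service name to a lowercase base name.

    Strips any directory prefix (including the \\??\\C:\\... form) and a
    .sys/.dll/.exe extension, so 'NDProxy.SYS' and the full path compare equal.
    """
    base = path_or_name.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.(sys|dll|exe)$", "", base, flags=re.IGNORECASE).lower()


def parse_bootlog(text):
    """Return (loaded, not_loaded) as sets of normalized driver names.

    Lines that match neither record kind (the header, blank lines) are skipped.
    """
    loaded, not_loaded = set(), set()
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        kind, path = match.groups()
        target = loaded if kind == "Loaded driver" else not_loaded
        target.add(driver_key(path))
    return loaded, not_loaded


def reconcile(bootlog_text, reported_names):
    """Bucket each reported driver by what the boot log says about it.

    confirmed   - the log records it loading (a driver that appears both as
                  loaded and as 'Did not load', like rdbss in a real log, is
                  counted here because it loaded at least once)
    refused     - the log records only 'Did not load driver' for it
    unaccounted - the log never mentions it: the discrepancy to investigate,
                  since a rootkit that filters the log can hide its own driver
    Order within each bucket follows the order of reported_names.
    """
    loaded, not_loaded = parse_bootlog(bootlog_text)
    result = {"confirmed": [], "refused": [], "unaccounted": []}
    for name in reported_names:
        key = driver_key(name)
        if key in loaded:
            result["confirmed"].append(key)
        elif key in not_loaded:
            result["refused"].append(key)
        else:
            result["unaccounted"].append(key)
    return result


if __name__ == "__main__":
    for bucket, names in reconcile(SAMPLE_BOOTLOG, REPORTED_DRIVERS).items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
```

An "unaccounted" result is a lead, not proof either way: the next step is a scan from outside the running system, which is the direction the thread takes.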
     
  20. 2007/01/08
    BillB
    Ok, I'm not sure if the tool worked properly or not. In order to get it to run, I had to reply allow to all the services prompts from Zonealarm that I mentioned before. If I didn't, it displayed an error message saying it was unable to create the registry key needed to run. Here are the logs anyway:

    ************************* Rustock.b-fix -- By ejvindh *************************
    Mon 01/08/2007 18:22:47.70

    No Rustock.b-rootkits found

    ******************************* End of Logfile ********************************


    Logfile of HijackThis v1.99.1
    Scan saved at 6:23:54 PM, on 1/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
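
    A small parser for the HijackThis v1.99 log format quoted above, added here as an example; it is not a HijackThis or WindowsBBS tool and was not posted in this thread. It splits each R/O report line into section code, display name, CLSID and file path or URL, then applies a few triage heuristics of my own choosing (assumptions, not HijackThis rules): autorun entries given as a bare file name rather than a full path, startup shortcuts whose target HijackThis could not resolve ("?"), browser extensions with no display name, and ActiveX controls (O16) fetched over plain HTTP. The sample lines are copied from the log above; a flag means "worth a second look", not a verdict, and the unnamed BHO flagged here is Spybot's own SDHelper.dll.

```python
"""HijackThis log triage (added example, own heuristics, not a HijackThis tool)."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command", "O2 - BHO: name - {clsid} - path", ...
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>.*\\Run[^:]*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<where>[^:]+ Startup): (?P<name>.*?) = (?P<target>.*)$")
# First image in an autorun command: quoted path, or unquoted path up to the extension.
IMAGE_RE = re.compile(r'^"?([^"]*?\.(?:exe|com|scr|bat|cmd|pif|dll|ocx))"?(?=\s|$)',
                      re.IGNORECASE)

@dataclass
class HjtEntry:
    code: str
    name: str = ""
    clsid: str = ""
    target: str = ""          # file path, URL or registry value
    flags: list = field(default_factory=list)

def command_image(cmd):
    """Executable named by an autorun command, stripped of quotes and arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group(1).strip() if m else cmd.strip().strip('"').split(" ", 1)[0]

def parse_line(line):
    """Parse one report line; returns None for headers, process lists, blanks."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    code, body = m.group("code"), m.group("body")
    e = HjtEntry(code=code)
    c = CLSID_RE.search(body)
    e.clsid = c.group(0) if c else ""
    if code == "O4":
        r = RUN_RE.match(body)
        s = STARTUP_RE.match(body)
        if r:
            e.name, e.target = r.group("name"), r.group("cmd").strip()
        elif s:
            e.name, e.target = s.group("name"), s.group("target").strip()
        else:
            e.target = body
    elif code.startswith("R"):
        left, sep, right = body.rpartition(" = ")          # "<reg value> = <data>"
        e.name, e.target = (left, right) if sep else ("", body)
    else:
        parts = [p.strip() for p in body.split(" - ")]      # label - clsid - path
        label = parts[0]
        e.name = label.split(": ", 1)[1] if ": " in label else label
        if code == "O16":                                   # "DPF: {clsid} (name)"
            e.name = CLSID_RE.sub("", e.name).strip().strip("()")
        e.target = parts[-1] if len(parts) > 1 else ""
    return e

def triage(e):
    """Attach heuristic flags (this example's assumptions) to a parsed entry."""
    if e.code == "O4":
        if e.target == "?":
            e.flags.append("startup shortcut target could not be resolved")
        elif e.target and "\\" not in command_image(e.target):
            e.flags.append("autorun image has no path (found via PATH search order)")
    elif e.code in ("O2", "O3", "O9") and e.name == "(no name)":
        e.flags.append("browser extension with no display name")
    elif e.code == "O16" and e.target.lower().startswith("http://"):
        e.flags.append("ActiveX control downloaded over plain HTTP")
    return e

def parse_log(text):
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]

def flagged(text):
    return [e for e in parse_log(text) if e.flags]

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.code:<4}{e.name!r:<40}{e.target}")
        for f in e.flags:
            print(f"      -> {f}")
```

    Run it on a saved log with `parse_log(open("hijackthis.log").read())`; every entry keeps its raw path so the flagged ones can be cross-checked against the process list and the O23 services the way the helpers in this thread do by hand.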
     
  21. 2007/01/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, none of the info contained in the logs is showing me the rk that ComboFix is saying is present; we may be dealing with a corrupt ComboFix.

    Download a new version and run it, see if it shows the rk present again.

    In the meantime I'm going to look for any other instances of problems with the tool.
     
