
Help needed with a HJT log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2007/01/05.

  1. 2007/01/08
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I downloaded a new copy of ComboFix and here's the log. The rootkits listed are the ones that I am seeing ZoneAlarm warnings about every time I try to run one of these programs:

    van crosby - 07-01-08 20:30:37.80 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\van crosby\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\windows


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


    2007-01-08 18:16 <DIR> d-------- C:\avenger
    2007-01-08 18:09 1,080 --a------ C:\boxbfkoc.bat
    2007-01-08 18:09 <DIR> d-------- C:\Rustbfix
    2007-01-08 16:37 <DIR> d-------- C:\WINDOWS\pss
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2006-12-10 18:47 <DIR> d-------- C:\Documents and Settings\van crosby\.limewire


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required
    Rootkit driver msguard is present. A rootkit scan is required
    Rootkit driver lzx32 is present. A rootkit scan is required

    2007-01-02 18:14 816672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
    2007-01-02 18:14 4960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
    2007-01-02 18:14 4224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
    2007-01-02 18:14 28416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
    2006-12-26 21:22 11776 --a------ C:\Documents and Settings\van crosby\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2006-10-02 19:33 533 --a------ C:\Documents and Settings\van crosby\Application Data\perfc012.dat
    2006-10-02 19:33 30 --a------ C:\Documents and Settings\van crosby\Application Data\FNTCACHE.BIN


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Aim6 "= "\ "C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp "
    "AIM "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray "= "SysTray.Exe "
    "Microsoft Works Portfolio "= "C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers "
    "Microsoft Works Update Detection "= "C:\\Program Files\\Microsoft Works\\WkDetect.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "REGSHAVE "= "C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:0000009d
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile "= "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "
    "MMTray "=" "
    "hpsysdrv "= "C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe "
    "Delay "= "C:\\WINDOWS\\delayrun.exe "
    "WorksFUD "= "C:\\Program Files\\Microsoft Works\\wkfud.exe "
    "USBMMKBD "= "usbmmkbd.exe "
    "Hidserv "= "Hidserv.exe run "
    "AT&T DSL Service PCA Program "= "C:\\Program Files\\AT&T\\DSL\\programs\\dslpca.exe /ws "
    "HP Component Manager "= "\ "C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\" "
    "AVG_CC "= "C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\WebReg 20041220203133.job
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1076889674.job
    C:\WINDOWS\tasks\{0281F0DB-E434-4195-B921-6470EC18C955}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F76F2F1E-36A8-49C9-9CEA-1095D9A85478}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F5401EC6-BE5F-440A-9E5F-95B1EF19331F}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{9795FA4A-0F34-4FAF-944D-57FE42E33983}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{8502E597-F733-44ED-AD7E-C3E455D561F1}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{9C5B637F-749C-44A0-A152-D678187536D6}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 07-01-08 20:34:35.66
    C:\ComboFix3.txt ... 07-01-07 10:36
    C:\ComboFix2.txt ... 07-01-07 17:06
    C:\ComboFix.txt ... 07-01-08 20:34
     
  2. 2007/01/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I need you to look for a log created by the RustockBFix:
    Thanks.
     


  4. 2007/01/09
    BillB Well-Known Member Thread Starter
    TeMerc,

    I posted the pelog.txt file previously; here is the avenger.txt file. This is from a run where it didn't appear to work; every run after that, it didn't produce this file.

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Error: could not create zip file.
    Error code: 80


    //////////////////////////////////////////


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\rncilwfh

    *******************


    Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

    Could not open script file! Status: 0xc0000034 Abort!
     
  5. 2007/01/10
    BillB Well-Known Member Thread Starter
    Did the Avenger text file help any?
     
  6. 2007/01/10
    TeMerc Inactive Alumni
    Bill, I've been waiting for some help on this. It just so happens she has been offline for the last couple of days, which usually means inclement weather or ISP problems. She is in Canada and this happens once a month or so for some reason.

    Sorry this is taking as long as it is, but I have not been able to find a proper solution on my own.

    Perhaps I'll just get in contact with the developer.

    Thanks for being patient.
     
  7. 2007/01/10
    BillB Well-Known Member Thread Starter
    No problem, I just thought I would see if that file was any good, and the owner is anxious about his PC. I just told him it was a big mess and it would take some time to get it right again. If he'd done what I've preached to him about, keeping the programs updated and doing the scans on a regular basis, he wouldn't be in this fix, or at least not this bad.
     
  8. 2007/01/15
    BillB Well-Known Member Thread Starter
    Hi Tom,

    Have you been able to make any progress on this? My friend was asking when he might get his PC back; I told him I didn't want to return it until I was sure it was clean.

    Thanks,

    Bill
     
  9. 2007/01/15
    TeMerc Inactive Alumni
    Yeah, I'm surprised they waited this long.

    It seems my associate is offline for an extended period of time, which is very odd. I've actually contacted others and we may be making an attempt at calling her, that's how concerned we are.

    I'm going to have the developer have a peek at this later today, to see if he notices anything offhand. I thought it was a zip file problem, but further research has tilted me away from that cause.

    Tell your friend thanks for being patient, I'll get back soon as I can.
     
  10. 2007/01/15
    BillB Well-Known Member Thread Starter
    No problem, thanks for the update.
     
  11. 2007/01/20
    BillB Well-Known Member Thread Starter
    Tom,

    I need to try to get this PC back to the owner by the first part of the week if possible. Have you made any progress yet?
     
  12. 2007/01/20
    TeMerc Inactive Alumni
    She has had major ISP problems and has not been online since the 7th.

    I'm going to try and send her an email to see if she gets through somehow; sorry about that.
     
  13. 2007/01/21
    TeMerc Inactive Alumni
    While we await a reply from Tammy, can you download a fresh RustockBFix tool and run it again? It's been updated since we started this.

    Also run ComboFix as well; it too has actually been combined with another version, which was originally targeted at Chinese infections.

    I'm curious if it still claims there is an lzx rk present.
     
  14. 2007/01/22
    BillB Well-Known Member Thread Starter
    I'll download them this morning and try to get them run during lunch. Will post the logs back when done.
     
  15. 2007/01/22
    BillB Well-Known Member Thread Starter
    Tom,

    Here are the logs:

    ************************* Rustock.b-fix -- By ejvindh *************************
    Mon 01/22/2007 16:26:09.69

    No Rustock.b-rootkits found

    ******************************* End of Logfile ********************************



    "van crosby" - 07-01-22 16:29:27 Service Pack 2
    ComboFix 07-01-21 - Running from: "C:\Documents and Settings\van crosby\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\start.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


    2007-01-08 18:16 <DIR> d-------- C:\avenger
    2007-01-08 18:09 1,080 --a------ C:\boxbfkoc.bat
    2007-01-08 18:09 <DIR> d-------- C:\Rustbfix
    2007-01-08 16:37 <DIR> d-------- C:\WINDOWS\pss
    2007-01-07 11:37 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
    2007-01-07 10:19 <DIR> d-------- C:\!KillBox
    2007-01-06 17:00 <DIR> d-------- C:\SDFix
    2007-01-03 17:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-01-02 21:10 <DIR> d-------- C:\hjt
    2007-01-02 18:14 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
    2007-01-02 18:14 18,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
    2007-01-01 14:28 <DIR> d-------- C:\DOCUME~1\VANCRO~1\Application Data\AOL OCP
    2007-01-01 14:28 <DIR> d-------- C:\DOCUME~1\VANCRO~1\Application Data\acccore
    2007-01-01 14:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
    2007-01-01 14:27 <DIR> d-------- C:\Program Files\AIM6


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-02 18:14 816672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
    2007-01-02 18:14 4960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
    2007-01-02 18:14 4224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
    2007-01-02 18:14 28416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
    2006-12-26 21:22 11776 --a------ C:\DOCUME~1\VANCRO~1\Application Data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini
    2006-10-02 19:33 533 --a------ C:\DOCUME~1\VANCRO~1\Application Data\perfc012.dat
    2006-10-02 19:33 30 --a------ C:\DOCUME~1\VANCRO~1\Application Data\fntcache.bin


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Aim6 "= "\ "C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp "
    "AIM "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SystemTray "= "SysTray.Exe "
    "Microsoft Works Portfolio "= "C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers "
    "Microsoft Works Update Detection "= "C:\\Program Files\\Microsoft Works\\WkDetect.exe "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "REGSHAVE "= "C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN "
    "Zone Labs Client "= "\ "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile "= "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "
    "MMTray "=" "
    "hpsysdrv "= "C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe "
    "Delay "= "C:\\WINDOWS\\delayrun.exe "
    "WorksFUD "= "C:\\Program Files\\Microsoft Works\\wkfud.exe "
    "USBMMKBD "= "usbmmkbd.exe "
    "Hidserv "= "Hidserv.exe run "
    "AT&T DSL Service PCA Program "= "C:\\Program Files\\AT&T\\DSL\\programs\\dslpca.exe /ws "
    "HP Component Manager "= "\ "C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\" "
    "AVG_CC "= "C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\" "
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE "
    "qikk "= "C:\\Program Files\\Common Files\\qikk\\qikkm.exe "
    "DNS "= "C:\\Program Files\\Common Files\\mc-110-12-0000487.exe "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "CDRAutoRun "=hex:00,00,00,00

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\WebReg 20041220203133.job
    C:\WINDOWS\tasks\Tune-up Application Start.job
    C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1076889674.job
    C:\WINDOWS\tasks\{0281F0DB-E434-4195-B921-6470EC18C955}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F76F2F1E-36A8-49C9-9CEA-1095D9A85478}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{F5401EC6-BE5F-440A-9E5F-95B1EF19331F}_HPPAV_Mike Crosby.job
    C:\WINDOWS\tasks\{9795FA4A-0F34-4FAF-944D-57FE42E33983}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{8502E597-F733-44ED-AD7E-C3E455D561F1}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\{9C5B637F-749C-44A0-A152-D678187536D6}_HPPAV_Cameron Crosby.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 07-01-22 16:32:14
    C:\ComboFix3.txt ... 07-01-07 17:06
    C:\ComboFix2.txt ... 07-01-08 20:34
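Comparing the two ComboFix runs in this thread by eye is what TeMerc does next ("I'm curious if it still claims there is an lzx rk present"). The helper below is an added example written for this thread, not ComboFix's code or either poster's: it pulls the "Rootkit driver X is present" lines and the "Reg Loading Points" section out of a ComboFix log and diffs the autostart entries between two runs. RUN1 and RUN2 are constructed excerpts shaped like the 07-01-08 and 07-01-22 logs above, not the full logs, and the value parser also accepts the whitespace-damaged quoting (`"name "= "value "`) in the thread's copy of the logs, including hex: data continued over several lines.

```python
import re

# Added example, not ComboFix's or either poster's code: pull the rootkit flags and
# the 'Reg Loading Points' section out of a ComboFix log and diff the autostart
# entries between two runs. RUN1/RUN2 are constructed excerpts, not the full logs.
ROOTKIT_RE = re.compile(r"^\s*Rootkit driver (\S+) is present", re.M)
KEY_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# Matches ComboFix's "name"="value" lines and the thread's damaged copy ("name "= "value ").
VALUE_RE = re.compile(r'^\s*"(?P<name>.*?)\s*"\s*=\s*(?P<raw>.*?)\s*$')
SECTION_START, SECTION_END = "Reg Loading Points", ("Contents of the", "Completion time:")

def clean_value(raw):
    """Undo .reg-style escaping; dword:/hex: data is returned as written."""
    raw = raw.strip()
    if raw.startswith(("dword:", "hex:")):
        return raw
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    raw = re.sub(r'\\\s*"', '"', raw)  # \" (or the damaged '\ "') -> "
    return raw.replace("\\\\", "\\").strip()  # \\ -> \

def parse_value_line(line):
    """One registry value line -> (name, cleaned value), or None."""
    m = VALUE_RE.match(line)
    return (m.group("name"), clean_value(m.group("raw"))) if m else None

def rootkit_flags(log):
    """Driver names from the 'Rootkit driver X is present' lines."""
    return ROOTKIT_RE.findall(log)

def reg_loading_points(log):
    """{key: {name: value}} for everything under 'Reg Loading Points'."""
    entries, key, pending, in_section = {}, None, None, False
    for line in log.splitlines():
        if not in_section:
            in_section = SECTION_START in line
            continue
        if line.strip().startswith(SECTION_END):
            break
        if pending:  # hex: data continued from a line that ended in '\'
            name, raw = pending[0], pending[1] + line.strip()
        else:
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                entries.setdefault(key, {})
                continue
            m = VALUE_RE.match(line)
            if not m or key is None:
                continue
            name, raw = m.group("name"), m.group("raw")
        if raw.endswith("\\"):
            pending = (name, raw[:-1])
            continue
        entries[key][name] = clean_value(raw)
        pending = None
    return entries

def _flat(log):
    return {(k, n.lower()): v for k, vals in reg_loading_points(log).items() for n, v in vals.items()}

def diff_autostarts(old_log, new_log):
    """(key, name) pairs that disappeared, appeared, or changed value between two runs."""
    old, new = _flat(old_log), _flat(new_log)
    return {"removed": sorted(k for k in old if k not in new),
            "added": sorted(k for k in new if k not in old),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}

# Constructed excerpt shaped like the 07-01-08 run posted above.
RUN1 = r'''
Rootkit driver pe386 is present. A rootkit scan is required
Rootkit driver msguard is present. A rootkit scan is required
Rootkit driver lzx32 is present. A rootkit scan is required
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"Position"=hex:2c,00,00,00,a0,00,\
  00,00,01,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DNS"="C:\\Program Files\\Common Files\\mc-110-12-0000487.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
Completion time: 07-01-08 20:34:35.66
'''
# Constructed excerpt shaped like the 07-01-22 run: no rootkit lines, and the
# newer build also hides "legit default entries".
RUN2 = r'''
(((((((((( Reg Loading Points ))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DNS"="C:\\Program Files\\Common Files\\mc-110-12-0000487.exe"
Completion time: 07-01-22 16:32:14
'''

if __name__ == "__main__":
    print("rootkit flags:", rootkit_flags(RUN1), "->", rootkit_flags(RUN2))
    for what, pairs in diff_autostarts(RUN1, RUN2).items():
        print(what, pairs)
```

Read the "removed" list with the tool version in mind: the 07-01-21 build states that "legit default entries are not shown", so the SharedTaskScheduler and desktop-component values vanish from the diff because of filtering, not because anything was cleaned. The rootkit flag list going from three driver names to none is the comparison that actually answers the question in the thread, and an entry that is still present in both runs (the "DNS" value under the .default hive, for instance) is the kind of item worth asking the helper about rather than assuming it is benign.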
     
  16. 2007/01/22
    TeMerc Inactive Alumni
    Well, nothing showing in the ComboFix log. Did the Rustock tool throw any errors like it did before? And is there an Avenger log contained like before? If so, dig it out and post it.

    I'd like to run another tool, which is not for any infection in particular that you have, but it too is very good at pointing out the lzx rk.

    Please download SmitfraudFix (by S!Ri). Save it to your desktop.

    Double-click SmitfraudFix.exe and it will install a new folder on your desktop, called SmitfraudFix. Shortly after that a DOS command window will appear. Once it opens, hit any key to continue.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.

    No need for a new HJT log, just the results from the SmitfraudFix tool.


    We won't be bothering with the second step to this fix, I'm only running it to see if it picks up lzx.

    Also, as it's been a while, and I'm lazy today and don't feel like re-reading the entire thread :p ... what problems are we addressing at this point? Anything odd or unusual? Let me know.
     
  17. 2007/01/22
    BillB Well-Known Member Thread Starter
    No odd behavior at this point that I've seen, just the rootkits showing up in the programs that we've run. No errors this time when running the programs, and no avenger file. I'll post the results of the smitfraud run soon.
     
  18. 2007/01/22
    BillB Well-Known Member Thread Starter
    Here's the SmitfraudFix report:

    SmitFraudFix v2.133

    Scan done at 23:13:32.45, Mon 01/22/2007
    Run from C:\Documents and Settings\van crosby\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\migicons.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\van crosby


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\van crosby\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\VANCRO~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  19. 2007/01/23
    TeMerc Inactive Alumni
    Oh, another little surprise: it found part of the Smitfraud nasty, but not a biggie; we'll run the second part of the fix, which will also repair some reg entries.

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    Please download, install, and update the free version of AVG Anti-Spyware 7.5. Save the file to your desktop.
    1. Double-click the file and select your language.
    2. Follow the prompts to install. The application will add three startups to your system; be sure to allow them if you have any real-time monitoring of your system.
    3. Once install has completed, run the program.
    4. Be sure the two options are enabled:
      • Resident shield
      • Automatic updates
    5. From the main AVG 'Status' screen, click the 'Update now' link; the update should begin automatically. If not, hit the [Manual Update] button to begin updating.
    6. After the update finishes, the status bar will display "Update successful".
    7. Click the 'Scanner' tab, and select the 'Settings' tab.
    8. Under 'How to act?' click 'Recommended actions' and select 'Quarantine'
    9. Under 'Reports' be sure to tick the radio button for 'Automatically generate report after each scan' and un-tick the 'Only if threats were found' box.
    10. Exit AVG. DO NOT run a scan yet.

    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open AVG. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • When the scan is finished, click the [Save report] button at the bottom of the screen.
    • Then hit the [Save report as] button.
    • Save the report to your desktop.
    • Click the 'Scanner' tab again and then click the [Apply all actions] button.
    • Close AVG
    Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG report and a new HijackThis log. (please edit out all 'cookies', 'Recycler folder' and 'restore\system volume folder' references from the AVG log)
     
  20. 2007/01/23
    BillB Well-Known Member Thread Starter
    Go figure, another infection. I'll try to get this done during lunch today and post the logs back.
     
  21. 2007/01/23
    TeMerc Inactive Alumni
    I just glanced through the thread; we may as well get as many scans as we can, so hit Panda and KAV, rebooting between each. We need to get as many 'opinions' on this box as possible.

    Panda ActiveScan
    • Click the [Scan your PC] button. ( You may have to disable any pop up blockers)
    • Then press the green [Check Now] button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install; it may take a few minutes for all components. (For XP SP2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.


    KAV SCAN
    Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a good while, even with hi-speed Internet access.
    Once the files have been downloaded click on Next

    Now click on [Scan Settings] button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the [Save as Text] button
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.

    **Note: please edit out any references to 'cookies', 'Recycler folder' and 'System Volume Information Folder' from all logs.
     
