Dealing with Diskcleaner infection and others

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2007/06/25.

  1. 2007/06/29
    Geri
    Hi BillB

    Please use Killbox again and kill this.

    C:\WINDOWS\System32\shmgrate.exe


    Please scan this file and post the results; there is malware with this file name along with a legit file. I want to make sure the one you have running is legit.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
      • C:\WINDOWS\System32\WScript.exe
    • Click on the submit button
    • Please post the results in your next reply.


    Then please call up Task Manager by pressing Ctrl + Alt + Delete, check the processes, and let me know which one(s) are running at high CPU.

    Also please make sure you check your PMs here.

    Thanks
    Geri
     
    Last edited: 2007/06/30
  2. 2007/06/30
    BillB (Thread Starter)
    Geri,

    I used Killbox as requested for that one file and rebooted. I ran the online check for the wscript.exe file as well and it didn't find any problem with it. Currently the process with the highest CPU use is 'System Idle Process'. I'm including another HJT log here too. As of right now, there is a significant improvement in the way this thing is running. The pop-ups seem to have stopped, both on and offline, the suspicious icons in the system tray are gone, and whatever was chewing up the hard drive seems to have stopped. It doesn't take but a few seconds to shut down now, where it was taking upwards of 15 mins. or more. I've PM'ed the log you requested also.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:28 AM, on 6/30/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\HiJackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     

  4. 2007/06/30
    Geri
    Hi BillB
    OK, that's great.

    Before we do the last clean-up, let's get an on-line scan. It may speed things up if you disable your AV when running the Kaspersky scan.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan":
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    I'll let you know about the other log, I'm being walked through it.

    Please post the Kaspersky log.

    Thanks
    Geri
     
  5. 2007/06/30
    BillB (Thread Starter)
    I'm attaching the Kaspersky report as a zip file; the text file was over a meg.

    Should I be doing these scans on both accounts on this machine?
     
  6. 2007/06/30
    Geri
    Hi BillB

    Almost all of that was in System Restore, so whatever you do, don't do a restore point.

    OK, kill these with Killbox.

    C:\WINDOWS\system32\monterreyj_olive.exe
    C:\WINDOWS\monterreyi_olive.exe


    I was told you should run another tool also, just to be on the safe side.

    Please download and run fixwareout.

    Please download FixWareout from here:
    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Once the desktop loads please post the text that will open (report.txt).

    We will get an HJT log from the other account after we are done here; not always, but most of the time they will come up clean.

    Please run ComboFix again and post the log along with the Fixwareout log.

    Thanks
    Geri
     
  7. 2007/06/30
    BillB (Thread Starter)
    I ran Killbox for the two files you mentioned, then ran Fixwareout and Combofix. Here are the log files.

    Fixwareout Last edited 6/27/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System "=" "
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....
    »»»»» Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6 "= "\ "C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp "
    "Windows Setup Manger "= "h "
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»


    ComboFix 07-06-18.2 - C:\Documents and Settings\Stephanie\Desktop\ComboFix.exe
    "Stephanie" - 2007-06-30 20:47:57 - Service Pack 1 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


    2007-06-30 20:43 5,090 --a------ C:\dnsbak.reg
    2007-06-30 15:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-30 15:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-06-29 18:33 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-06-27 08:40 <DIR> d-------- C:\!KillBox
    2007-06-26 11:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-25 22:28 <DIR> d-------- C:\Program Files\RogueRemover
    2007-06-25 22:19 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-25 22:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-25 22:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-25 22:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-25 18:48 <DIR> d-------- C:\I386
    2007-06-25 17:41 3,026 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-25 12:15 <DIR> d-------- C:\VundoFix Backups
    2007-06-25 12:03 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\Lavasoft
    2007-06-24 18:15 <DIR> d-------- C:\Hijackthis
    2007-06-24 16:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-06-24 13:22 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-24 10:01 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
    2007-06-24 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-24 09:49 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Lavasoft
    2007-06-23 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2007-06-20 21:47 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\DriveCleaner Free
    2007-06-20 18:31 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\DriveCleaner Free
    2007-06-20 17:57 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-06-20 17:57 <DIR> d-------- C:\Intel
    2007-06-20 17:54 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2007-06-20 17:54 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
    2007-06-20 17:22 33,792 --a------ C:\WINDOWS\ieuninst.exe
    2007-06-01 16:58 97,280 --a------ C:\WINDOWS\system32\monterreyi_olive.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-24 13:51:26 -------- d-----w C:\Program Files\LimeWire
    2007-06-24 13:49:16 -------- d-----w C:\Program Files\Lavasoft
    2007-06-23 22:59:38 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-07 23:02:55 15,891 ----a-w C:\WINDOWS\system32\msratnit.dll
    2007-06-01 02:34:59 97,280 ----a-w C:\WINDOWS\system32\monterreyg_olive.exe
    2007-05-16 20:25:30 97,280 ----a-w C:\WINDOWS\system32\monterreyf_olive.exe
    2007-05-12 00:37:10 -------- d-----w C:\Program Files\Audible
    2007-05-11 23:59:55 -------- d-----w C:\Program Files\Google
    2007-05-05 03:17:24 13 ----a-w C:\WINDOWS\system32\rasqervy.dll
    2007-05-03 22:55:24 -------- d-----w C:\Program Files\Common Files\iuuk
    2007-04-25 01:16:16 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 18:37]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-29 16:37]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" []
    "Windows Setup Manger "= "h" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-29 16:37]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-30 20:48:52
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-30 20:49:12
    C:\ComboFix-quarantined-files.txt ... 2007-06-30 20:49
    C:\ComboFix2.txt ... 2007-06-29 12:01
    C:\ComboFix3.txt ... 2007-06-25 22:25

    --- E O F ---
     
  8. 2007/06/30
    Geri
    Hi Bill
    Well, this seems to still be there.
    C:\WINDOWS\system32\monterreyi_olive.exe

    Let's try to delete it manually.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\monterreyi_olive.exe

    After that, Reboot.

    Run ComboFix again and check to see if it is still in the log.

    Let me know if it will delete.

    Geri
     
  9. 2007/06/30
    BillB (Thread Starter)
    Hi Geri,

    Ok, I was able to delete it manually; actually there were 5 of them with the same name but a different letter after the y. I got rid of all of them, and when I ran ComboFix they were not in the log.

    What's next?

    One more thought I had: should I delete all the restore points and wait until we are sure it's clean before turning it on again, since it seems the restore points are infected?
     
  10. 2007/06/30
    Geri
    Hi Bill
    They are not a threat unless you do a system restore; we will clean that up after we are sure the machine is clean.

    I also still see these in ComboFix; I would like you to log into each user account and delete them manually, if they are there.
    C:\DOCUME~1\Pete\APPLIC~1\DriveCleaner Free
    C:\DOCUME~1\STEPHA~1\APPLIC~1\DriveCleaner Free

    They will be here.
    C:\Documents and Settings\Stephanie\Application Data\Drivecleaner Free
    C:\Documents and Settings\Pete\Application Data\Drivecleaner Free

    Do you have any idea what this is? I can find no info on it.
    C:\Program Files\Common Files\iuuk

    (Note) I was told that it needs to go. Please delete it when you delete the DriveCleaner ones.

    We are almost done here, I believe; then I will want some logs from Pete's account.

    Geri
     
    Last edited: 2007/07/01
  11. 2007/07/01
    BillB (Thread Starter)
    Ok, all the folders are now gone. What's the next step?
     
  12. 2007/07/01
    Geri
    Hi Bill

    OK, log into Pete's account and give me an HJT log and a ComboFix log.

    Thanks
    Geri
     
  13. 2007/07/01
    BillB (Thread Starter)
    Hi Geri,

    Here you go.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:34:57 PM, on 7/1/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Hijackthis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {2514E651-23B9-2311-C13D-270791A0BBB7} - (no file)
    R3 - URLSearchHook: (no name) - {814422C7-E374-EDD7-0654-E11BC00213E3} - (no file)
    R3 - URLSearchHook: (no name) - {2A0D9D60-0ED2-5520-F09B-0DD58C26B5BA} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yxb] C:\Program Files\?asks\n?pdb.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iuuk] C:\PROGRA~1\COMMON~1\iuuk\iuukm.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS



    ComboFix 07-06-18.2 - C:\Documents and Settings\Pete\Desktop\ComboFix.exe
    "Pete" - 2007-07-01 16:32:19 - Service Pack 1 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\Pete\MYDOCU~1.\fnts~1
    C:\DOCUME~1\Pete\MYDOCU~1.\sstem3~1


    ((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


    2007-06-30 20:43 5,090 --a------ C:\dnsbak.reg
    2007-06-30 15:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-30 15:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-06-29 18:33 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-06-27 08:40 <DIR> d-------- C:\!KillBox
    2007-06-26 11:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-25 22:28 <DIR> d-------- C:\Program Files\RogueRemover
    2007-06-25 22:19 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-25 22:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-25 22:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-25 22:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-25 18:48 <DIR> d-------- C:\I386
    2007-06-25 17:41 3,026 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-25 12:15 <DIR> d-------- C:\VundoFix Backups
    2007-06-25 12:03 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\Lavasoft
    2007-06-24 18:15 <DIR> d-------- C:\Hijackthis
    2007-06-24 16:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-06-24 13:22 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-24 10:01 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
    2007-06-24 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-24 09:49 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Lavasoft
    2007-06-23 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2007-06-20 17:57 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-06-20 17:57 <DIR> d-------- C:\Intel
    2007-06-20 17:54 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2007-06-20 17:54 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
    2007-06-20 17:22 33,792 --a------ C:\WINDOWS\ieuninst.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-24 13:51:26 -------- d-----w C:\Program Files\LimeWire
    2007-06-24 13:49:16 -------- d-----w C:\Program Files\Lavasoft
    2007-06-23 22:59:38 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-07 23:02:55 15,891 ----a-w C:\WINDOWS\system32\msratnit.dll
    2007-05-12 00:37:10 -------- d-----w C:\Program Files\Audible
    2007-05-12 00:35:43 -------- d-----w C:\DOCUME~1\Pete\APPLIC~1\Sammsoft
    2007-05-12 00:31:35 -------- d-----w C:\DOCUME~1\Pete\APPLIC~1\ArcSoft
    2007-05-11 23:59:55 -------- d-----w C:\Program Files\Google
    2007-05-05 03:17:24 13 ----a-w C:\WINDOWS\system32\rasqervy.dll
    2007-04-25 01:16:16 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 18:37]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-29 16:37]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
    "Yxb "= "C:\Program Files\?asks\n?pdb.exe" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "iuuk "= "C:\PROGRA~1\COMMON~1\iuuk\iuukm.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-29 16:37]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-01 16:33:12
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-01 16:33:35
    C:\ComboFix ... 2007-07-01 16:33
    C:\ComboFix-quarantined-files.txt ... 2007-07-01 16:33
    C:\ComboFix2.txt ... 2007-06-30 22:44
    C:\ComboFix3.txt ... 2007-06-30 20:49

    --- E O F ---
     
  14. 2007/07/01
    Geri
    Hi Bill

    OK, just a few things.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {2514E651-23B9-2311-C13D-270791A0BBB7} - (no file)
    R3 - URLSearchHook: (no name) - {814422C7-E374-EDD7-0654-E11BC00213E3} - (no file)
    R3 - URLSearchHook: (no name) - {2A0D9D60-0ED2-5520-F09B-0DD58C26B5BA} - (no file)
    O4 - HKCU\..\Run: [Yxb] C:\Program Files\?asks\n?pdb.exe
    O4 - HKCU\..\Run: [iuuk] C:\PROGRA~1\COMMON~1\iuuk\iuukm.exe


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\?asks <<Note the ? mark
    C:\PROGRAM FILES\COMMON FILES\iuuk


    After that, Reboot.

    Please post a new HJT log into this thread.

    Let me know how things are running.

    Geri
     
    Last edited: 2007/07/01
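    The three kinds of entry Geri singles out above (hooks that end in "(no file)", a Run value whose path HJT prints with "?" characters, and a Run value such as [Windows Setup Manger] = h that is not a program path at all) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from the thread or from HijackThis; it parses HJT v1.99.1 entry lines into (section, body) pairs and applies those three checks to a constructed sample built from the logs posted here. An autorun like [iuuk] that looks like any other program is not caught by these rules and still needs an analyst.

```python
import re

# Constructed sample: HijackThis v1.99.1 entries modelled on the logs posted in
# this thread. HJT prints '?' for a character it cannot render, which is why the
# [Yxb] path below looks the way it does.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {2514E651-23B9-2311-C13D-270791A0BBB7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - HKCU\..\Run: [Yxb] C:\Program Files\?asks\n?pdb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iuuk] C:\PROGRA~1\COMMON~1\iuuk\iuukm.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
"""

# "O4 - HKCU\..\Run: [Name] command" -> section "O4", body "HKCU\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Registry Run/RunOnce form of an O4 body (Global Startup .lnk entries do not match)
RUN_RE = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# First executable path in a command line, quoted or not (paths may contain spaces)
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|sys|scr|com|bat|cmd|pif))(?:"|\s|$)', re.I)


def parse_hjt(text):
    """Return [(section, body), ...] for every HJT entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def exe_path(cmd):
    """Executable a Run value launches, or None if the value is not a program path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def assess(section, body):
    """Reason this entry deserves a look, or None if the rules see nothing."""
    if body.endswith("(no file)"):
        return "orphaned entry: registry still points at a file that is gone"
    if section == "O4":
        m = RUN_RE.match(body)
        if not m:
            return None
        exe = exe_path(m.group("cmd"))
        if exe is None:
            return f"Run value [{m.group('name')}] is not an executable path: {m.group('cmd')!r}"
        if "?" in exe:
            return "path contains characters HJT could not render ('?'); the real folder name is not what it looks like"
    return None


def triage(text):
    """Return [(section, reason, body), ...] for flagged entries, in log order."""
    findings = []
    for section, body in parse_hjt(text):
        reason = assess(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```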
  15. 2007/07/01
    BillB (Thread Starter)
    Hi Geri,

    I cleaned up the entries in HJT, but the folders you mentioned weren't there. Overall, things are pretty good with the machine, a big improvement over when I got it. There is one problem I haven't been able to figure out yet. When logged on with Stephanie's acct., I can change the desktop wallpaper by right-clicking on the desktop, making the change, and it works just fine. Under Pete's acct., when I right-click on the desktop and click on Properties, it gives me the display you see in the attached jpg file. If I go to Control Panel and open Display and change it there, it seems to take, but all I get is a white desktop. When the machine is booting under Pete's acct., I can see the desktop that I set until the icons load, then it changes to just plain white again. Not sure why this is happening. Here's the latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:13 PM, on 7/1/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  16. 2007/07/01 Geri
    Hi Bill

    OK

    While logged into Petes account please run SDfix and post the log.

    Geri
     
    Last edited: 2007/07/02
  17. 2007/07/02 BillB (Thread Starter)
    Hi Geri,

    Here's the SDFix report:

    SDFix: Version 1.88

    Run by Pete on Mon 07/02/2007 at 11:41 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\Documents and Settings\Pete\Desktop\phandler.php.url - Deleted



    Removing Temp Files...

    ADS Check:

    Checking C:\WINDOWS
    C:\WINDOWS
    No streams found.

    Checking C:\WINDOWS\system32
    C:\WINDOWS\system32
    No streams found.

    Checking C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Listing Files with Hidden Attributes:

    C:\Program Files\Windows Media Player\mplayer2.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
    C:\WINDOWS\LastGood.Tmp\INF\js56nen.inf
    C:\WINDOWS\LastGood.Tmp\INF\js56nen.PNF
    C:\WINDOWS\LastGood.Tmp\INF\mm20.inf
    C:\WINDOWS\LastGood.Tmp\INF\mm20.PNF
    C:\WINDOWS\LastGood.Tmp\INF\mm20ex.inf
    C:\WINDOWS\LastGood.Tmp\INF\mm20ex.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
    C:\WINDOWS\LastGood.Tmp\INF\q330994.inf
    C:\WINDOWS\LastGood.Tmp\INF\q330994.PNF
    C:\WINDOWS\LastGood.Tmp\INF\q822925.inf
    C:\WINDOWS\LastGood.Tmp\INF\q822925.PNF
    C:\WINDOWS\LastGood.Tmp\INF\vbs56nen.inf
    C:\WINDOWS\LastGood.Tmp\INF\vbs56nen.PNF
    C:\WINDOWS\LastGood.Tmp\INF\wm819639.inf
    C:\WINDOWS\LastGood.Tmp\INF\wm819639.PNF
    C:\WINDOWS\system32\config\default.tmp.LOG
    C:\WINDOWS\system32\config\SAM.tmp.LOG
    C:\WINDOWS\system32\config\SECURITY.tmp.LOG
    C:\WINDOWS\system32\config\software.tmp.LOG
    C:\WINDOWS\system32\config\system.tmp.LOG

    Listing User Accounts:


    Administrator ASPNET Guest
    HelpAssistant Pete Stephanie
    SUPPORT_388945a0


    Finished
     
  18. 2007/07/02 Geri
    Hi Bill
    Well, I'm just guessing, but that doesn't look like it solved the problem?

    OK, if not, do this.

    While on Pete's acct, go to Control Panel>Display>Desktop tab>Customize Desktop button>Web tab and delete the privacy_danger entry. Apply and OK your way out.
    There should not be any of the boxes in there checked. Let me know if you see anything that looks strange.

    Then test and see if you can change the desktop.

    Geri
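What Geri is removing here is an Active Desktop "web item": a local HTML page that the shell draws on top of the wallpaper, which matches what BillB describes (the chosen background is visible until the desktop finishes loading, then it is covered). Those items live under HKCU\Software\Microsoft\Internet Explorer\Desktop\Components, and the same family of desktop hijackers commonly also sets NoChangingWallPaper under HKCU\...\Policies\ActiveDesktop or NoDispBackgroundPage under HKCU\...\Policies\System, which is what to check if the Display properties stay greyed out after the item is gone. The script below is an added example, not from the thread: the registry paths are the documented ones; the allowlist of subscription hosts and the sample export (including the file path given for the privacy_danger item, which the thread does not state) are constructed. On Windows it reads HKCU live for the current user; elsewhere it runs on the constructed sample.

```python
"""Audit Active Desktop web items (the 'Web' tab) and the policies that lock
the wallpaper.  Added example, not from the thread.  Runs on the constructed
sample off-Windows; on Windows it reads the current user's hive."""
import re
import sys
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Per-user Active Desktop items and the policy values that lock Display settings.
COMPONENTS_KEY = r"Software\Microsoft\Internet Explorer\Desktop\Components"
POLICY_KEYS = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop": ("NoChangingWallPaper", "NoComponents"),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": ("NoDispBackgroundPage",),
}
# Assumption: hosts the user deliberately subscribed to; adjust per machine.
ALLOWED_HOSTS = {"intranet.example"}

# Constructed sample standing in for a registry export.  The privacy_danger
# item's file path is invented; the thread names only the item.
SAMPLE_COMPONENTS: Dict[str, Dict[str, str]] = {
    "0": {"FriendlyName": "privacy_danger", "Source": r"C:\WINDOWS\privacy_danger\index.htm"},
    "1": {"FriendlyName": "Weather", "Source": "http://intranet.example/weather.htm"},
}
SAMPLE_POLICIES: Dict[str, int] = {"NoChangingWallPaper": 1, "NoDispBackgroundPage": 0}

# Drive letter, UNC path or file: scheme -> the desktop is a local HTML page.
LOCAL_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|file:)", re.IGNORECASE)


def classify_source(source: str) -> Optional[str]:
    """Reason string if a web item's Source is suspect, else None."""
    s = source.strip()
    if not s:
        return None
    if LOCAL_RE.match(s):
        return "local HTML file rendered as the desktop background"
    host = urlparse(s).hostname
    if host in ALLOWED_HOSTS:
        return None
    return f"remote item from non-allowlisted host {host!r}"


def audit(components: Dict[str, Dict[str, str]], policies: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for suspect items and any lock-down policy that is set."""
    findings: List[Tuple[str, str]] = []
    for idx, vals in components.items():
        reason = classify_source(vals.get("Source", ""))
        if reason:
            findings.append(("component", f"{idx} ({vals.get('FriendlyName', '?')}): {reason}"))
    for name, value in policies.items():
        if value:
            findings.append(("policy", f"{name}={value} locks the Display/Desktop settings"))
    return findings


def read_live() -> Tuple[Dict[str, Dict[str, str]], Dict[str, int]]:
    """Windows only: enumerate the real keys for the current user."""
    import winreg

    def values_of(key) -> Dict[str, str]:
        vals, j = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, j)
            except OSError:
                return vals
            vals[name] = data
            j += 1

    components: Dict[str, Dict[str, str]] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS_KEY) as k:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(k, i)
                except OSError:
                    break
                i += 1
                with winreg.OpenKey(k, sub) as sk:
                    components[sub] = values_of(sk)
    except OSError:
        pass
    policies: Dict[str, int] = {}
    for path, names in POLICY_KEYS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
                for n in names:
                    try:
                        policies[n] = winreg.QueryValueEx(k, n)[0]
                    except OSError:
                        pass
        except OSError:
            pass
    return components, policies


if __name__ == "__main__":
    comps, pols = read_live() if sys.platform == "win32" else (SAMPLE_COMPONENTS, SAMPLE_POLICIES)
    for kind, detail in audit(comps, pols):
        print(f"{kind}: {detail}")
```

Run it as the affected user (here Pete), since the keys are per-user, which is why the problem showed up in one account and not the other. Deleting the item through the Web tab as Geri describes removes the Components subkey; a policy finding has to be cleared separately.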
     
  19. 2007/07/02 BillB (Thread Starter)
    That fixed it, I can change the desktop background now. How does everything else look in the logs? I can't believe this machine is running as well as it is now. I really thought it was going to take wiping it and reloading Windows to fix it. This had to be about the worst I've seen when I got it.
     
  20. 2007/07/02 Geri
    Hi Bill

    OK, let's do a couple of things, then we will clean up.

    Please give me a Kaspersky on-line scan. I want to make sure there is nothing lurking.

    Run ATF just before doing the scan, that should cut down on the cookies that show up.
    If the scan looks good then we will finish up with the rest of the clean up.

    Geri
     
  21. 2007/07/03 BillB (Thread Starter)
    Hi Geri,

    I'm attaching a zip file with the Kaspersky scan results in it.
     
