
Trojan Adclicker shutting down pc!

Discussion in 'Malware and Virus Removal Archive' started by Dion, 2008/07/22.

  1. 2008/07/31
    Dion

    Dion Inactive Thread Starter

    Joined:
    2005/01/07
    Messages:
    53
    Likes Received:
    0
    ComboFix would not run! Bright blue screen before the Windows setup screen

    Hi again, I tried running CF after copying the file code and it would not react! Deleted it and recopied, still didn't do anything. I also noticed that after the Ctrl+Alt+Del and password required for Windows to start, a bright blue screen shows up and then it goes into the "setting your personal..." screen. Am I doing something wrong? I'm still trying to run CF.
     
  2. 2008/07/31
    Dion, Thread Starter
    None of the removal programs are working!

    Neither ComboFix, DSS nor HJT is responding. I looked at the registry and it shows "default - value not set" and braviax in the HKEY_CURRENT_USER Run folder, plus three other programs I know: HP updater, Money and Adobe. Should I shut down the PC, or else something else will keep going bad? Oh please, I can't lose my data!
     


  4. 2008/07/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, this may have been my fault; I did not notice the code box didn't work.

    Try this code box.
    Code:
    File::
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wlnd.exe
    Thanks
    Geri
     
  5. 2008/07/31
    Dion, Thread Starter
    Nothing runs

    Thanks, since I saw braviax in the registry again I added the line to the previous CFScript, threw it in CF and ran it, but still no reaction. I also noticed in the CF Properties Security tab that it has two admin users, one with an s at the end, the other singular. Is that right?
     
  6. 2008/07/31
    Geri
    Hi Dion
    OK, let's do this again, just to make sure things are as they should be.

    Do this first.

    Click Start > Run; in the Run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

    Now download this one and do the CFScript.

    Download ComboFix from Here to your Desktop.

    Code:
    File::
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wlnd.exe
    If you need to, do it in Safe Mode. Post the log if you get one, and a new DSS log.

    Thanks
    Geri
     
  7. 2008/08/01
    Dion, Thread Starter
    ComboFix did not run, manually deleted file, ran MBAM

    Thanks for working with me.... I see no movement in Safe Mode, ComboFix did not react,
    so I deleted wlnd from the directory and deleted braviax from the registry in order to start normally and try again. There I tried to uninstall ComboFix, again no movement... But I loaded the new CF and script and nothing happened. I then ran MBAM; also Norton alerts show corrupt or ? need to reinstall... I'll run DSS afterwards and post both logs when they're done. Could I post a screen print? The big red X is again on the clock bar and the bubble says Windows detects antispyware infection. I'll be back.
     
  8. 2008/08/01
    Dion, Thread Starter
    Here is the MBAM log!

    Wow! MBAM found lots of things! How could it get more since I have not gone on the Internet? I've avoided it just to keep any more off! Scary.
    Here is the log: DSS would not run.

    Malwarebytes' Anti-Malware 1.22
    Database version: 982
    Windows 5.0.2195 Service Pack 3

    4:52:15 PM 8/1/2008
    mbam-log-8-1-2008 (16-51-42).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 83648
    Time elapsed: 42 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\winnt\system32\cru629.dat -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINNT\cru629.dat (Trojan.FakeAlert) -> No action taken.
    C:\WINNT\SYSTEM32\cru629.dat (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Administrator\delself.bat (Malware.Trace) -> No action taken.
    C:\WINNT\SYSTEM32\DRIVERS\beep.sys (Fake.Beep.Sys) -> No action taken.
    C:\WINNT\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.Sys) -> No action taken.
    C:\WINNT\SYSTEM32\univrs32.dat (Trojan.Agent) -> No action taken.
    C:\WINNT\braviax.exe (Trojan.Downloader) -> No action taken.
    C:\WINNT\SYSTEM32\braviax.exe (Trojan.FakeAlert) -> No action taken.

    I rebooted and Norton is there now! It said it removed Trojan perfcoo, yet it keeps coming up with the alert over and over. DSS is now running!
     
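Read as data rather than prose, the MBAM log above says two things that matter for the next step: every detection ends in "No action taken", so nothing has been removed yet, and one hit is a registry value (AppInit_DLLs) that still points at cru629.dat. The Python script below is an added example for this thread, not MBAM's or the forum's code. The embedded log is a constructed excerpt of Dion's post, and the only format assumption is the one visible above: section headers end in "Infected:", summary lines carry a count, and each item reads `path (family) -> [Data: value ->] action.`

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example for this thread; not MBAM's own code. SAMPLE_LOG is a
constructed excerpt of the log posted above.
"""
import re

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.22
Database version: 982
Windows 5.0.2195 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 83648

Registry Data Items Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\winnt\system32\cru629.dat -> No action taken.

Files Infected:
C:\WINNT\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\WINNT\SYSTEM32\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\delself.bat (Malware.Trace) -> No action taken.
C:\WINNT\SYSTEM32\DRIVERS\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINNT\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINNT\SYSTEM32\univrs32.dat (Trojan.Agent) -> No action taken.
C:\WINNT\braviax.exe (Trojan.Downloader) -> No action taken.
C:\WINNT\SYSTEM32\braviax.exe (Trojan.FakeAlert) -> No action taken.
"""

# "Files Infected: 8" is a summary count; "Files Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# path (family) -> [Data: value ->] action.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)


def parse_mbam_log(text):
    """Return (summary, findings): summary maps section name to the claimed
    count, findings maps section name to a list of parsed item dicts."""
    summary, findings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
                current = None
            else:
                current = m.group("name")
                findings.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings[current].append(m.groupdict())
    return summary, findings


def counts_match(summary, findings):
    """True when each parsed section holds as many items as the summary
    claims; a mismatch usually means the log was truncated when pasted."""
    return all(len(findings.get(name, [])) == n for name, n in summary.items())


def not_removed(findings):
    """Detections the scan left in place ("No action taken")."""
    return [f["item"] for group in findings.values() for f in group
            if f["action"].lower().startswith("no action")]


def referenced_by_registry(findings):
    """Loader-point values that still name a file on disk, keyed by value."""
    return {f["item"]: f["data"]
            for f in findings.get("Registry Data Items Infected", []) if f["data"]}


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_match(summary, findings))
    print("still present:", len(not_removed(findings)))
    for value, target in referenced_by_registry(findings).items():
        print("registry value", value, "->", target)
```

counts_match() is the sanity check to run before acting on a pasted log. The two beep.sys hits are a caveat worth knowing: the genuine driver lives in system32\drivers with a protected copy in dllcache, and replacing both defeats Windows File Protection, which would otherwise restore the original from dllcache. Deleting both leaves no beep driver at all, so the clean copy should be restored from the Windows 2000 media rather than only removed.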
  9. 2008/08/01
    Dion, Thread Starter
    DSS Log

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-08-01 17:06:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:09:55 PM, on 8/1/2008
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\S24EvMon.exe
    C:\WINNT\System32\wltrysvc.exe
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINNT\system32\basfipm.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\RegSrvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\RoamMgr.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\Program Files\Intel\Switching\User\RoamSvc.exe
    C:\WINNT\system32\ZCfgSvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\system32\hphmon06.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Microsoft Money\System\reminder.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Dynex Wireless Networking Utility.lnk = C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office00\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4338/mcfscan.cab
    O20 - AppInit_DLLs: C:\WINNT\system32\cru629.dat
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
    O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
    O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe
    O24 - Desktop Component 0: (no name) - http://bp2.blogger.com/_aLkNPLFRQYo/Rr1h9-oozHI/AAAAAAAAACY/ckU6letc8OU/s320/Theotokos.jpg

    --
    End of file - 13322 bytes

    -- Files created between 2008-07-01 and 2008-08-01 -----------------------------

    2008-08-01 16:53:57 675372 ---h----- C:\WINNT\ShellIconCache
    2008-07-26 15:58:41 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_990.dat
    2008-07-26 15:57:32 68096 --a------ C:\WINNT\zip.exe
    2008-07-26 15:57:32 49152 --a------ C:\WINNT\VFind.exe
    2008-07-26 15:57:32 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-26 15:57:32 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-26 15:57:32 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-26 15:57:32 98816 --a------ C:\WINNT\sed.exe
    2008-07-26 15:57:32 80412 --a------ C:\WINNT\grep.exe
    2008-07-26 15:57:32 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-23 05:40:44 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_9cc.dat
    2008-07-23 04:53:32 0 d-------- C:\Program Files\Trend Micro
    2008-07-23 04:23:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-07-23 04:23:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-23 04:23:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-22 18:19:50 0 d-------- C:\WINNT\LMI48F.tmp
    2008-07-22 18:19:41 0 d-------- C:\WINNT\LMI48E.tmp


    -- Find3M Report ---------------------------------------------------------------

    2008-08-01 17:11:19 6144 --a------ C:\WINNT\system32\cru629.dat
    2008-08-01 17:00:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2008-07-30 04:07:51 0 d-a------ C:\Program Files\Common Files
    2008-07-23 04:25:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-19 20:21:18 0 d-------- C:\Program Files\Norton Internet Security
    2008-06-25 06:49:33 0 d-------- C:\Program Files\Intuit
    2008-06-02 20:38:06 0 d-------- C:\Program Files\Symantec


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [07/24/02 01:00p C:\WINNT\SYSTEM32\MOBSYNC.EXE]
    "Apoint "= "C:\Program Files\Apoint\Apoint.exe" [08/23/02 02:28a]
    "ATIModeChange "= "Ati2mdxx.exe" [09/04/01 11:24p C:\WINNT\SYSTEM32\Ati2mdxx.exe]
    "CARPService "= "carpserv.exe" [01/23/03 10:06p C:\WINNT\SYSTEM32\carpserv.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/04/03 12:00a]
    "PRPCMonitor "= "PRPCUI.exe" [10/07/02 10:00a C:\WINNT\SYSTEM32\prpcui.exe]
    "PRONoMgr.exe "= "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [12/18/02 09:20p]
    "DVDSentry "= "C:\WINNT\System32\DSentry.exe" [07/17/02 05:18p]
    "CreateCD50 "= "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [12/17/02 08:14p]
    "AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/02 07:28p]
    "CMPDPSRV "= "C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE" [10/31/01 01:25p]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [01/05/04 11:47p]
    "msnappau "= "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [06/09/05 02:56p]
    "HPDJ Taskbar Utility "= "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [11/03/02 05:56p]
    "HPHUPD06 "= "C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [06/06/04 11:53p]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/04 03:18p]
    "HPHmon06 "= "C:\WINNT\system32\hphmon06.exe" [06/06/04 11:42p]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/11/08 05:22p]
    "SSC_UserPrompt "= "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/04 03:59p]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [12/15/05 11:18a]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\Quickset.exe" [12/18/02 03:16a]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder "= "C:\Program Files\Microsoft Money\System\reminder.exe" [07/24/98 11:00p]
    "H/PC Connection Agent "= "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [04/22/05 07:19p]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/06 04:45p]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/11/2003 6:19:27 AM]
    Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe [11/24/2007 3:32:49 AM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [12/15/2005 11:40:44 AM]
    HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [5/28/2004 11:06:36 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office00\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [10/2/2007 9:03:35 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
    WcesWlgn.dll 04/22/05 07:19p 7168 C:\WINNT\SYSTEM32\WcesWlgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINNT\System32\LgNotify.dll 01/13/03 12:17a 110592 C:\WINNT\SYSTEM32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINNT\system32\cru629.dat

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    Domestic Security Version 4.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "




    -- End of Deckard's System Scanner: finished at 2008-08-01 17:14:46 ------------

    OK, getting closer! Let me know when I can go online and update and get a new virus protector!
     
  10. 2008/08/01
    Dion, Thread Starter
    Trying to run ComboFix

    I rebooted and every program beeps the Windows message screen, such as "NIRCMD.com - Bad Image", and the body says: "The application or DLL C:\WINNT\system32\cru629.dat is not a valid Windows image". This pops up for every application that runs. Should I run ComboFix now? I don't see the entries the code box wanted to delete but I'll apply it anyway...
     
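The symptom in the post above is the textbook AppInit_DLLs failure. The value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows still names cru629.dat (HijackThis line O20, and the "appinit_dlls" entry in the DSS registry dump); user32.dll loads whatever that value names into every process that links user32, so once the file is gone or unloadable each program launch throws "Bad Image". Windows 2000 has no LoadAppInit_DLLs switch to turn the mechanism off; the value itself has to be cleared, which is what the later ComboFix run did (cru629.dat appears under "Other Deletions" and the popups stopped). The script below is an added example for this thread, not HijackThis or ComboFix code: it pulls the O20 line out of a constructed HJT excerpt, checks it against an assumed list of files on disk (the thread does not say whether cru629.dat still existed at this point, so both cases are handled) and states what has to change.

```python
"""Triage the AppInit_DLLs loader point from HijackThis O20 lines.

Added example for this thread; not HijackThis or ComboFix code. The log
excerpt and the on-disk file list are constructed from the thread.
"""
import re
import ntpath

# Constructed from the DSS/HJT log posted above; the O4/O23 lines are there
# only so the parser has to ignore them.
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - AppInit_DLLs: C:\WINNT\system32\cru629.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""

# Assumed stand-in for "what is on disk": cru629.dat already removed (by hand
# or by Norton) while the registry value still names it.
FILES_ON_DISK = {
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
    r"C:\WINNT\System32\Ati2evxx.exe",
}

APPINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+?)\s*$")


def parse_appinit(lines):
    """Module paths named by O20 lines. Windows reads the value as a space- or
    comma-delimited list, which is why a path containing a space has to be
    written with its 8.3 short name to work there."""
    mods = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m:
            mods.extend(p for p in re.split(r"[ ,]+", m.group("value")) if p)
    return mods


def audit_appinit(lines, files_on_disk):
    """One verdict per module: dangling, suspicious, or review."""
    present = {p.lower() for p in files_on_disk}
    verdicts = []
    for mod in parse_appinit(lines):
        if mod.lower() not in present:
            verdict = "dangling"     # value set, file gone: Bad Image on every launch
        elif ntpath.splitext(mod)[1].lower() != ".dll":
            verdict = "suspicious"   # a .dat/.exe injected into every GUI process
        else:
            verdict = "review"       # plausible; still check publisher and file age
        verdicts.append({"module": mod, "verdict": verdict})
    return verdicts


def remediation(verdicts):
    """Files to delete plus the registry value to clear. Clearing the value is
    the essential step: removing only the file is exactly what produced the
    wall of Bad Image popups described above."""
    bad = [v for v in verdicts if v["verdict"] in ("dangling", "suspicious")]
    return {
        "delete": [v["module"] for v in bad if v["verdict"] == "suspicious"],
        "clear_value": APPINIT_VALUE if bad else None,
    }


if __name__ == "__main__":
    verdicts = audit_appinit(HJT_EXCERPT.splitlines(), FILES_ON_DISK)
    for v in verdicts:
        print(v["verdict"], v["module"])
    print(remediation(verdicts))
```

The "review" verdict is deliberately not a pass: AppInit_DLLs was a popular persistence point precisely because a legitimately named .dll sitting there gets loaded by everything, so a real .dll should still be checked by hash and publisher before it is left alone.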
  11. 2008/08/01
    Dion, Thread Starter
    ComboFix Log

    When CF was shutting down, the message "registry maximum entry is too low, Windows may not operate properly" appeared. Pop-ups stopped; now just one before the log saying that not all entries were written, some were left open? Can't recall exactly... At least it ran and no more red dot or alerts!! Thank you, thank you, thank you! Let me know when I could go online and update plus get better antivirus protection! ;):)

    Here is the log:
    ComboFix 08-07-31.06 - Administrator 08/01/2008 17:56:13.3 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.305 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Administrator\delself.bat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wlnd.exe
    C:\WINNT\LMI48E.tmp
    C:\WINNT\LMI48F.tmp
    C:\WINNT\system32\braviax.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINNT\system32\cru629.dat
    C:\WINNT\t\

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
    .

    2008-08-01 16:53 . 08-08-01 17:30 676,046 ---h----- C:\WINNT\ShellIconCache
    2008-07-23 05:15 . 08-07-23 05:15 <DIR> d-------- C:\Deckard
    2008-07-23 04:53 . 08-07-23 04:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-23 04:23 . 08-07-23 04:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 04:23 . 08-07-23 04:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-23 04:23 . 08-07-23 04:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-07-23 04:23 . 08-07-20 20:21 38,472 --a------ C:\WINNT\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-07-23 04:23 . 08-07-20 20:21 17,144 --a------ C:\WINNT\SYSTEM32\DRIVERS\mbam.sys
    2008-07-22 18:19 . 08-07-22 18:19 <DIR> d-------- C:\WINNT\LMI48F.tmp
    2008-07-22 18:19 . 08-07-22 18:20 <DIR> d-------- C:\WINNT\LMI48E.tmp
    2008-07-20 07:05 . 08-07-20 07:05 137 --a------ C:\WINNT\SYSTEM32\MRT.INI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-01 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2008-07-23 09:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-20 01:21 --------- d-----w C:\Program Files\Norton Internet Security
    2008-06-25 11:49 --------- d-----w C:\Program Files\Intuit
    2008-06-03 01:38 805 ----a-w C:\WINNT\system32\drivers\SYMEVENT.INF
    2008-06-03 01:38 123,952 ----a-w C:\WINNT\system32\drivers\SYMEVENT.SYS
    2008-06-03 01:38 10,671 ----a-w C:\WINNT\system32\drivers\SYMEVENT.CAT
    2008-06-03 01:38 --------- d-----w C:\Program Files\Symantec
    2006-06-20 21:55 45,511,639 ----a-w C:\Program Files\NIS06910IE.exe
    2006-03-30 23:05 0 ----a-w C:\Program Files\error.dat
    2005-11-10 23:15 3,932 ----a-w C:\Documents and Settings\Administrator\Application Data\CMLayout.dat
    2005-11-10 23:15 268 ----a-w C:\Documents and Settings\Administrator\Application Data\CMCPaper.dat
    2003-01-22 22:08 271 ---ha-w C:\Program Files\DESKTOP.INI
    2003-01-22 22:08 21,952 ---ha-w C:\Program Files\FOLDER.HTT
    2001-05-21 14:54 3,932 ------w C:\Documents and Settings\Default User\Application Data\CMLayout.dat
    .

    ((((((((((((((((((((((((((((( snapshot@Sat 2008-07-26_16.03.06.98 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 01:02:28 163,328 ----a-w C:\WINNT\ERDNT\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder "= "C:\Program Files\Microsoft Money\System\reminder.exe" [98-07-24 23:00 36352]
    "H/PC Connection Agent "= "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [05-04-22 19:19 1196032]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "C:\Program Files\Apoint\Apoint.exe" [02-08-23 02:28 143360]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03-01-04 00:00 294912]
    "PRONoMgr.exe "= "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [02-12-18 21:20 86016]
    "DVDSentry "= "C:\WINNT\System32\DSentry.exe" [02-07-17 17:18 28672]
    "CreateCD50 "= "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-12-17 20:14 131157]
    "AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [02-12-17 19:28 684032]
    "CMPDPSRV "= "C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE" [01-10-31 13:25 45056]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [04-01-05 23:47 98304]
    "msnappau "= "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [05-06-09 14:56 219648]
    "HPDJ Taskbar Utility "= "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [02-11-03 17:56 188416]
    "HPHUPD06 "= "C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [04-06-06 23:53 49152]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04-05-12 15:18 241664]
    "HPHmon06 "= "C:\WINNT\system32\hphmon06.exe" [04-06-06 23:42 659456]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08-02-11 17:22 53096]
    "SSC_UserPrompt "= "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 15:59 218240]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05-12-15 11:18 49152]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\Quickset.exe" [02-12-18 03:16 360448]
    "Synchronization Manager "= "mobsync.exe" [02-07-24 13:00 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
    "ATIModeChange "= "Ati2mdxx.exe" [01-09-04 23:24 28672 C:\WINNT\SYSTEM32\Ati2mdxx.exe]
    "CARPService "= "carpserv.exe" [03-01-23 22:06 4608 C:\WINNT\SYSTEM32\carpserv.exe]
    "PRPCMonitor "= "PRPCUI.exe" [02-10-07 10:00 45568 C:\WINNT\SYSTEM32\prpcui.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [02-07-24 13:00 186640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-08-11 06:19:27 24576]
    Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe [2007-11-24 03:32:49 1454080]
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]
    HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office00\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-02 21:03:35 815104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    03-01-13 00:17 110592 C:\WINNT\SYSTEM32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
    05-04-22 19:19 7168 C:\WINNT\SYSTEM32\WcesWlgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "= mmdrv.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    Domestic Security Version 4.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [03-01-22 16:52 ]
    R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 18:11 ]
    R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys [03-01-22 16:52 ]
    R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [02-12-17 19:29 ]
    R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [02-10-07 10:00 ]
    R3 MIPMN;Intel Adapter Switching Driver;C:\WINNT\system32\DRIVERS\mipmn2k.sys [02-11-22 21:09 ]
    R3 usbhub20;USB Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-01-15 18:46 ]
    R3 w70n5;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINNT\system32\DRIVERS\w70n5.sys [03-01-12 21:11 ]
    S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINNT\system32\Drivers\BrSerIf.sys [04-06-12 00:27 ]
    S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINNT\system32\Drivers\BrUsbSer.sys [04-01-09 23:28 ]
    S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 19:22 ]
    S3 HPPLSBULK;HPPLSBULK;C:\WINNT\system32\drivers\hpplsbulk.sys [05-02-02 18:29 ]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINNT\system32\Drivers\PCASp50.sys []
    S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys [05-02-28 16:45 ]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-05-19 C:\WINNT\Tasks\DFRG.job
    - C:\WINNT\SYSTEM32\DFRG.MSC [07-04-04 09:35 ]

    2008-07-02 C:\WINNT\Tasks\Studiopa 1094706297.job
    - C:\Program Files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [07-10-02 20:00 ]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-01 18:08:03
    Windows 5.0.2195 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-01 18:16:44 - machine was rebooted [Administrator]
    ComboFix-quarantined-files.txt 2008-08-01 23:16:26
    ComboFix2.txt 2008-07-30 09:10:33
    ComboFix3.txt 2008-07-26 21:03:34

    Pre-Run: 26,989,099,520 bytes free
    Post-Run: 26,907,384,832 bytes free

    143 --- E O F --- 2008-07-20 12:07:44
     
  12. 2008/08/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Dion
    OK go on-line and run MBAM again.

    It's important to make sure you check for updates before running the scan.

    Also, you did not let MBAM clean the infection, see here...
    C:\WINNT\cru629.dat (Trojan.FakeAlert) -> No action taken.
    Here are the instructions for MBAM.
    • Click the Update tab, then click Check for updates.
    • Once the program has updated click the scanner tab, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Please post the MBAM log.
    What anti-virus are you planning on going to?
    Make sure you let me know before you remove Norton, there is a removal tool you will need to use.

    Thanks
    Geri
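As an added example (not from this thread, and not Malwarebytes' own code), a small Python parser for MBAM log text in the layout posted here: it separates the summary counts from the listed detections and flags any left at "No action taken", which is the problem pointed out above. The log it parses is constructed for the example in the style of the logs in this thread.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) scan logs and flag detections that
the user left at "No action taken" instead of letting MBAM remove them."""
import re
from dataclasses import dataclass

# Constructed sample log (not a real scan) in the layout of the MBAM 1.24 logs
# posted in this thread: a summary block, then one section per category.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.0.2195 Service Pack 3

Scan type: Quick Scan
Objects scanned: 36388
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ias (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\cru629.dat (Trojan.FakeAlert) -> No action taken.
"""


@dataclass(frozen=True)
class Detection:
    section: str  # category heading, e.g. "Files Infected"
    item: str     # file path or registry key
    family: str   # MBAM detection name, e.g. "Trojan.FakeAlert"
    action: str   # what MBAM did, taken from the text after "->"


# Summary line:    "Registry Keys Infected: 1"
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Section heading: "Registry Keys Infected:"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Detection line:  "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, detections) for one MBAM log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := COUNT_RE.match(line)):
            counts[m["name"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["name"]
        elif section and not line.startswith("(No malicious items"):
            if (m := DETECTION_RE.match(line)):
                detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return counts, detections


def untreated(detections):
    """Detections the user declined to clean; these need another MBAM run."""
    return [d for d in detections if d.action.lower().startswith("no action")]


def counts_consistent(counts, detections):
    """True when the non-zero summary counts match the detection lines listed,
    which catches a log that was truncated when pasted into a forum post."""
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {k: v for k, v in counts.items() if v} == listed


if __name__ == "__main__":
    summary, found = parse_mbam_log(SAMPLE_LOG)
    print("summary consistent:", counts_consistent(summary, found))
    for d in untreated(found):
        print(f"UNTREATED {d.section}: {d.item} [{d.family}]")
```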
     
  13. 2008/08/02
    Dion

    Dion Inactive Thread Starter

    Joined:
    2005/01/07
    Messages:
    53
    Likes Received:
    0
    New MBAM, HJT log

    Hi Geri, thanks for your patience again. The PC had gone into night mode and when I put it on it came up from start up; I didn't know how to pull up the "fix" button again without rescanning and I so wanted to post the log! :eek: sorry. I just ran the updated quick scan and here are the MBAM and HJT logs:
     
  14. 2008/08/02
    Dion

    Dion Inactive Thread Starter

    Joined:
    2005/01/07
    Messages:
    53
    Likes Received:
    0
    Can't open my thread! Has the page icon?

    I tried to post to my thread and couldn't! Could you pls combine or continue here! Merged
    These are the MBAM and HJT logs sent from Lovely PC now!:D
    Malwarebytes' Anti-Malware 1.24
    Database version: 1015
    Windows 5.0.2195 Service Pack 3

    7:12:13 AM 8/2/2008
    mbam-log-8-2-2008 (07-12-13).txt

    Scan type: Quick Scan
    Objects scanned: 36388
    Time elapsed: 5 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ias (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:12:42 AM, on 8/2/2008
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\S24EvMon.exe
    C:\WINNT\System32\wltrysvc.exe
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINNT\system32\basfipm.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\RegSrvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\RoamMgr.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\system32\ZCfgSvc.exe
    C:\Program Files\Intel\Switching\User\RoamSvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\system32\hphmon06.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Microsoft Money\System\reminder.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Dynex Wireless Networking Utility.lnk = C:\Program Files\Dynex Enhanced G Notebook Card Adapter\DynexWCUI.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office00\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4338/mcfscan.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\hpboid.exe
    O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
    O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe
    O24 - Desktop Component 0: (no name) - http://bp2.blogger.com/_aLkNPLFRQYo/Rr1h9-oozHI/AAAAAAAAACY/ckU6letc8OU/s320/Theotokos.jpg

    --
    End of file - 13467 bytes
     
  15. 2008/08/02
    Dion

    Dion Inactive Thread Starter

    Joined:
    2005/01/07
    Messages:
    53
    Likes Received:
    0
    New Antivirus

    Oh yes, Geri, I would like to go with AVGfree, or if it is better to pay I would go there too. I sure need to remove Norton. This last time it restarted it said my subscription expired and it locked up - a big lock screen saying I must activate! And yet now it's back on again. MBAM just found another trojan that it didn't alert on. Need better protection now!! Pls advise
     
  16. 2008/08/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Dion
    AVGFree is a good AV; I'm of the opinion that you get what you pay for. I buy eTrust AV and I have for a number of years. noahdfear also uses eTrust and we both recommend it if you are going to buy an AV.
    http://shop.ca.com/virus/antivirus.aspx

    Whichever one you go with, you will need to run the Norton removal tool before installing any other AV.
    Go here and run the Norton Removal Tool for the product version you have.
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Now we need to do a few things.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O24 - Desktop Component 0: (no name) - http://bp2.blogger.com/_aLkNPLFRQYo/.../Theotokos.jpg <<If you don't know what this is fix it.

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's get an on-line scan.

    Scanning with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  17. 2008/08/08
    Dion

    Dion Inactive Thread Starter

    Joined:
    2005/01/07
    Messages:
    53
    Likes Received:
    0
    I can finally post! Kaspersky lic expire?

    Hello again :confused: I have tried to view and post from the fixed PC, but the thread won't show up, just the multi-pages icon and profile come up!! I finally was able to see the thread on this PC today! Did the ATF; now, trying to run Kaspersky, a Windows msg pop-up said K license expired? Is that real or a virus again? I also looked for the AV link and I found it's now CA. I'll give it a try for sure. Let me know if I should keep trying Kaspersky; to post it I may have to start another thread! Tks!!
     
  18. 2008/08/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Dion
    OK Kaspersky has discontinued that version. Please try this one.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
