CastleCops, Internet Crime Fighters
[DONE] Root kit: SVC: NDMONPRONTO
Author: PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11,723 posts)
Posted: Mon Apr 14, 2008 8:49 pm

Yes, the best one around today, IMHO, and the one I recommend (and use) is OnlineArmor v2 from TallEmu. There are both free and paid versions. The only difference is that the free has less ability to fine tune the settings. The paid version has many more options. The firewall and HIPS engines are identical. Having said that, most people do not need the additional flexibility the paid version gives them, and the free one is enough.

http://www.tallemu.com

The link to the free version is in the right-hand column of links. Please remember to uninstall all your other firewalls, reboot, delete any remaining folders, reboot again, and then install OA.

Re: sign-up, you should have gotten a confirmation email, which you needed to respond to in order for your sign-up to become effective. What user name did you pick? I can check it for you. If necessary, I can set up an account manually for you.


_________________
Don't read? Can't learn!
Author: Arc (Guest, IP: 209.167.*.*)
Posted: Tue Apr 15, 2008 2:37 pm

PC:

Awesome thanks for the firewall recommendation. I'll be putting it on when I have the chance.

I picked: Arc

I just tried to set up an account using the same name and it said already in use or whatever. So it's sorta in there. However, I never received an email.

If you set it up that would be great. Do you need my email? Thanks.

Regards,

Arc

Author: Arc (Guest, IP: 209.167.*.*)
Posted: Tue Apr 15, 2008 2:44 pm

Quote:
Please remember to uninstall all your other firewalls, reboot, delete any remaining folders, reboot again, and then install OA.


So just Tiny and not Avast? Can they both run at the same time? I know Avast is anti-virus but it seems like OA has anti-virus as well?

Thanks,

Arc

Author: PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11,723 posts)
Posted: Tue Apr 15, 2008 2:55 pm

Hi,

Use the free version of OA or the paid version without A/V, and that will work just fine with Avast!. Neither has any anti-virus.

Regarding your registration, it looks like it was incomplete for some reason. I deleted the user completely, so try to register again, and let me know if that works. Be careful entering your email address, because if it isn't valid, you won't get the confirmation email and that means your registration will not "take".


_________________
Don't read? Can't learn!
Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Tue Apr 15, 2008 3:44 pm

Woot woot, it works! Thanks for the help. :)

Sounds good about OA and Avast. :)

Okay, I doubt I'll have time to do any of this tonight when I get home, long day. I'll post results as soon as I'm able. Thanks PC.

Regards,

Arc

Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Thu Apr 17, 2008 11:12 pm

Okay PC, I did step one and didn't go to the next step, as instructed. Again, sorry for the delay between responses. At least the weekend is coming, so I'll be able to respond faster. Thanks again. :)

Arc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:50 PM, on 17/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\rsvp.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {141D5717-99E7-3392-2378-84655850DA77} - C:\WINNT\system32\sdkdt32.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194763853046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT5\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\MDT5\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT5\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O24 - Desktop Component 0: (no name) - C:\DL\Training\Schedule.htm

--
End of file - 12227 bytes

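Added example, not part of this thread, of the helpers' procedure, or of HijackThis itself: a small Python triage pass over lines copied from the log above. It splits each entry into its section code and body, breaks the O23 service lines into display name, short name, owner and image path, collects the CLSIDs for lookup against a CLSID list, and flags the things an analyst reads first. The flags (a registered file that is missing from disk, a BHO with no name, a service with no publisher string, a Winsock LSP entry, an IE policy restriction) are this example's own assumptions and only mark an entry for review; the function names are hypothetical.

```python
"""First-pass triage of a HijackThis 2.0 log (added example; not from the thread or the tool)."""
import re

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {141D5717-99E7-3392-2378-84655850DA77} - C:\WINNT\system32\sdkdt32.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RNOF]\d+) - (?P<body>.+)$")
# O23 body: "Service: <display> (<short>) - <owner> - <image path>"; the short name is optional.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Return (kind, body) pairs for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def parse_services(entries):
    """Break O23 lines into display name, short name (None if absent), owner and image path."""
    services = []
    for kind, body in entries:
        if kind != "O23":
            continue
        m = SERVICE_RE.match(body)
        if m:
            services.append({"display": m["display"], "short": m["short"],
                             "owner": m["owner"], "path": m["path"]})
    return services


def triage(entries):
    """Flag entries worth a closer look. Returns (kind, reason, body) triples."""
    findings = []
    for kind, body in entries:
        if "(file missing)" in body:
            findings.append((kind, "registered file is missing from disk", body))
        if kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append((kind, "BHO with no name", body))
        if kind == "O23" and " - Unknown owner - " in body:
            findings.append((kind, "service binary carries no publisher string", body))
        if kind == "O10":
            findings.append((kind, "Winsock LSP entry (removing it wrongly breaks networking)", body))
        if kind == "O6":
            findings.append((kind, "IE policy restriction present", body))
    return findings


def clsids(entries):
    """Collect every CLSID (upper-cased, de-duplicated) so it can be checked against a CLSID list."""
    return sorted({c.upper() for _, body in entries for c in CLSID_RE.findall(body)})


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for kind, reason, body in triage(ents):
        print(f"[{kind}] {reason}: {body}")
    for svc in parse_services(ents):
        print(f"service {svc['short'] or svc['display']!r} owner={svc['owner']!r} path={svc['path']}")
    print("CLSIDs to look up:", ", ".join(clsids(ents)))
```

Run as a script it prints the flagged entries, the parsed services and the CLSID list. A flag is a starting point, not a verdict: `ad_elmd.exe` is listed only because its service line has no publisher string, and the O10 line only because LSP entries need care before anything is removed.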
Author: PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11,723 posts)
Posted: Fri Apr 18, 2008 1:08 pm

Hi,

Your HJT log does suggest that you either have, or at least had malware other than the rootkit on your system, so the other steps are very important now to help diagnose and clean your system.

BTW, your HJT log shows you are running both AVG and Avast! real-time scanning. You must totally disable one of them. Running two A/Vs is like running no A/Vs, because they conflict badly. And part of F-Prot is also running, but it shouldn't be a problem. And I will kill it later for you anyway.


_________________
Don't read? Can't learn!
Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Sat Apr 19, 2008 4:55 am

PC:

As for AVG running, that is interesting, because I use msconfig.exe to disable many programs upon start-up. AVG is one of them. Anyways, I checked in the Task Manager and you're correct, there is some stuff running from AVG! I'd rather have Avast running, but I would like to keep AVG for scanning purposes... I can't seem to figure out how to disable it.

I ran the computer in Safe Mode... it takes a long time to boot up. Anyways, I ran SDFix and it gave me this error part way through.

Registry Editor: Cannot import assosfix.reg: Error opening the file. There may be a disk or file system error.

The rest of the operation seemed to work. Granted, everything took longer than the program stated, like a lot longer.

Here is the log (again, I've eliminated the bmp files).


SDFix: Version 1.172
Run by X on Fri 18/04/2008 at 11:48p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\ADDHO.EXE - Deleted
C:\WINNT\SYSTEM32\APIQJ32.EXE - Deleted
C:\WINNT\SYSTEM32\ATLGW.EXE - Deleted
C:\WINNT\SYSTEM32\CRKZ32.EXE - Deleted
C:\WINNT\SYSTEM32\CRUI.EXE - Deleted
C:\WINNT\SYSTEM32\IEME32.EXE - Deleted
C:\WINNT\SYSTEM32\IEWF32.EXE - Deleted
C:\WINNT\SYSTEM32\MFCOC.EXE - Deleted
C:\WINNT\SYSTEM32\SDKAG.EXE - Deleted
C:\WINNT\SYSTEM32\SDKZO32.EXE - Deleted
C:\WINNT\SYSTEM32\SYSUX32.EXE - Deleted
C:\WINNT\SYSTEM32\SYSVL.EXE - Deleted
C:\VDM6.TMP - Deleted
C:\_NIM4711.TMP - Deleted
C:\WINNT\system32\o - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 00:14:28
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 2
hidden files: 14629


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 19 Jul 2003 54 A.SH. --- "C:\redir.sys"
Mon 29 Nov 2004 27,136 ...H. --- "C:\DL\Rugged Training Folder\~WRL0004.tmp"
Mon 29 Nov 2004 32,256 ...H. --- "C:\DL\Rugged Training Folder\~WRL0171.tmp"
Mon 29 Nov 2004 2,882,048 ...H. --- "C:\DL\Rugged Training Folder\~WRL0279.tmp"
Mon 29 Nov 2004 29,696 ...H. --- "C:\DL\Rugged Training Folder\~WRL1207.tmp"
Mon 29 Nov 2004 29,184 ...H. --- "C:\DL\Rugged Training Folder\~WRL1877.tmp"
Mon 29 Nov 2004 28,672 ...H. --- "C:\DL\Rugged Training Folder\~WRL2378.tmp"
Mon 29 Nov 2004 2,882,048 ...H. --- "C:\DL\Rugged Training Folder\~WRL3661.tmp"
Mon 29 Nov 2004 28,160 ...H. --- "C:\DL\Rugged Training Folder\~WRL4034.tmp"
Mon 14 Apr 2003 229,888 ...H. --- "C:\DL\story\~WRL0002.tmp"
Mon 14 Apr 2003 231,424 ...H. --- "C:\DL\story\~WRL1368.tmp"
Mon 14 Apr 2003 232,960 ...H. --- "C:\DL\story\~WRL1577.tmp"
Mon 14 Apr 2003 229,376 ...H. --- "C:\DL\story\~WRL2813.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 9 Sep 2030 1,537 A.SH. --- "C:\WINNT\page files\maxmeg.sys"
Sat 27 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Oct 2003 73,688 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Sat 24 Jan 2004 5,120 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sat 20 Aug 2005 121,237 A..HR --- "C:\Program Files\THQ\Dawn of War\Disk1Check.EXE"

Finished!

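Added example, not part of SDFix, catchme or this thread: a Python parser over a trimmed copy of the SDFix log above. It lists the files SDFix deleted, collapses the hidden service keys catchme printed to one name per service (the same key appears under CurrentControlSet and under ControlSet002, and each is printed twice), reads the summary counts, and flags hidden-attribute files on two heuristics that are this example's own assumptions: a timestamp later than the scan date, and a System+Hidden .sys file outside system32\drivers. The function names are hypothetical.

```python
"""Parse an SDFix log for rootkit triage (added example; not part of SDFix, catchme or the thread)."""
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the SDFix log posted above.
SAMPLE_LOG = r"""
SDFix: Version 1.172
Run by X on Fri 18/04/2008 at 11:48p
Trojan Files Found:
C:\WINNT\SYSTEM32\ADDHO.EXE - Deleted
C:\WINNT\SYSTEM32\APIQJ32.EXE - Deleted
C:\WINNT\system32\o - Deleted
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 00:14:28
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
scan completed successfully
hidden processes: 0
hidden services: 2
hidden files: 14629
Files with Hidden Attributes :
Sat 19 Jul 2003 54 A.SH. --- "C:\redir.sys"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 9 Sep 2030 1,537 A.SH. --- "C:\WINNT\page files\maxmeg.sys"
Sat 20 Aug 2005 121,237 A..HR --- "C:\Program Files\THQ\Dawn of War\Disk1Check.EXE"
"""

DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+) - Deleted$")
# catchme prints each hidden service key as [HKLM\SYSTEM\<control set>\Services\<name>].
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\(?P<name>[^\\\]]+)\]$")
SCAN_DATE_RE = re.compile(r"^Rootkit scan (?P<date>\d{4}-\d{2}-\d{2}) ")
COUNT_RE = re.compile(r"^hidden (?P<what>processes|services|files): (?P<n>\d+)$")
# SDFix hidden-file line: <dow> <d> <Mon> <yyyy> <size> <attrs> --- "<path>"; attrs is a
# five-character column with A/S/H/R at fixed positions and "." where the flag is unset.
HIDDEN_FILE_RE = re.compile(
    r'^[A-Za-z]{3} (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) (?P<size>[\d,]+) '
    r'(?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')


def parse_sdfix(text):
    """Walk the log once and collect deletions, hidden service keys, counts, scan date and hidden files."""
    report = {"deleted": [], "hidden_service_keys": [], "counts": {},
              "scan_date": None, "hidden_files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DELETED_RE.match(line):
            report["deleted"].append(m["path"])
        elif m := SERVICE_KEY_RE.match(line):
            report["hidden_service_keys"].append((m["cs"], m["name"]))
        elif m := SCAN_DATE_RE.match(line):
            report["scan_date"] = datetime.strptime(m["date"], "%Y-%m-%d")
        elif m := COUNT_RE.match(line):
            report["counts"][m["what"]] = int(m["n"])
        elif m := HIDDEN_FILE_RE.match(line):
            mtime = datetime.strptime(f"{m['day']} {m['mon']} {m['year']}", "%d %b %Y")
            report["hidden_files"].append({"path": m["path"], "attrs": m["attrs"], "mtime": mtime,
                                           "size": int(m["size"].replace(",", ""))})
    return report


def hidden_service_names(report):
    """One entry per service name, whichever control set(s) catchme saw it in."""
    return sorted({name.upper() for _, name in report["hidden_service_keys"]})


def control_sets_for(report, name):
    """Which control-set paths the named hidden service was reported under."""
    return sorted({cs for cs, n in report["hidden_service_keys"] if n.upper() == name.upper()})


def suspicious_hidden_files(report):
    """Heuristic flags (this example's assumption, not SDFix's): returns (path, reasons) pairs."""
    flagged = []
    for f in report["hidden_files"]:
        reasons = []
        if report["scan_date"] and f["mtime"] > report["scan_date"]:
            reasons.append("timestamp later than the scan date")
        system_and_hidden = f["attrs"][2] == "S" and f["attrs"][3] == "H"
        low = f["path"].lower()
        if system_and_hidden and low.endswith(".sys") and "\\system32\\drivers\\" not in low:
            reasons.append("System+Hidden .sys outside system32\\drivers")
        if reasons:
            flagged.append((f["path"], reasons))
    return flagged


if __name__ == "__main__":
    rep = parse_sdfix(SAMPLE_LOG)
    print("deleted:", len(rep["deleted"]), "files")
    for name in hidden_service_names(rep):
        print("hidden service:", name, "in", ", ".join(control_sets_for(rep, name)))
    print("catchme counts:", rep["counts"])
    for path, reasons in suspicious_hidden_files(rep):
        print("look at:", path, "->", "; ".join(reasons))
```

Collapsing the keys by name matters because CurrentControlSet is a symbolic link to one of the ControlSet00N keys, so a service registered in both the active set and the last-known-good set shows up more than once in catchme's listing. The future-dated maxmeg.sys line is the kind of filesystem oddity a responder would then inspect by hand; the parser only surfaces it.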
Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Sat Apr 19, 2008 5:39 am

PC:

Might have been premature in saying AVG was running.

From my task manager:

avgamsvr.exe
avgupsvc.exe
avgemc.exe

Not sure if they are AVG or not?

Anyways, I ran combofix.exe and it crashed about 30 sec in and rebooted my computer. Please note I did not hit the mouse, as instructed. Could this have anything to do with Windows 2000?

I guess I'll wait on the HJT log until we... (actually, that will probably be you) figure out what is going on with ComboFix?

Thanks again. :)

Arc

Author: PCBruiser (SRT Team Lead, Forums Admin; joined May 11, 2005; 11,723 posts)
Posted: Sat Apr 19, 2008 1:24 pm

Hi,

Your system does have some major malware issues. The rootkit is probably being used to hide and protect the malware files. This is going to be a bit of a battle.

The files SDFix killed belong to a nasty Trojan generally called Trojan.Agent.bi, and a worm called W32/Sdbot.ftp.worm. AFAIK, the first one is rare, and this is the first case I am aware of where it may possibly be associated with a rootkit. So, I really would like to try to capture the rootkit for analysis to see what it is doing.

Try running ComboFix in Safe Mode and let's see what happens. It might just work. If it doesn't, I am going to try to kill the rootkit using GMER and then go back to ComboFix.

Those running processes files are AVG.


_________________
Don't read? Can't learn!
Author: nosirrah (Security Expert, Special Response Team; joined Apr 19, 2006; 6,293 posts; USA)
Posted: Sat Apr 19, 2008 3:15 pm

Hello Arc

I need a favor. The following backup file was created by SDFix:

C:\SDFix\backups\backups.zip

If you could please attach that zip to a new thread here:

CastleCops Link/f81-Unknown_Files.html

It will appear to you that the attachment has failed, but it hasn't. Non-staff can't see attachments to that forum.

Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Sat Apr 19, 2008 4:26 pm

nosirrah wrote:
> Hello Arc
>
> I need a favor. The following backup file was created by SDFix:
>
> C:\SDFix\backups\backups.zip
>
> If you could please attach that zip to a new thread here:
>
> CastleCops Link/f81-Unknown_Files.html
>
> It will appear to you that the attachment has failed, but it hasn't. Non-staff can't see attachments to that forum.

Done. :)

Arc

Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Sat Apr 19, 2008 4:33 pm

PCBruiser wrote:
> Hi,
>
> Your system does have some major malware issues. The rootkit is probably being used to hide and protect the malware files. This is going to be a bit of a battle.
>
> The files SDFix killed belong to a nasty Trojan generally called Trojan.Agent.bi, and a worm called W32/Sdbot.ftp.worm. AFAIK, the first one is rare, and this is the first case I am aware of where it may possibly be associated with a rootkit. So, I really would like to try to capture the rootkit for analysis to see what it is doing.
>
> Try running ComboFix in Safe Mode and let's see what happens. It might just work. If it doesn't, I am going to try to kill the rootkit using GMER and then go back to ComboFix.
>
> Those running processes files are AVG.

I'll do that and report back in a bit.

How shall I stop the AVG files?

Bit of a side question here, but what are the chances that this may have jumped to my laptop that runs Vista via a USB drive? Also, is it normal to have multiple rundll32.exe running? I saw 3 in my Task Manager on my laptop and I killed two.

Thanks.

Arc

Author: Arc (Corporal; joined Apr 15, 2008; 74 posts; Canada)
Posted: Sat Apr 19, 2008 5:57 pm
Subject: Combo fix log!

PC, you smart! It worked in Safe Mode. :)

Going to do another HJT.


ComboFix 08-04-18.3 - X 2008-04-19 12:44:11.1 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.411 [GMT -7:00]
Running from: C:\Documents and Settings\X\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 12:44 . 08-04-19 12:44 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_184.dat
2008-04-19 01:14 . 08-04-19 01:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_240.dat
2008-04-19 01:09 . 08-04-19 01:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_468.dat
2008-04-19 00:39 . 08-04-19 00:39 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_488.dat
2008-04-18 23:08 . 08-04-18 23:08 <DIR> d-------- C:\WINNT\ERUNT
2008-04-18 23:02 . 08-04-19 00:38 <DIR> d-------- C:\SDFix
2008-04-11 21:20 . 08-04-11 21:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_474.dat
2008-04-11 17:34 . 08-04-11 23:04 250 --a------ C:\WINNT\gmer.ini
2008-03-22 13:57 . 08-03-22 13:57 <DIR> d-------- C:\WINNT\PaltalkScene
2008-03-22 13:57 . 08-03-22 13:57 <DIR> d-------- C:\Program Files\Paltalk Messenger
2008-03-22 13:57 . 08-03-22 14:00 <DIR> d-------- C:\Documents and Settings\X\Application Data\Paltalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 05:55 --------- d-----w C:\Documents and Settings\X\Application Data\AVG7
2008-04-18 02:06 --------- d-----w C:\Program Files\Trend Micro
2008-03-29 22:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:20 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-15 22:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 22:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 22:12 691,545 ----a-w C:\WINNT\unins000.exe
2008-03-08 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 19:39 --------- d-----w C:\Program Files\Microsoft Games
2008-03-08 19:38 --------- d-----w C:\Program Files\Doom 3
2008-03-06 03:41 107,888 ----a-w C:\WINNT\system32\CmdLineExt.dll
2008-03-06 03:05 --------- d-----w C:\Program Files\THQ
2003-04-13 14:57 271 ---h--w C:\Program Files\desktop.ini
2003-04-13 14:57 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-03-10 10:05 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

----a-w           931,420 2004-02-17 06:35:21  C:\DL\passcracker\Ultimate Password Cracker .exe



------- Sigcheck -------

02-07-24 05:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
02-07-24 05:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{141D5717-99E7-3392-2378-84655850DA77}]
C:\WINNT\system32\sdkdt32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [05-08-19 19:34 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NeroCheck"="C:\WINNT\System32\NeroCheck.exe" [02-05-22 14:46 155648]
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" [02-04-20 08:00 364544]
"IPInSightMonitor 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" [02-04-20 08:00 102400]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03-11-25 22:10 335872]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [08-03-29 10:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-10 15:11 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\DL\Training\Schedule.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 01-11-02 10:50 24636 C:\WINNT\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINNT\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bginfo.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bginfo.exe
backup=C:\WINNT\pss\Bginfo.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINNT\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINNT\pss\NetAssistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 04-04-27 15:18 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 08-03-15 15:32 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desk Buddy Lite]
C:\Program Files\Jalco Software\Desk Buddy Lite\DeskBud.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-StopW]
--a------ 05-02-25 11:27 300872 C:\Program Files\FSI\F-Prot\F-StopW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRISK FP-Scheduler]
--a------ 05-02-25 11:27 370504 C:\Program Files\FSI\F-Prot\F-Sched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 05-02-17 09:37 2903636 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEXPLORE.EXE]
--a------ 02-08-29 08:14 91136 C:\Program Files\Internet Explorer\IEXPLORE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 06-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 02-10-31 09:14 327680 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 06-03-29 23:05 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 03-06-08 01:47 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 02-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 08-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 04-02-22 23:44 32881 C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]
C:\DOCUME~1\X\LOCALS~1\Temp\MiniBug.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wapc]
C:\Documents and Settings\X\Application Data\ctln.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

R0 FPA_RTP;FPA_RTP;C:\WINNT\system32\Drivers\FSTOPW.SYS [05-02-25 11:27 ]
R1 fwdrv;Tiny Personal Firewall Driver;C:\WINNT\system32\Drivers\fwdrv.sys [01-10-22 17:54 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-03-29 10:31 ]
S1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [07-03-11 20:26 ]
S1 LUMDriver;LUMDriver;C:\WINNT\system32\drivers\LUMDriver.sys [05-04-23 01:21 ]
S2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 08:34 ]
S2 BBDemon;Backbone Service;C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe [05-01-29 13:12 ]
S2 PPPoEService;PPPoE Service;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe [00-07-11 10:48 ]
S3 AdLM;Autodesk License Manager;C:\WINNT\System32\ad_elmd.exe [00-04-11 20:20 ]
S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [02-03-06 11:44 ]
S3 NTSTAP1;NTSTAP1;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\NTSTAP1.SYS [02-03-06 11:42 ]
S3 RAWESR;RAWESR;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\RAWESR.SYS [02-03-06 11:39 ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\TAPBIND1.SYS [02-03-06 11:42 ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]
\Shell\AutoRun\command - D:\Autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 00:15:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 12:48:14
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 12:58:52
ComboFix-quarantined-files.txt 2008-04-19 19:58:50

Pre-Run: 14,437,662,720 bytes free
Post-Run: 14,467,252,224 bytes free

168

Arc

Corporal

Joined: Apr 15, 2008
Posts: 74
Location: Canada

PostPosted: Sat Apr 19, 2008 6:06 pm    Post subject: 2nd HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:41 PM, on 19/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {141D5717-99E7-3392-2378-84655850DA77} - C:\WINNT\system32\sdkdt32.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX C