  1. #1
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0

    ieupdr2 virus, mouse click noises

    Hello

    I recently found the ieupdr2 virus icon on my desktop which resulted in my being unable to run in anything but Safe Mode. I ran a SuperAntiSpyware check, which claimed to quarantine problem files and I have since been able to run in normal mode. I know this didn't solve the problem, and now I can hear mouse-click effects independent of my actions (like mentioned in this thread: http://www.help2go.com/component/opt...topic/p,127497)


    I ran Combofix (it hadn't been working before), and HijackThis, so I will post those two logs next. If anyone could help me solve this problem, it would be much appreciated.


    Here's the Combofix log:


    ComboFix 07-11-19.4 - Lawyer 2007-11-26 1:13:38.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.80 [GMT -5:00]
    Running from: C:\Documents and Settings\Lawyer\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
    .

    2007-11-25 14:01 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\Lawyer\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-25 14:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-11-25 14:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-11-25 12:11 d---s---- C:\Documents and Settings\Administrator\UserData
    2007-11-25 01:45 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-25 00:25 d-------- C:\Documents and Settings\Lawyer\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:23 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-25 00:17 41,472 --a------ C:\WINDOWS\mm_tmpregalka.exe
    2007-11-25 00:16 38,400 --a------ C:\WINDOWS\mm_tmpgr.exe
    2007-11-24 23:54 d-------- C:\Program Files\Trend Micro
    2007-11-24 23:04 29 --a------ C:\WINDOWS\system32\oooteeeg.tmp
    2007-11-24 23:03 44 --a------ C:\WINDOWS\system32\p2hhr.bat
    2007-11-24 22:07 d-------- C:\Program Files\QdrModule
    2007-11-24 22:07 d-------- C:\Program Files\QdrDrive
    2007-11-14 12:23 d-------- C:\Program Files\uTorrent
    2007-11-14 12:23 d-------- C:\Documents and Settings\Lawyer\Application Data\uTorrent
    2007-10-30 14:19 d-------- C:\CloneDVDTemp
    2007-10-30 14:15 d-------- C:\Program Files\Elaborate Bytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-25 18:59 41,472 ----a-w C:\WINDOWS\mmregalka.exe
    2007-11-25 18:58 38,400 ----a-w C:\WINDOWS\mmgr.exe
    2007-11-25 17:32 533,504 ----a-w C:\WINDOWS\mm_tmpc2.bin
    2007-11-25 05:18 532,992 ----a-w C:\WINDOWS\mmc2.bin
    2007-09-27 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08]
    "Qlkjdaa"="C:\Documents and Settings\Lawyer\My Documents\W?nSxS\?ti2evxx.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 08:33]
    "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 09:07]
    "PP8 SE Reminder"="C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" [2002-10-28 08:24]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 12:56]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 14:01]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "main"="C:\WINDOWS\System32\drivers\sysdrv.exe" []
    "default"="C:\Documents and Settings\LocalService\scvhost.exe" []
    "Microsoft all"="C:\WINDOWS\mmall.exe" []
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:01]

    C:\Documents and Settings\Lawyer\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-12-08 23:00:00]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-12-08 23:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 10:29:12]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qXnQrjIMs"= {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\WINDOWS\System32\ypgzj.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
    S2 Microsoft Inet Service;Microsoft Inet Service;C:\WINDOWS\System32\_svchost.exe -A
    S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\System32\Drivers\usbhsb.sys
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\System32\Drivers\Brfilt.sys
    S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\System32\Drivers\BrSerWdm.sys
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\System32\Drivers\BrUsbMdm.sys
    S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\System32\Drivers\BrUsbScn.sys

    *Newly Created Service* - AVG7ALRT
    *Newly Created Service* - AVG7CORE
    *Newly Created Service* - AVG7RSW
    *Newly Created Service* - AVG7RSXP
    *Newly Created Service* - AVG7UPDSVC
    *Newly Created Service* - AVGCLEAN
    *Newly Created Service* - AVGEMS
    *Newly Created Service* - AVGTDI
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-22 19:19:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-26 01:15:48
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-26 1:16:25
    .
    --- E O F ---



  2. #2
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0


    and here's the subsequent HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:21:03 AM, on 11/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\mmgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\mmregalka.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.markgreenelaw.com/
    O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [PP8 SE Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Qlkjdaa] "C:\Documents and Settings\Lawyer\My Documents\W?nSxS\?ti2evxx.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [main] C:\WINDOWS\System32\drivers\sysdrv.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [main] C:\WINDOWS\System32\drivers\sysdrv.exe (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Broken Internet access because of LSP provider 'winsck2.dll' missing
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: qXnQrjIMs - {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\WINDOWS\System32\ypgzj.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)

    --
    End of file - 4467 bytes

  3. #3
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    HI

    Please run a Kaspersky Online Scan

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    Click Accept

    You will be prompted to install an ActiveX component from Kaspersky,
    Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Once finished, save the log to your Desktop as filename KAV.txt

    THEN ...

    Go here to run an online scan from ESET.

    http://www.eset.eu/online-scanner

    Note: You will need to use Internet explorer for this scan

    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the activex control to install
    4. Click Start
    5. Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
    6. Click Scan
    7. Wait for the scan to finish
    8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    9. Copy and paste the log into your next reply

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0


    Thanks for the reply.

    Here is the log for the Kaspersky scan:


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, November 27, 2007 1:52:33 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/11/2007
    Kaspersky Anti-Virus database records: 466272
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 42293
    Number of viruses found: 3
    Number of infected objects: 12
    Number of suspicious objects: 0
    Duration of the scan process: 00:47:38

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\Lawyer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
    C:\Documents and Settings\Lawyer\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Temp\off42AC.tmp Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Temp\off42AD.tmp Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Temp\off42AE.tmp Object is locked skipped
    C:\Documents and Settings\Lawyer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Lawyer\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Lawyer\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\update243.exe.vir Infected: Trojan.Win32.Qhost.it skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0005448.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0005449.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006464.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006466.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006468.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006469.exe Infected: Trojan.Win32.Qhost.it skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006470.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006472.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006474.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006476.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006477.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006481.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006487.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006489.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006491.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006501.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP145\A0006503.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0006506.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0006508.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007540.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007612.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007642.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007649.sys Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007658.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007659.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007702.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP146\A0007703.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007706.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007707.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007708.exe Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007709.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007710.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007711.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP147\A0007712.dll Object is locked skipped
    C:\System Volume Information\_restore{6952FCA2-8015-4AEC-A147-CA016396CD64}\RP148\change.log Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\mmregalka.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\WINDOWS\mm_tmpregalka.exe Infected: Trojan-Downloader.Win32.Agent.fip skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped

    Scan process completed.



    And here is the log from the Eset Online Scan.


    # version=4
    # OnlineScanner.ocx=1.0.0.56
    # OnlineScannerDLLA.dll=1, 0, 0, 51
    # OnlineScannerDLLW.dll=1, 0, 0, 51
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=2686 (20071126)
    # vers_arch_module=1.059 (20071108)
    # vers_adv_heur_module=1.064 (20070717)
    # EOSSerial=aa0e7f876c0c244fa699bbd0fddcb869
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2007-11-27 07:15:44
    # local_time=2007-11-27 02:15:44 (-0500, Eastern Standard Time)
    # country="United States"
    # osver=5.1.2600 NT Service Pack 1
    # scanned=104329
    # found=1
    # scan_time=1257
    C:\qoobox\Quarantine\C\WINDOWS\system32\update243.exe.vir a variant of Win32/TrojanDropper.Agent.AKO trojan (unable to clean - deleted) 00000000000000000000000000000000

  5. #5
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    HI

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    C:\WINDOWS\mm_tmpregalka.exe
    C:\WINDOWS\mm_tmpgr.exe
    C:\WINDOWS\system32\oooteeeg.tmp
    C:\WINDOWS\system32\p2hhr.bat
    C:\WINDOWS\mmregalka.exe
    C:\WINDOWS\mmgr.exe 
    C:\WINDOWS\mm_tmpc2.bin 
    C:\WINDOWS\mmc2.bin 
    
    Folder::
    C:\Program Files\QdrModule 
    C:\Program Files\QdrDrive
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}] 
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  
    "Qlkjdaa"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "main"=-
    "default"=-
    "Microsoft all"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
    "qXnQrjIMs"=-
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  6. #6
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0


    Hello again.

    I don't know if it's relevant, but Combofix didn't request a reboot. Anyway, here's the Combofix Log:


    ComboFix 07-11-19.4 - Lawyer 2007-11-27 17:45:10.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.86 [GMT -5:00]
    Running from: C:\Documents and Settings\Lawyer\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lawyer\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\mm_tmpc2.bin
    C:\WINDOWS\mm_tmpgr.exe
    C:\WINDOWS\mm_tmpregalka.exe
    C:\WINDOWS\mmc2.bin
    C:\WINDOWS\mmgr.exe
    C:\WINDOWS\mmregalka.exe
    C:\WINDOWS\system32\oooteeeg.tmp
    C:\WINDOWS\system32\p2hhr.bat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dic.gz
    C:\Program Files\QdrModule\kwd.gz
    C:\WINDOWS\mm_tmpc2.bin
    C:\WINDOWS\mm_tmpgr.exe
    C:\WINDOWS\mm_tmpregalka.exe
    C:\WINDOWS\mmc2.bin
    C:\WINDOWS\mmgr.exe
    C:\WINDOWS\mmregalka.exe
    C:\WINDOWS\system32\oooteeeg.tmp
    C:\WINDOWS\system32\p2hhr.bat

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-27 01:53 d-------- C:\Program Files\EsetOnlineScanner
    2007-11-27 00:55 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-27 00:55 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-25 14:01 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\Lawyer\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-25 14:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-11-25 14:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-11-25 12:11 d---s---- C:\Documents and Settings\Administrator\UserData
    2007-11-25 01:45 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-25 00:25 d-------- C:\Documents and Settings\Lawyer\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:23 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-25 00:17 1 --a------ C:\WINDOWS\system32\rc.dat
    2007-11-25 00:17 1 --a------ C:\WINDOWS\system32\ps1.dat
    2007-11-24 23:54 d-------- C:\Program Files\Trend Micro
    2007-11-24 23:01 570 --a------ C:\WINDOWS\system32\sft.res
    2007-11-24 22:59 1 --a------ C:\WINDOWS\system32\RunOnce.tmp
    2007-11-14 12:23 d-------- C:\Program Files\uTorrent
    2007-11-14 12:23 d-------- C:\Documents and Settings\Lawyer\Application Data\uTorrent
    2007-10-30 14:15 d-------- C:\Program Files\Elaborate Bytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-27 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-26_ 1.15.50.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-25 18:57:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-26 15:02:34 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
    + 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
    + 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
    + 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
    + 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
    + 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 08:33]
    "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 09:07]
    "PP8 SE Reminder"="C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" [2002-10-28 08:24]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 12:56]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 14:01]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:01]

    C:\Documents and Settings\Lawyer\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-12-08 23:00:00]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-12-08 23:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 10:29:12]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "qXnQrjIMs"= {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\WINDOWS\System32\ypgzj.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
    S2 Microsoft Inet Service;Microsoft Inet Service;C:\WINDOWS\System32\_svchost.exe -A
    S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\System32\Drivers\usbhsb.sys
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\System32\Drivers\Brfilt.sys
    S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\System32\Drivers\BrSerWdm.sys
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\System32\Drivers\BrUsbMdm.sys
    S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\System32\Drivers\BrUsbScn.sys

    *Newly Created Service* - AVG7ALRT
    *Newly Created Service* - AVG7CORE
    *Newly Created Service* - AVG7RSW
    *Newly Created Service* - AVG7RSXP
    *Newly Created Service* - AVG7UPDSVC
    *Newly Created Service* - AVGCLEAN
    *Newly Created Service* - AVGEMS
    *Newly Created Service* - AVGTDI
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-22 19:19:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 17:46:59
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-27 17:47:45
    C:\ComboFix2.txt ... 2007-11-26 01:16
    .
    --- E O F ---

    And here's the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:56:30 PM, on 11/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.markgreenelaw.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [PP8 SE Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Broken Internet access because of LSP provider 'winsck2.dll' missing
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: qXnQrjIMs - {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\WINDOWS\System32\ypgzj.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)

    --
    End of file - 4438 bytes

  7. #7
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    Combofix tries several ways to delete files; if it manages to delete the files without having to "delete on reboot", that's fine ...

    Disconnect from the internet. Close ALL browser windows (including this one) - run HijackThis and tick to fix (check the box next to) the list below ... when all are ticked (checked), click the Fix Checked button at the bottom. :-

    O21 - SSODL: qXnQrjIMs - {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\WINDOWS\System32\ypgzj.dll (file missing)

    O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)


    NEXT ...

    1. Download LSPfix from here: http://www.cexx.org/lspfix.htm

    Save it to a folder on your computer.

    2. Click the Lspfix.exe file

    3. If there are any files in the "remove" side (other than the ones we are telling you to put there) make a note of their name, and exit the program with the X in the top right hand corner (do NOT click finish) - post back and tell us the name.... if not then continue ...

    4. Click the "I know what I'm doing" checkbox.

    5. Check all instances of winsck2.dll (and nothing else), and move them to the "Remove" pane (making sure that ONLY this file is in the remove pane).

    6. Click Finish.

    NEXT ...

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    C:\WINDOWS\system32\rc.dat 
    C:\WINDOWS\system32\ps1.dat 
    C:\WINDOWS\system32\sft.res 
    C:\WINDOWS\system32\RunOnce.tmp
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
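    The entries steamwiz picked out above (the O21 SSODL item with a random-looking name and a missing DLL, the O23 service with no owner pointing at a look-alike "_svchost.exe", and the O10 broken LSP chain) are the kind of thing a helper learns to spot by eye. The script below is an added example of doing that triage over HijackThis-style log lines; it is not code from this thread, from HijackThis or from ComboFix. Its sample input is constructed from the lines quoted in this thread, and the KNOWN_SSODL allowlist (assumed to be the Windows XP default ShellServiceObjectDelayLoad names) and SYSTEM_NAMES set are the author's assumptions, not anything the tools themselves define.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Flags the three entry types the thread's helper asked the poster to fix and
shows, by comparing a before and after log, which of them were resolved.
"""
import re
from dataclasses import dataclass

# Assumed list of the ShellServiceObjectDelayLoad items Windows XP registers
# itself; any other name under that key deserves a closer look.
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray", "UPnPMonitor"}

# Windows binaries whose names malware commonly imitates with a prefix/suffix.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Constructed sample: the entries flagged in the thread's first HijackThis log,
# plus one legitimate O23 line for contrast.
SAMPLE_BEFORE = """\
O10 - Broken Internet access because of LSP provider 'winsck2.dll' missing
O21 - SSODL: qXnQrjIMs - {F4224921-5E88-E38B-CB08-3F12C3A72762} - C:\\WINDOWS\\System32\\ypgzj.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\\WINDOWS\\System32\\_svchost.exe (file missing)
"""

# Constructed sample: the same entries after the fix, as in the thread's final
# HijackThis log, where the three bad entries are gone.
SAMPLE_AFTER = """\
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list


def _looks_generated(name: str) -> bool:
    """Heuristic for machine-generated names such as 'qXnQrjIMs':
    few vowels and frequent upper/lower case flips."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return vowels / len(letters) < 0.2 and flips >= 3


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip())[-1].lower()


def triage_line(line: str):
    """Return a Finding for one HijackThis entry, or None if it raises no flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("entry points at a file that is no longer on disk")
    if code == "O10":
        reasons.append("Winsock LSP chain is broken; repair it rather than deleting the entry")
    elif code == "O21":
        # SSODL items load into every Explorer process at logon.
        name = body.split(" - ")[0].replace("SSODL:", "").strip()
        if name not in KNOWN_SSODL:
            reasons.append(f"SSODL item '{name}' is not a Windows default")
        if _looks_generated(name):
            reasons.append(f"SSODL item name '{name}' looks machine-generated")
    elif code == "O23":
        parts = [p.strip() for p in body.split(" - ")]
        if "Unknown owner" in parts:
            reasons.append("service binary carries no publisher information")
        exe = _basename(parts[-1].replace("(file missing)", ""))
        if exe not in SYSTEM_NAMES and exe.strip("_") in SYSTEM_NAMES:
            reasons.append(f"'{exe}' imitates the system binary '{exe.strip('_')}'")
    return Finding(code, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Triage every line of a log; returns only the flagged entries, in order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def compare(before: str, after: str):
    """Flagged entries from the first log that are gone in the second, and
    flagged entries that still remain (compared by full entry text)."""
    before_set = {f.line for f in triage(before)}
    after_set = {f.line for f in triage(after)}
    return sorted(before_set - after_set), sorted(after_set)


if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f.code, "->", "; ".join(f.reasons))
    resolved, remaining = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"resolved: {len(resolved)}, remaining: {len(remaining)}")
```

    Run on the two samples it reports three flagged entries in the first log and none in the second, which is exactly the change between the two HijackThis logs in this thread. The O10 rule deliberately says "repair" rather than "remove": deleting a broken LSP entry by hand is what breaks networking, which is why the helper sends the poster to LSPfix instead of ticking that line.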

  8. #8
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0

    Default

    When I ran Lspfix, it listed one file under "Remove". It was winsck2.dll with a description of (protocol handler).

    Since this was listed, I did not advance to Combofix. Should I do so?

    It also listed three under "keep" (I don't know if these are helpful). They were mswsock.dll, winrnr.dll, and rsupsp.dll.

  9. #9
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    I assume you mean rsvpsp.dll, not rsupsp.dll

    Since it is on the remove side, go ahead and click Finish.

    Run ComboFix.

    BG

  10. #10
    Member
    Join Date
    Nov 2007
    Posts
    7
    Points
    0

    Default

    Quote Originally Posted by Basementgeek
    I assume you mean rsvpsp.dll, not rsupsp.dll
    And my horrendous handwriting rears its ugly head. Sorry about that.

    Here is the Combofix log:


    ComboFix 07-11-19.4 - Lawyer 2007-11-27 21:19:00.8 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.95 [GMT -5:00]
    Running from: C:\Documents and Settings\Lawyer\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lawyer\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\ps1.dat
    C:\WINDOWS\system32\rc.dat
    C:\WINDOWS\system32\RunOnce.tmp
    C:\WINDOWS\system32\sft.res
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ps1.dat
    C:\WINDOWS\system32\rc.dat
    C:\WINDOWS\system32\RunOnce.tmp
    C:\WINDOWS\system32\sft.res

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
    .

    2007-11-27 01:53 d-------- C:\Program Files\EsetOnlineScanner
    2007-11-27 00:55 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-27 00:55 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-25 14:01 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\Lawyer\Application Data\AVG7
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-25 14:01 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-25 14:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-11-25 14:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-11-25 12:11 d---s---- C:\Documents and Settings\Administrator\UserData
    2007-11-25 01:45 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-25 00:25 d-------- C:\Documents and Settings\Lawyer\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:25 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-25 00:23 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-24 23:54 d-------- C:\Program Files\Trend Micro
    2007-11-14 12:23 d-------- C:\Program Files\uTorrent
    2007-11-14 12:23 d-------- C:\Documents and Settings\Lawyer\Application Data\uTorrent
    2007-10-30 14:19 d-------- C:\CloneDVDTemp
    2007-10-30 14:15 d-------- C:\Program Files\Elaborate Bytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-26_ 1.15.50.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-25 18:57:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-28 00:32:17 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-25 18:57:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-28 00:32:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-25 18:57:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-28 00:32:17 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
    + 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
    + 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
    + 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
    + 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
    + 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 08:33]
    "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 09:07]
    "PP8 SE Reminder"="C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" [2002-10-28 08:24]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 12:56]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 14:01]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:01]

    C:\Documents and Settings\Lawyer\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-12-08 23:00:00]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-12-08 23:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 10:29:12]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
    S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\System32\Drivers\usbhsb.sys
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\System32\Drivers\Brfilt.sys
    S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\System32\Drivers\BrSerWdm.sys
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\System32\Drivers\BrUsbMdm.sys
    S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\System32\Drivers\BrUsbScn.sys
    S4 Microsoft Inet Service;Microsoft Inet Service;C:\WINDOWS\System32\_svchost.exe -A

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-22 19:19:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 21:20:59
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-27 21:21:25
    C:\ComboFix2.txt ... 2007-11-27 17:47
    C:\ComboFix3.txt ... 2007-11-26 01:16
    .
    --- E O F ---


    And here is the new HijackThis log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:27:44 PM, on 11/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.markgreenelaw.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [PP8 SE Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 4148 bytes
