Page 1 of 2 12 LastLast
Results 1 to 10 of 19
  1. #1
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0

    Bad Stuff. Here is my Hijack this log, please help.

    My computer is obviously infected, I think it is the Zlob.DNS Changer, could be more than that though as now it has deactivated my Symantec Antivirus software (real time).

    Anyway, I thought about trying to remove this myself as I have done similar things in the past, but this one seems especially nasty and realized it was a better idea to get some help. I will admit that I "fixed" the mmall.exe files which I knew were not there before.

    Any help would absolutely rule. Thanks.


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:40:51 PM, on 12/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\JA\Desktop\HiJackThis_v2.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Microsoft all2] C:\WINDOWS\mmall2.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users\Documents\Settings\ivn4.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: AutoDisc Ware - {89aef01d-d237-49c7-84dc-4e1904c1fd31} - (no file)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 7065 bytes

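    The HijackThis log above is read by hand in this thread; the added script below (not code from the thread or from Trend Micro) parses the same line format and applies a few defender-side triage rules to the entry types that matter here: O4 Run keys launched from a Temp directory or carrying a misleading "Microsoft"/"Explorer" name, O17 NameServer values not on an analyst allow-list, O20 Winlogon Notify DLLs outside system32, and any entry whose file is missing. The allow-list and directory lists are assumptions chosen for this example; 208.67.222.222 and 208.67.220.220 are OpenDNS resolvers, so the thread's own O17 lines produce no finding and a constructed O17 line with the documentation address 192.0.2.53 is included to exercise that rule.

```python
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4", "O17", "O20"
    detail: str   # text after "<section> - "


class Finding(NamedTuple):
    section: str
    reason: str
    detail: str


LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumption: directories from which no legitimate autostart should load.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\",
             "\\documents and settings\\all users\\documents\\")
# Where Winlogon Notify packages and core Windows binaries legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# Assumption: resolvers the analyst has vetted (these two are OpenDNS).
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Run-key names that mimic a Windows component, and the binary they must point at.
EXPECTED_BINARY = {"explorer": "c:\\windows\\explorer.exe"}


def parse(log_text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' lines; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        low = e.detail.lower()
        if low.endswith("(no file)"):
            findings.append(Finding(e.section, "registered component whose file is missing", e.detail))
            continue
        if e.section == "O4":
            m = RUN_RE.match(e.detail)
            if not m:
                continue  # Global Startup .lnk entries are not handled here
            name, cmd = m.group(2).lower(), m.group(3).lower()
            exe_m = re.match(r'"?(.+?\.exe)', cmd)  # path up to the first .exe, quoted or not
            exe = exe_m.group(1) if exe_m else cmd
            if any(d in exe for d in TEMP_DIRS):
                findings.append(Finding("O4", "autostart launched from a temporary directory", e.detail))
            elif name.startswith("microsoft") and not exe.startswith(SYSTEM_DIRS):
                findings.append(Finding("O4", "Microsoft-branded Run entry outside the system directory", e.detail))
            elif name in EXPECTED_BINARY and exe != EXPECTED_BINARY[name]:
                findings.append(Finding("O4", "Run entry impersonates a Windows component", e.detail))
        elif e.section == "O17":
            bad = [ip for ip in IP_RE.findall(e.detail) if ip not in ALLOWED_RESOLVERS]
            if bad:
                findings.append(Finding("O17", "DNS resolver not on the allow-list: " + ", ".join(bad), e.detail))
        elif e.section == "O20":
            dll = e.detail.split(" - ")[-1].lower()
            if not dll.startswith(SYSTEM_DIRS):
                findings.append(Finding("O20", "Winlogon Notify DLL outside system32", e.detail))
    return findings


# Constructed sample: a subset of the first log in this thread plus one made-up
# O17 line (192.0.2.53, RFC 5737 documentation range) to exercise the resolver rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en
O4 - HKCU\..\Run: [Microsoft all2] C:\WINDOWS\mmall2.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users\Documents\Settings\ivn4.dll
O22 - SharedTaskScheduler: AutoDisc Ware - {89aef01d-d237-49c7-84dc-4e1904c1fd31} - (no file)
"""


def triage_log(log_text: str) -> List[Finding]:
    return triage(parse(log_text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.detail}")
```

    Every hit is a review item rather than a verdict: the O20 rule also fires on security products that legitimately register a Winlogon Notify package (the later log's SASWINLO.dll from SUPERAntiSpyware would be flagged), and an O17 entry pointing at OpenDNS is a configuration choice, not evidence of a DNS changer. The point of the script is to pull the handful of lines worth a second look out of a 100-line log.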
  2. #2
    Member steamwiz
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    Hi

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post :-

    1. SUPERAntiSpyware Scan Log
    2. C:\ComboFix.txt
    3. a new hijackthis log.( run after everything else)

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  3. #3
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0


    Cool. Thanks, installing now. Will return with results.

    I am very appreciative!

    777

  4. #4
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0


    O.K., I ran SuperAntiSpyWare, and the results are below. But Combofix didn't seem to want to work all the way. It would get to
    Deleting File/Folders:, and just sit there idle. I let it sit for a few hours, nothing changed. I ran it again after rebooting and got the same results.
    It went through many stages, then at one stage it said "cannot fix...accessed by another program". Or something like that.

    Here is the SASW Scan log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/14/2007 at 06:46 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3361
    Trace Rules Database Version: 1360

    Scan type : Complete Scan
    Total Scan Time : 01:35:19

    Memory items scanned : 322
    Memory threats detected : 0
    Registry items scanned : 4610
    Registry threats detected : 28
    File items scanned : 82329
    File threats detected : 125

    Trojan.SpyFalcon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{89aef01d-d237-49c7-84dc-4e1904c1fd31}

    Trojan.IP6FW/Rootkit
    HKLM\System\ControlSet001\Services\ip6fw
    C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS
    HKLM\System\ControlSet003\Services\ip6fw
    HKLM\System\CurrentControlSet\Services\ip6fw

    Adware.Tracking Cookie
    C:\Documents and Settings\JA\Cookies\ja@clickaider[1].txt
    C:\Documents and Settings\JA\Cookies\ja@www.stopzilla[2].txt
    C:\Documents and Settings\JA\Cookies\ja@revsci[2].txt
    C:\Documents and Settings\JA\Cookies\ja@server.iad.liveperson[1].txt
    C:\Documents and Settings\JA\Cookies\ja@19452074[2].txt
    C:\Documents and Settings\JA\Cookies\ja@richmedia.yahoo[1].txt
    C:\Documents and Settings\JA\Cookies\ja@1072588149[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@2o7[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@3.adbrite[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@a.findarticles[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ad.greenmarquee[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ad.thewheelof[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ad.yieldmanager[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ad.zanox[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ad2.adnetinteractive[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@adecn[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@admarketplace[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@adopt.specificclick[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.adbrite[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.as4x.tmcs.ticketmaster[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.as4x.tmcs[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.belointeractive[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.cnn[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.greenerworldmedia[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.monster[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.planetactive[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.traderonline[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ads.us.e-planning[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@anad.tacoda[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@analytics.clickpathmedia[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@anat.tacoda[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@atwola[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@azoogleads[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@bannerspace[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@banner[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@belnk[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@burstnet[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@caselaw.lp.findlaw[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@client.roiadtracker[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@count4.exitexchange[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@counter.surfcounters[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@cpvfeed[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@data1.perf.overture[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@data2.perf.overture[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@data3.perf.overture[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@dist.belnk[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@drivecleaner[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@eas.apm.emediate[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ecnext.advertserve[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ehg-nestleusainc.hitbox[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@enterprise.clickdefense[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@entrepreneur[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@exitexchange[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@feed.validclick[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@find.intelius[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@findarticles[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@findlaw[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@findnews[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@h.starware[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@homeclick[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@icc.intellisrv[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@images.crossmediaservices[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@interclick[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@kheph777.tripod[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@m1.webstats4u[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@media.hotels[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@media.myfoxdfw[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@media.www.dailytexanonline[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@metareward[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@mlsfinder[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@mvt.traffic[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@my.traffic[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@nextag.co[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@nextag[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@og.advertserve[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@partner2profit[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@primedia.us.intellitxt[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@pt.crossmediaservices[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@qnsr[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@reztrack[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@roi.clicklab[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@roi2.clicklab[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@sales.liveperson[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@sec1.liveperson[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@stats.crossmediaservices[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@stats.drivecleaner[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@stats.manticoretechnology[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@Stats[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@superstats[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@thunderbolt.adjuggler[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@ticketcity[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@track.bestbuy[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@track.searchignite[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@tracking.homeportfolio[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@traffic[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.burstbeacon[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.drivecleaner[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.gamestracker.co[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.homeclick[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.homefinder[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.mlsfinder[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.thirteen[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.ticketcity[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.traffic[1].txt
    C:\Documents and Settings\SAM\Cookies\sam@www.yogafinder[2].txt
    C:\Documents and Settings\SAM\Cookies\sam@xiti[1].txt

    Rootkit.RunTime2/CTLW32
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#DeviceDesc
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Capabilities
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000\LogConf
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#ImagePath
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#Type
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#Start
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#DependOnGroup
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#INITSTARTFAILED

    Rootkit.RunTime2/CTLW32-Installer
    C:\DOCUMENTS AND SETTINGS\JA\LOCAL SETTINGS\TEMP\76343.EXE

    Trace.Known Threat Sources
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\1QVIFXT5\ext_accs[1].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\QVOZ65G3\ext_accs[1].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\KXW8SXQ9\ext_accs[1].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\KLI70XI3\ext_accs[3].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\KLI70XI3\ext_accs[2].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\UP0ZAD8X\ext_accs[1].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\UP0ZAD8X\ext_accs[2].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\KLI70XI3\ext_accs[1].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\UFSN7WLK\oc[1].bin
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\KXW8SXQ9\versions[1].txt
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\1QVIFXT5\ext_accs[2].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\UP0ZAD8X\c2[1].bin
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\SI13T2PK\ext_accs[2].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\1QVIFXT5\ext_accs[3].php
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\QVOZ65G3\id[1].fcgi
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\UFSN7WLK\hr[1].exe
    C:\Documents and Settings\SAM\Local Settings\Temporary Internet Files\Content.IE5\4Z6JI125\gr[1].exe



    ---------Here is the newest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:04, on 2007-12-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\JA\Desktop\HiJackThis_v2.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Microsoft all2] C:\WINDOWS\mmall2.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Microsoft all2] C:\WINDOWS\mmall2.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users\Documents\Settings\ivn4.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 7156 bytes



    My Symantec Antivirus Realtime protection is still disabled.

    Thanks for looking at this.

  5. #5
    Member steamwiz
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    HI Rael

    Even though Combofix did not appear to complete (it may have needed you to reboot, because it was having trouble rebooting on its own, to remove certain files) ... there may still have been a log created ... it will greatly help me to help you, if there is one ... please look here C:\ComboFix.txt & see if there is one ...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  6. #6
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0


    Checked the ComboFix folder and searched for the txt file, but there wasn't one. I may try to uninstall the one I have and reinstall it, then run it again to see what happens.

    I'll try again and get back to you.

    Thanks.

  7. #7
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0


    I downloaded ComboFix again, and when I ran it, I received a message:

    swreg.cfexe - Application Error
    The instructions at "0x7c9111de" referenced memory at 0x0074006c". The memory could not be "read".

    Click OK to terminate the program. -


    I clicked ok. That may be a problem? I don't know.

    Anyway, just wanted to report that.

    ...

  8. #8
    Member
    Join Date
    Dec 2007
    Posts
    10
    Points
    0


    Steam,

    I'm not sure this ComboFix is very good. What's up? I have heard bad things about running it.

    Seems worse now that I have attempted to use it.

    Still won't produce that txt file.

    What's up?

  9. #9
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191


    I'm not sure this ComboFix is very good. What's up? I have heard bad things about running it.
    What have you heard bad about it? It has been used tens of thousands of times.

    Have you been getting help from some place else also?

    Like any other program there can be problems, but it is very rare.

    BG

  10. #10
    Member steamwiz
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    When you get the error and the message which says :-

    Click on OK to terminate the program. ... IGNORE it ... do NOT click OK ... Combofix should still run to completion & produce the log ... this has always been the case with this error in the past ...

    My guess is Combofix is finding a lot of malware on your computer ...

    What do you mean by this :-

    Seems worse now that I have attempted to use it.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
