Pop-up alerts and Windows Internet Explorer messages

I'm getting several spyware messages in Windows Internet Explorer and "Alert! Adult files found on your PC. Delete files!" on a Windows XP SP2 computer. I've run HJT and SmitFraud scans. See logs. Please review and further assist me. Thanks.
SmitFraudFix v2.274
 
Scan done at 18:51:07.76, 01/25/2008
Run from C:\Documents and Settings\kfountain\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
 
»»»»»»»»»»»»»»»»»»»»»»»» Process
 
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\EqmStart.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\cmd.exe
 
»»»»»»»»»»»»»»»»»»»»»»»» hosts
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\kfountain
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\kfountain\Application Data
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KFOUNT~1\FAVORI~1
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
 
 
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 
 
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
 
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
 
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
 
 
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
 
 
 
»»»»»»»»»»»»»»»»»»»»»»»» DNS
 
Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.200
DNS Server Search Order: 192.168.1.201
 
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer=192.168.1.200,192.168.1.201
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer=192.168.1.200,192.168.1.201
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer=192.168.1.200,192.168.1.201
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
 
 
»»»»»»»»»»»»»»»»»»»»»»»» End
 
 
Logfile of HijackThis v1.99.1
Scan saved at 18:47:29, on 01/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\EqmStart.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\kfountain\Desktop\hijackthis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D40EE62-1CEB-47C6-A1CD-300F4CCFFBAA} - C:\WINDOWS\system32\cscdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\Software\..\Telephony: DomainName = RDL.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer = 192.168.1.200,192.168.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer = 192.168.1.200,192.168.1.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Equinox EV Plus Service (eqmstart) - Equinox Systems Inc. - C:\WINDOWS\system32\EqmStart.Exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


bsbarnettAsked:
rpggamergirl Commented:
O2 - BHO: (no name) - {3D40EE62-1CEB-47C6-A1CD-300F4CCFFBAA} - C:\WINDOWS\system32\cscdl.dll

The above entry is the only obvious bad entry showing there. Usually when Hijackthis fixes that line it also deletes the relevant file, but sometimes it can't so make sure that the file --> C:\WINDOWS\system32\cscdl.dll is gone.


OR: download and run Combofix.
Please download ComboFix by sUBs from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
 
bsbarnettAuthor Commented:
Unfortunately this PC is at a remote site. I started the ComboFix. I disconnected the remote session and connected 15 minutes later, logged the user into the PC. Now I can't connect using the remote app. I will update you tomorrow.
0
 
bsbarnettAuthor Commented:
Here's the log files after ComboFix run.
ComboFix 08-01-23.1C - kfountain 2008-01-25 19:50:33.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.228 [GMT -5:00]
Running from: C:\Documents and Settings\kfountain\Desktop\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\cscdl.dll
C:\WINDOWS\system32\drivers\giidbffm.dat
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_JKFUEJKD
-------\jkfuejkd
 
 
(((((((((((((((((((((((((   Files Created from 2007-12-26 to 2008-01-26  )))))))))))))))))))))))))))))))
.
 
2008-01-25 19:48 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\Nircmd.exe
2008-01-24 21:36 . 2007-12-20 23:11	81,920	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-01-24 21:36 . 2008-01-25 18:51	2,692	--a------	C:\WINDOWS\system32\tmp.reg
2008-01-24 21:04 . 2008-01-24 21:36	<DIR>	d--------	C:\SmitfraudFix
2008-01-24 21:04 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-01-24 21:04 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-01-24 21:04 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-01-24 21:04 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-01-24 21:04 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-01-24 21:03 . 2008-01-24 21:03	1,129,580	--a------	C:\SmitfraudFix.exe
2008-01-24 20:58 . 2008-01-24 20:59	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2008-01-24 12:17 . 2006-09-06 17:43	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-01-24 12:15 . 2008-01-24 12:20	1,374	--a------	C:\WINDOWS\imsins.BAK
2008-01-24 12:14 . 2007-10-10 18:55	6,065,664	---------	C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-24 12:14 . 2007-06-30 22:31	2,455,488	---------	C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-24 12:14 . 2007-06-30 22:36	991,232	---------	C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-24 12:14 . 2007-10-10 18:55	459,264	---------	C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-24 12:14 . 2007-10-10 18:55	383,488	---------	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-24 12:14 . 2007-10-10 18:55	267,776	---------	C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-24 12:14 . 2007-10-10 18:55	63,488	---------	C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-24 12:14 . 2007-10-10 18:55	52,224	---------	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-24 12:14 . 2007-10-10 05:59	13,824	---------	C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-24 12:13 . 2007-08-13 18:54	33,792	--a------	C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-24 10:52 . 2008-01-24 10:52	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-24 10:48 . 2008-01-24 10:48	2,724,328	--a------	C:\ccsetup203.exe
2008-01-24 10:36 . 2008-01-24 11:02	<DIR>	d--------	C:\Program Files\HijackThis 1.99.1
2008-01-24 09:04 . 2008-01-24 11:02	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-01-23 21:57 . 2008-01-23 21:57	<DIR>	d--------	C:\Program Files\Lavasoft
2008-01-23 20:20 . 2008-01-23 20:20	<DIR>	d--------	C:\Program Files\Windows Defender
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 00:53	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-11-26 22:34	---------	d-----w	C:\Program Files\Java
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 14:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 11:30 85184]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 04:00 143360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2005-05-20 10:51 8704 C:\WINDOWS\system32\PCANotify.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1117\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1145\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1161\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1163\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1166\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1167\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
R2 eqmstart;Equinox EV Plus Service;C:\WINDOWS\system32\EqmStart.Exe [2005-12-15 14:39]
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\windrvr.sys [1999-04-29 19:30]
R3 eqn;Equinox SST Driver;C:\WINDOWS\system32\DRIVERS\eqn.sys [2005-12-19 08:20]
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 00:56:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 20:07:20
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-01-25 20:08:20 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-26 01:08:17
 
 
Logfile of HijackThis v1.99.1
Scan saved at 09:28:38, on 01/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\EqmStart.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\kfountain\Desktop\hijackthis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\Software\..\Telephony: DomainName = RDL.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer = 192.168.1.200,192.168.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D312A45-3E75-475C-BBE0-54E8F0029D55}: NameServer = 192.168.1.200,192.168.1.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Equinox EV Plus Service (eqmstart) - Equinox Systems Inc. - C:\WINDOWS\system32\EqmStart.Exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


0
 
rpggamergirlCommented:
Thanks for the logs.

Combofix deleted the bad files showing in your hijackthis log and other file and driver/service.
Just this one below that you can also delete. You can just delete it manually via explorer or using combofix script function.
C:\WINDOWS\imsins.BAK


Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------------------------
File::
C:\WINDOWS\imsins.BAK
--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts.
0
 
bsbarnettAuthor Commented:
I deleted imsins.BAK as you suggested. Things look good. Thanks for your help.
0
 
bsbarnettAuthor Commented:
Thanks for your assistance with this. Haven't seen any strange messages; however, I don't use the PC, it's in a remote office. If a problem occurs Monday during normal business hours, I'll just post another comment.
Thanks again
0
 
rpggamergirlCommented:
No problem, glad to help.
If problem occurs again, just post back.

Thanks!
0
 
bsbarnettAuthor Commented:
Looks like it's happening to another PC (PC2) at the same remote office. Should I be concerned about it being on the server? I ran HJT on PC2, see snippet.
 
Logfile of HijackThis v1.99.1
Scan saved at 13:05:44, on 01/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
S:\Microreporter\REPORTER.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\bmoore\APPLIC~1\RACLE~1\nopdb.exe
C:\WINDOWS\M?crosoft\s?ool32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\bmoore\Desktop\hijackthis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://office.microsoft.com/search/redir.aspx?assetid=HA011359731033&CTT=4&Origin=EC010230061033
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\bmoore\APPLIC~1\RACLE~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Agpiltsk] C:\WINDOWS\M?crosoft\s?ool32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Shortcut to REPORTER.exe.lnk = Microreporter\REPORTER.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\Software\..\Telephony: DomainName = RDL.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ADF8D79-0B99-4C4C-80D6-C948B68F69F5}: NameServer = 192.168.1.200,192.168.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RDL.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9ADF8D79-0B99-4C4C-80D6-C948B68F69F5}: NameServer = 192.168.1.200,192.168.1.201
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 
rpggamergirlCommented:
That logfile is showing entries infected with purityscan; you also need to run combofix on that one and show us the logfile if you need help with it.
Purityscan is just malware, not like viruses or rootkits, but there might be other bad files that are not showing in the logfile; some nasties can hide from a Hijackthis scan.
 
bsbarnettAuthor Commented:
I ran combofix. See log. Have run HJT since combofix scan. Looks like combofix got the nopdb.exe, which was detected by Symantec AV. Thanks again for your help. Should I do anything to the remote server?
ComboFix 08-01-23.1C - bmoore 2008-01-29 23:17:22.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.228 [GMT -5:00]
Running from: C:\Documents and Settings\bmoore\Desktop\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\bmoore\Application Data\RACLE~1
C:\Documents and Settings\bmoore\Application Data\RACLE~1\?racle\
C:\Documents and Settings\bmoore\Application Data\RACLE~1\nopdb.exe
C:\WINDOWS\mcroso~1
C:\WINDOWS\mcroso~1\s?ool32.exe
C:\WINDOWS\system32\byxusst.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljhggg.dll
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\ssqro.dll
 
----- BITS: Possible infected sites -----
 
hxxp://java.sun.com
.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-30  )))))))))))))))))))))))))))))))
.
 
2008-01-29 23:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\Nircmd.exe
2008-01-29 22:13 . 2008-01-29 22:13	<DIR>	d--------	C:\Program Files\Lavasoft
2008-01-29 20:07 . 2006-09-06 17:43	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 20:07 . 2008-01-29 20:08	1,374	--a------	C:\WINDOWS\imsins.BAK
2008-01-29 13:30 . 2008-01-29 13:30	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-29 13:16 . 2008-01-29 13:16	<DIR>	d--------	C:\Program Files\Windows Defender
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 04:21	---------	d-----w	C:\Program Files\Symantec AntiVirus
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 07:44 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Agpiltsk"="C:\WINDOWS\M?crosoft\s?ool32.exe" [ ]
"Tair"="C:\DOCUME~1\bmoore\APPLIC~1\RACLE~1\nopdb.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 16:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 16:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 16:36 114688]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 06:00 143360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50 217193]
Shortcut to REPORTER.exe.lnk - S:\Microreporter\REPORTER.exe [2006-02-03 08:56:02 100864]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2005-05-20 11:51 8704 C:\WINDOWS\system32\PCANotify.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1117\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1145\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1161\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1163\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1166\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2357803701-4047863271-3832774210-1168\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=\\RDL.local\sysvol\RDL.local\scripts\Regional Setting.bat
 
R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\windrvr.sys [1999-04-29 20:30]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a23c5565-9752-11db-aa89-00123fc4aa07}]
\Shell\AutoRun\command - E:\LaunchU3.exe
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 04:24:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 23:33:13
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-01-29 23:34:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-30 04:33:58

 
rpggamergirlCommented:
Okay, so this is the logfile from the other pc. combofix did remove some nasties, yeah, a few vundo/conhook files but mostly purityscan.
Please run this CFScript like you did with the other pc to remove one file and orphaned reg entries.
---------------------------------------------------------
File::
C:\WINDOWS\imsins.BAK

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Agpiltsk"=-
"Tair"=-
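The two tells rpggamergirl reads off the HijackThis log above (the `?` characters in `M?crosoft\s?ool32.exe`, which HijackThis prints for characters it cannot render, and an autostart living under a user's Application Data folder) plus the orphaned Run values the CFScript removes can be checked mechanically. This is an added example, not a tool from the thread: it parses O4 Run lines copied from the log, and the `PRESENT_ON_DISK` set is a constructed stand-in for the XP filesystem so it runs offline.

```python
import os
import re

# O4 Run-key lines copied from the HijackThis log in this thread.
SAMPLE_ENTRIES = [
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\bmoore\APPLIC~1\RACLE~1\nopdb.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Agpiltsk] C:\WINDOWS\M?crosoft\s?ool32.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

# Constructed stand-in for the disk after ComboFix quarantined nopdb.exe and
# s?ool32.exe: only the legitimate targets still exist.
PRESENT_ON_DISK = frozenset({
    r'C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'C:\Program Files\Common Files\Symantec Shared\ccApp.exe',
})

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r'^(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)', re.IGNORECASE)

def target_path(cmd):
    """Pull the executable path out of an O4 command line, quoted or bare."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    return m.group(1) if m else cmd

def assess_run_entry(line, exists=os.path.exists):
    """Return (name, path, reasons) for an O4 Run line, or None if it is not one."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = target_path(m.group('cmd').strip())
    reasons = []
    # HijackThis substitutes '?' for characters it cannot print; a path such as
    # M?crosoft\s?ool32.exe is a look-alike of Microsoft\spool32.exe.
    if '?' in path:
        reasons.append('unprintable/look-alike character in path')
    # On XP, legitimate autostarts rarely run from a user's Application Data.
    if 'APPLIC~1' in path.upper() or '\\APPLICATION DATA\\' in path.upper():
        reasons.append('runs from user Application Data')
    # Once the file is quarantined the Run value is orphaned (CFScript removes it).
    if not exists(path):
        reasons.append('target missing (orphaned entry)')
    return m.group('name'), path, reasons

def suspicious_entries(lines, exists=os.path.exists):
    """Keep only the Run entries that raised at least one reason."""
    results = (assess_run_entry(line, exists) for line in lines)
    return [r for r in results if r and r[2]]

if __name__ == '__main__':
    for name, path, reasons in suspicious_entries(SAMPLE_ENTRIES, PRESENT_ON_DISK.__contains__):
        print(f'{name}: {path} -> {"; ".join(reasons)}')
```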
 
rpggamergirlCommented:
When both pcs are clean everything should be okay.
Just make sure you check for updates often, Windows updates etc.
The second PC's version of java is very vulnerable to vundo and conhook infection, please update to a later or latest version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
 
bsbarnettAuthor Commented:
I have completed your suggestions. Thanks again for your help.
 
rpggamergirlCommented:
No problem, glad to help, ;)