  1. Got your PM reply... thank you... I await your latest words of wisdom... and as always, thanks a million!
  2. OK, I'm mad now... lol. I set Spyware Detector to run again every few hours for a while... the trojan Zapchast resurfaced in a restore point file... to my knowledge I have not rebooted since the last scan... so this bugger is re-asserting itself somehow... in fact the only thing run in between scans was DSS... c:\system volume information\_restore{2201e7e1-07c6-42bd-9a3d-8ec03be3ea1a}\rp479\a0107864.dll#@#2DBB00F5E171FF1101C350516116DCBC, next to last one added.... this sucker was added minutes before DSS was run while I was gone (I was not home at the time). In all my years of computing I have never run across such a persistent SOB. HELP!
  3. OK, I ran the scan... can I upload this file to you rather than post the results to the world? There's some sensitive data there... Steve ---- edit ----- OK, you have a private message with instructions on how to find the log...
  4. Thanks... I will do as you instructed... one update... I ran an in-depth scan using Spyware Detector... it found the Zapchast trojan and a keylogger again. I'm getting bounce-backs from mail I haven't sent, so I'm pretty sure there's another damn mailbot on here again. Funny, Avast and Nod32 don't pick any of this stuff up! Will get back to you shortly. Thanks again!
  5. Hello again... thanks for your previous help... no more rootkits that I know of; however, I have discovered that since disinfection I am having problems with Windows Firewall. After each reboot, some important entries are lost and Remote Assistance is enabled again. I have always had Remote Assistance disabled. In fact, even in Services I have all the Remote entries disabled. The services are not being re-enabled, but the Remote Assistance checkbox in Windows Firewall IS being reset each time I reboot, and most of the other exceptions that had already been set are lost altogether. This seems very nefarious to me. I ran ComboFix again, no rootkits found. Below is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:12 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\XP\system32\spoolsv.exe
C:\XP\Explorer.EXE
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\XP\system32\nvsvc32.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PTSync\PTSync.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE
c:\program files\vvengine\vvengine.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Ascend\SCM\scm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll
O4 - HKLM\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\RunOnce: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce
O4 - HKCU\..\Run: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup
O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer =,
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

PS: I noticed the Windows Messenger crap was back... I thought I had that removed... I'd like to get rid of that... perhaps that is the culprit... the only messaging installed is Yahoo.
PS2: http://www.myitforum.com/articles/15/view.asp?id=7033 shows how to remove Windows Messenger.
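A HijackThis log is a flat list of load points, and the useful reading order is not the order HijackThis prints them in. The script below is an added example for this thread, not part of the original post and not a HijackThis feature: it parses the O-entries of a v1.99-style log and pulls out the ones an analyst checks first (Winlogon Notify DLLs, services with no vendor string, RunOnce entries that keep coming back, a static NameServer in the TCP/IP interface key, ActiveX DPF entries with no download URL). The sample log embedded in it is constructed to mirror the shape of the posted one, with an invented 192.0.2.53 NameServer line and Example* names so that every rule fires; the severity labels and the set of stock Winlogon Notify DLLs are the author's assumptions.

```python
"""Triage a HijackThis v1.99 log: pull out the load points an analyst reads
first.  Added example for this thread; not HijackThis code."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "O23"
    severity: str   # "high" > "review" > "note"
    summary: str
    raw: str        # the log line the finding came from


ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = ?(?P<value>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - ?(?P<url>.*)$")

# HijackThis hides the stock XP Winlogon Notify entries itself; WgaLogon.dll
# (Windows Genuine Advantage) is the usual post-SP2 addition.  Assumption:
# extend this set for your own build.
STOCK_NOTIFY = {"wgalogon.dll"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return findings sorted high > review > note, log order within a level."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O23":
            s = SERVICE_RE.match(body)
            if not s:
                continue
            if "(file missing)" in s["path"]:
                # HJT 1.99 splits a quoted ImagePath with arguments at the closing
                # quote and then reports the binary as missing, so this is a note
                # to verify by hand (sc qc <name>), not an orphaned-service alarm.
                findings.append(Finding(code, "note", f"service '{s['name']}' binary not found by HJT: {s['path']}", line))
            elif s["owner"] == "Unknown owner":
                findings.append(Finding(code, "review", f"service '{s['name']}' has no vendor string: {s['path']}", line))
        elif code == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                sev = "note" if _basename(n["path"]) in STOCK_NOTIFY else "review"
                findings.append(Finding(code, sev, f"Winlogon Notify DLL {n['name']} -> {n['path']} (loaded by winlogon.exe at boot, before any desktop)", line))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                # RunOnce is deleted after it fires, so a persistent entry there is
                # being re-created by something and deserves a look.
                sev = "review" if r["key"].lower() == "runonce" else "note"
                findings.append(Finding(code, sev, f"{r['hive']}\\{r['key']}: [{r['name']}] {r['cmd']}", line))
        elif code == "O17":
            v = NAMESERVER_RE.search(body)
            if v:
                value = v["value"].strip(" ,")
                if value:
                    findings.append(Finding(code, "high", f"static DNS server set in registry: {value}", line))
                else:
                    findings.append(Finding(code, "note", "NameServer value present but empty", line))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d and not d["url"].strip():
                findings.append(Finding(code, "note", f"ActiveX DPF '{d['desc']}' has no download URL recorded", line))
    order = {"high": 0, "review": 1, "note": 2}
    findings.sort(key=lambda f: order[f.severity])   # sort is stable
    return findings


def by_severity(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "review": 0, "note": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample in the shape of the posted log (the 192.0.2.53 NameServer
# line and the Example* names are invented so every rule fires).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [trayapp] C:\Program Files\Example\tray.exe -AUTO
O4 - HKLM\..\RunOnce: [cleanup] C:\Program Files\Example\cleanup.exe runonce
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Example Agent (exagent) - Unknown owner - C:\Program Files\Example\agent.exe
O23 - Service: Mail Scanner - Unknown owner - C:\Program Files\Example\mailsv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.severity:6}] {f.code}: {f.summary}")
```

Run it over a saved log with `python hjt_triage.py hijackthis.log`. The "(file missing)" rule is there because of the posted log itself: ashMaiSv.exe, ashWebSv.exe and sqlservr.exe are reported missing only because their ImagePath is quoted and carries arguments, a well-known v1.99 quirk, so that tag on its own is not evidence of an orphaned or hijacked service; `sc qc <service>` shows the real path. The O20 entries are the ones to spend time on regardless of vendor, because a Notify DLL runs inside winlogon.exe with SYSTEM rights at every logon, which is exactly the kind of hook that could put a firewall exception back after each reboot.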
  6. Couldn't find a way to restrict the scan to C:, so I let it run until most of C & D were done and then stopped it. It found three threats, all of which were identifiable by me:
- pskill - I use it to kill local processes from a batch file before running games
- ipscan - I use it to scan my network for open ports
- lzx32 - quarantined by ComboFix (this was the culprit and is zipped up inside the combo quarantine folder)

Couple of comments, couple of questions. First, I think I'll hold on to all the handy tools I have used during this process; I don't see any need to trash them... any reason I shouldn't run ComboFix once in a while? It seemed to find things nothing else did. Which brings me to my next question... I now have installed on this computer: Avast, Nod32, AVG, Spyware Detector, Spybot S&D, Spy Sweeper, KeyScrambler, KeyloggerHunter. Avast and Nod32 have always worked together. So far, no problems running Spyware Detector at the same time either. The others I keep unloaded and run a scheduled scan with each of them periodically. When running scans from the others I have to disable everything else first (something I don't like to do since it requires me disconnecting the machine from the Internet for the duration). I'm wondering why Nod32 and Avast failed to pick up the rootkit even though in the case of Avast I used a boot-time scan. And, BTW... I could never find a way to do a boot-time scan with Nod32, making it next to useless IMO. Wish I could get my money back on that one. So in your opinion, what is the best virus scanner to leave active? I really like Avast's script scanner and the fact that you can turn on verbose display of real-time scans. This allowed me to spot a Yahoo mail virus once that was running undetected by everything. Funny, Avast displayed the running script in the verbose window but failed to identify it as a virus.

Nevertheless, had it not been for this feature of Avast I would never have spotted it so easily, except through careful inspection of syslogs. More importantly, in trying to understand how the infection got there in the first place... I am VERY careful NEVER to open any emails that I don't already know the origin of... even though all the emails are scanned on inbound by at least three scanners... the ISP's, Nod32 and Avast. And I never browse the Internet at large and keep the IE settings pretty tight, following the Server 2003 model. I use a hardware firewall which is set to reject EVERYTHING that is not explicitly allowed. And I regularly scan my network ports to make sure no holes open up. Of course, the Windows firewall, which is also next to useless IMO, was left active. Should I run a software firewall in addition to the hardware one? Recently, though, I allowed someone to plug their laptop into my hub for a few minutes. Out of curiosity, I ran a virus check for them. Despite their assurances the system was clean, I found 42 viruses almost immediately (lol). I immediately disconnected the machine... I had assumed that since the laptop was NOT configured to address my workgroup or domain and had no logon name and passwords, it could NOT communicate with the other computers on the network, all of which have guest access removed, etc. I know that none of the computers were visible to the laptop's Explorer, etc. However, I must now assume that I am overlooking something... could it be port 80? Could the laptop have infected the only XP machine on the subnet by channeling through port 80? Seems unlikely since that computer had at least two virus scanners running at the time... As far as I can tell, all the other machines on the subnet are clean (they are all running 2003 Server though). Could the rootkit have proliferated to a neighboring machine without workgroup access and logon credentials?

My new rule: absolutely NO outside machines anywhere on my subnet, even for a second. The only other thing I can think of is that the infection was coincidental and resulted from something I loaded onto the machine that the virus scanners failed to pick up... after all, they didn't see it when ComboFix did. This is the only machine I surf and get email from. That is an intentional design. All of the other computers on the subnet are used for specific purposes and are configured, in most cases, for little or no access to the outside world. I know this is more security-related dialogue, but any comments or suggestions? Steve
  7. Kaspersky online was slower than a dog... 1% complete after 6 hours... fook that... downloaded the latest Kaspersky but it wouldn't install as long as I had Avast installed... sorry, I already paid for Avast and I like the script monitoring feature...
  8. Oops, forgot I had run Avenger, where I had already killed those files:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fjobmayi

*******************

Script file located at: \??\C:\Program Files\kroancfe.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\XP\system32\71430B71.exe deleted successfully.
File C:\chdir.bat not found!
Deletion of file C:\chdir.bat failed!
Could not process line:
C:\chdir.bat
Status: 0xc0000034
File C:\XP\system32\drivers\k^nymapg.sys deleted successfully.
File C:\xqsjepbn.bat deleted successfully.
File C:\XP\system32\IE_Backup.reg deleted successfully.
File C:\XP\system32\Windows_Backup.reg deleted successfully.
File C:\XP\system32\startupBackup.reg deleted successfully.
File C:\XP\system\SysSD.dll deleted successfully.
File C:\XP\system32\CloseAll.exe deleted successfully.
File C:\XP\system32\CheckDll.dll deleted successfully.
File C:\XP\iun6002ev.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  9. OK, will do... the new tasks I created... I was just trying to get the task scheduler to work... wanted to see if I deleted a task and recreated it... but no luck... I have those tasks backed up, so I am probably about to delete all of them... at present they keep trying to run but just generate 'could not start' messages... will work the Java over next... get back to you later today... and as always, thanks
  10. lol, I just saw the vfpstart thing in the registry report which you had me fix with the reg file... that should stop that bad boy from resurfacing, thanks. Can't believe I didn't think to scan the report for mentions of vfp... --- On second look, Y is the CD drive and those files are only on the CD... so something else was running first...
  11. *************************
Rustock.b-fix v. 1.01 -- By ejvindh
*************************
Tue 05/22/2007 13:56:46.09
No Rustock.b-rootkits found
*******************************
End of Logfile
********************************
  12. Running the rustbfix thingy again next.
  13. OK, the second ComboFix scan with all protective programs off did better (see below). Perhaps the combo was picking up on something in Spyware Detector? Anyway, it found no lzx32 this time... curious.... As for the task manager thingy: 0x80090016: Keyset does not exist. I have googled the hell out of that one and tried every fix I could find, including deletion of the RSA files, etc. There are none of the registry entries that MS talks about. I did find a few people complaining about this problem after applying updates.

"Staypuffer" - 2007-05-22 9:58:48 Service Pack 2
ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer
2007-05-21 09:17 5,632 --a------ C:\XP\system32\71430B71.exe
2007-05-21 08:57 <DIR> d-------- C:\RkUnhooker
2007-05-21 01:33 3,968 --a------ C:\XP\system32\drivers\AvgArCln.sys
2007-05-21 01:20 <DIR> d-------- C:\avenger
2007-05-21 00:59 16 --a------ C:\chdir.bat
2007-05-20 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot
2007-05-20 17:18 3,968 --a------ C:\XP\system32\drivers\AvgAsCln.sys
2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\k^nymapg.sys
2007-05-20 14:53 1,075 --a------ C:\xqsjepbn.bat
2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe
2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg
2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg
2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg
2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll
2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe
2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll
2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll
2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector
2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys
2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys
2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys
2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys
2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot
2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot
2007-05-19 18:08 164 --a------ C:\install.dat
2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot
2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy
2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker
2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker
2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google
2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy
2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry
2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap
2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap
2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 14:08:10 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss
2007-05-21 05:50:19 -------- d-----w C:\Program Files\Common Files\Merge Modules
2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google
2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug
2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace
2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD
2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll
2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys
2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys
2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP
2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr
2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2
2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster
2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll
2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll
2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys
2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll
2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup
2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll
2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll
2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace
2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft
2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys
2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO
2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr
2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr
2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr
2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr
2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon
2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software
2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software
2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!
2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat
2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll
2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker
2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch
2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe
2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive
2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!
2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys
2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn
2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor
2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone
2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch
2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe
2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon
2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE
2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL
2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\XP\system32\NvCpl.dll" [2005-10-28 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
AutoRun\command- Y:\vfpstart.exe
IE5="vfpstart.hta"
IELess="vfpstart.htm"

Contents of the 'Scheduled Tasks' folder
2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job
2007-05-22 10:54:10 C:\XP\tasks\New Task.job
2007-05-22 10:50:00 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job
2007-05-22 11:30:00 C:\XP\tasks\_viceversapr2_task_batch.job
2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_Bills.job
2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job
2007-05-22 11:10:00 C:\XP\tasks\_viceversapr2_task_Eudora.job
2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job
2007-05-22 06:00:00 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job
2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_HITSVEN.job
2007-05-22 13:15:00 C:\XP\tasks\_viceversapr2_task_Idisk.job
2007-05-22 13:00:00 C:\XP\tasks\_viceversapr2_task_Links.job
2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job
2007-05-22 09:59:49 C:\XP\tasks\_viceversapr2_task_newag.job
2007-05-22 10:30:00 C:\XP\tasks\_viceversapr2_task_OHITS.job
2007-05-22 11:34:00 C:\XP\tasks\_viceversapr2_task_personal.job
2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_ServersAlive.job
2007-05-22 12:00:53 C:\XP\tasks\_viceversapr2_task_Steviebone.job
2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job
2007-05-22 14:15:00 C:\XP\tasks\_viceversapr2_task_txdot.job
2007-05-22 11:20:00 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 10:06:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-22 10:08:30
C:\ComboFix-quarantined-files.txt ... 2007-05-22 10:08
C:\ComboFix2.txt ... 2007-05-22 09:39
C:\ComboFix3.txt ... 2007-05-20 14:38
--- E O F ---

2006-04-26 00:31 775 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\STAYPU~1\Desktop\Internet Explorer.lnk.vir
2006-05-05 03:30 300 --a------ C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-20 10:22 77725 --a------ C:\Qoobox\Quarantine\catchme2007-05-20_135445.26.zip
2007-05-22 09:27 500 --a------ C:\Qoobox\Quarantine\catchme.log

Folder PATH listing for volume PrimaryC
Volume serial number is 747C-9F49
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   catchme2007-05-20_135445.26.zip
    |
    +---C
    |   +---DOCUME~1
    |   |   \---STAYPU~1
    |   |       \---Desktop
    |   |               Internet Explorer.lnk.vir
    |   |
    |   \---Program Files
    |           INSTALL.LOG.vir
    |
    \---Registry_backups
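ComboFix's "Files Created" section is a timeline, and the quickest way to read one is to group entries created within a few minutes of each other: an installer, a Windows Update and a dropper each leave a burst, and a burst with a Program Files directory in it explains itself while a two-file burst of a kernel driver plus a batch file at the drive root does not. The script below is an added example for this thread, not ComboFix code and not from the original post. It parses lines in the same format as the listing above, chains them into bursts, and marks the bursts that contain a driver under \drivers\, a script at a drive root, or a randomly named executable. The sample listing is constructed (file names invented) to resemble the posted log; the 10-minute window and the name heuristic are the author's own and will misfire on legitimately terse names.

```python
"""Timeline triage of a ComboFix 'Files Created' listing.  Added example for
this thread; not ComboFix code."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# 2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\name.sys
# 2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".scr"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js"}
SUSPICIOUS = {"driver", "root-script", "random-name"}


@dataclass
class Entry:
    ts: datetime
    path: str
    is_dir: bool


@dataclass
class Burst:
    start: datetime
    end: datetime
    entries: list[Entry] = field(default_factory=list)
    reasons: set[str] = field(default_factory=set)


def parse_created(log_text: str) -> list[Entry]:
    """Keep only 'Files Created' lines (the Find3M section has seconds and a
    different attribute column, so it does not match) and sort oldest first."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                             m["path"].strip(), m["attrs"].startswith("d")))
    return sorted(out, key=lambda e: e.ts)


def looks_random(stem: str) -> bool:
    """Crude generated-name heuristic: 8 hex digits, or almost no vowels.
    Author's assumption; terse legitimate names such as nvsvc32 trip it."""
    if re.fullmatch(r"[0-9a-f]{8}", stem, re.I):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2


def classify(e: Entry) -> set[str]:
    reasons = set()
    p = e.path.lower()
    if "\\program files\\" in p:
        reasons.add("installer-like")     # a neighbour that explains the burst
    if e.is_dir:
        return reasons
    name = p.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    if ext == ".sys" and "\\drivers\\" in p:
        reasons.add("driver")             # kernel code, loads before user-mode AV
    if ext in SCRIPT_EXT and re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.add("root-script")        # scripts dropped at C:\ are rarely installer output
    if ext in EXEC_EXT and looks_random(stem):
        reasons.add("random-name")
    return reasons


def bursts(log_text: str, window_minutes: int = 10) -> list[Burst]:
    """Chain entries into bursts: a new entry joins the current burst if it was
    created within `window_minutes` of the burst's last entry."""
    window = timedelta(minutes=window_minutes)
    result: list[Burst] = []
    for e in parse_created(log_text):
        if result and e.ts - result[-1].end <= window:
            b = result[-1]
            b.end = e.ts
        else:
            b = Burst(e.ts, e.ts)
            result.append(b)
        b.entries.append(e)
        b.reasons |= classify(e)
    return result


def flagged(bs: list[Burst]) -> list[Burst]:
    return [b for b in bs if b.reasons & SUSPICIOUS]


# Constructed sample in the format of the listing above; file names invented.
SAMPLE = r"""
2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer
2007-05-21 09:17 5,632 --a------ C:\XP\system32\4F2A9C11.exe
2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\qzxkvtr.sys
2007-05-20 14:53 1,075 --a------ C:\wqpxzt.bat
2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\exavfs.sys
2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\exavkbd.sys
2007-05-19 18:14 <DIR> d-------- C:\Program Files\ExampleAV
2007-05-19 18:08 164 --a------ C:\install.dat
2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for b in bursts(text):
        mark = "!!" if b.reasons & SUSPICIOUS else "  "
        print(f"{mark} {b.start:%Y-%m-%d %H:%M}..{b.end:%H:%M} {len(b.entries):2} files {sorted(b.reasons)}")
        for e in b.entries:
            print(f"      {e.path}")
```

Run it over a saved ComboFix.txt with `python cf_bursts.py ComboFix.txt`. Read the output as events rather than files: a flagged burst that also carries "installer-like" (a driver created a minute after a Program Files directory appeared, as with the 18:08 to 18:15 group in the sample) is usually an AV or tool install and can be checked against what you installed at that time, while a flagged burst with no such neighbour is the one to take to the helper first. The "driver" reason matters most, because a .sys under \drivers\ is loaded by the kernel at boot and a user-mode scanner started later sees only what the driver lets it see, which is one reason an on-demand scan can come up clean on a box that keeps reinfecting itself.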
  14. Oh, and BTW, FWIW, somewhere in this whole process my task scheduler got broken... it always gives me a 0x80090016 error... I tried all the published fixes for it to no avail; the task scheduler can no longer see or set credentials...