I will check on that...I am certain there is some way this can be done.
Judy
ComboFix ran, rebooted into Normal Mode, and created C:\Combofix.txt. But this is showing up as a BATCH file, not a text file, to Windows. That makes me nervous, but is probably normal; however, before I open it to copy it here, I want to make SURE that's normal.
Right... what I see is a batch file that is called "combofix.txt". That's why I got worried. In other words, it has the .bat icon (the window with the gear in it), and not the text file icon (the notepad).
Thanks for clearing the other log, too.
No worries!
You do not even need to open that .txt file if you don't want to - Just upload it as an attachment using the "manage attachments" button below....
I saw evidence of a few nasty trojans in the log I removed - not sure if they are remnants of what you guys already cleaned - couldn't look closely - I'm juggling a bunch of things at the moment.
We'll see what the combofix log tells us.
I will be back tomorrow evening if you guys are still having problems.
Best
PP
Okay, so it appears I overreacted, since the 90+ trojans have got me questioning most every file I don't recognize. Here's the log, which popped up of its own accord:
"Owner" - 2007-05-14 22:07:05 Service Pack 2 [SAFE MODE]
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Owner\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\1314734.exe
C:\WINDOWS\2515765.exe
C:\WINDOWS\3716453.exe
C:\WINDOWS\4917171.exe
C:\WINDOWS\6117859.exe
C:\WINDOWS\7318578.exe
C:\WINDOWS\9129837.exe
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Temp\17O7\tmpTF.log
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\ws386.ini
C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\159x.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\inetget2
C:\Temp\17O7
C:\Temp\tn3
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ASPI113210
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DRIVER
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NEW_DRV
-------\LEGACY_WINCOM32
-------\Driver
-------\Network Monitor
-------\new_drv
-------\RpcApi
-------\ÿÿÿÿÀÿwindbg48
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))
2007-05-13 11:16 <DIR> d-------- C:\!KillBox
2007-05-11 23:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TrojanHunter
2007-05-11 23:32 <DIR> d-------- C:\TrojanHunter 4.6
2007-05-11 13:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-11 11:19 3,072 --a------ C:\WINDOWS\system32\keylog.dll
2007-05-11 11:15 <DIR> d-------- C:\HijackThis199
2007-05-09 20:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-09 20:44 <DIR> d-------- C:\AVG Anti-Spyware 7.5
2007-05-09 00:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-08 23:51 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-08 23:51 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-08 23:51 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-08 14:41 2,624 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-08 13:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-08 10:55 179,200 --a------ C:\WINDOWS\system32\flash.exe
2007-05-08 10:55 177,152 --a------ C:\WINDOWS\system32\click.exe
2007-05-08 10:54 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-08 10:54 <DIR> d-------- C:\Program Files\Ofb11
2007-05-07 23:29 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2007-05-07 23:29 73,728 --a------ C:\WINDOWS\system32\lffax13n.dll
2007-05-07 23:29 453,120 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-05-07 23:29 445,440 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-05-07 23:29 388,608 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-05-07 23:29 265,216 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-05-07 23:29 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2007-05-07 23:29 206,848 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-05-07 23:29 154,112 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-05-07 23:29 142,848 --a------ C:\WINDOWS\system32\lftif13n.dll
2007-05-07 23:29 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2007-05-07 23:29 <DIR> d-------- C:\Program Files\MFInstall
2007-05-07 14:19 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-05-07 14:17 6,684,672 --a------ C:\WINDOWS\system32\atioglx1.dll
2007-05-07 14:17 <DIR> d-------- C:\Diamond
2007-04-28 10:47 <DIR> d-------- C:\Gadwin Systems
2007-04-17 14:44 <DIR> d--h----- C:\DOCUME~1\Owner\APPLIC~1\Move Networks
2007-04-14 00:06 <DIR> d-------- C:\Program Files\Virtools
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-11 18:22:58 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-05-11 16:13:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-05-08 03:51:02 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-04-10 00:25:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SAS
2007-04-02 22:48:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-02 03:59:04 -------- d-----w C:\Program Files\Common Files\Real
2007-03-24 17:58:35 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\UseNeXT
2007-03-24 17:40:24 71,168 ----a-w C:\WINDOWS\ijl11.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-13 02:17:52 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-13 02:17:52 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Roxio
2007-03-13 02:07:34 -------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-03-13 02:03:05 -------- d-----w C:\Program Files\Lexmark
2007-03-13 02:02:23 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-01 02:17:28 286,720 ----a-w C:\WINDOWS\iun506.exe
2007-02-27 05:21:40 17 ----a-w C:\WINDOWS\popcinfo.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2004-08-30 19:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2005-01-10 11:20]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"CTSysVol"="C:\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinFast Schedule"="C:\\WinFast\\WFTVFM\\WFWIZ.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
@=""
"ATIMACE"="MACE.exe"
"THGuard"="\"C:\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [])
"CTSysVol"="C:\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"P17Helper"="P17.dll" [2005-05-03 19:38 C:\WINDOWS\system32\P17.dll])
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"WinFast Schedule"="C:\WinFast\WFTVFM\WFWIZ.exe" [2005-12-21 15:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-11 13:12]
"@"="" [])
"ATIMACE"="MACE.exe" [])
"THGuard"="C:\TrojanHunter 4.6\THGuard.exe" [2007-05-11 20:01]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 12:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ttool"="C:\\WINDOWS\\9129837.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk
C:\PROGRA~1\BigFix\BigFix.exe /atstartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^cisco systems vpn client.lnk
C:\VPNCLI~1\vpngui.exe "-user_logon"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^d-link airplus g dwl-g120 wireless usb.lnk
C:\PROGRA~1\D-LINK~1\120UTIL.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aol fast start
"C:\Program Files\America Online 9.0\AOL.EXE" -b
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aol spyware protection
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atipta
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chotkey
zHotkey.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\controlpanel
C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehtray
C:\WINDOWS\ehome\ehtray.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explorer32
C:\WINDOWS\system32\efsdfgxg.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hostmanager
C:\Program Files\Common Files\AOL\1123358120\ee\AOLSoftware.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpdj taskbar utility
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphmon04
C:\WINDOWS\system32\hphmon04.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphupd04
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\is cfgwiz
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagentexe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcupdateexe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pinnacledrivercheck
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plaxoupdate
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe -a
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
%WINDIR%\SMINST\RECGUARD.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
%WINDIR%\Creator\Remind_XP.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\remotecontrol
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxiodragtodisc
"C:\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxwatchtray
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run
C:\WINDOWS\inet20099\services.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spysheriff
C:\Program Files\SpySheriff\SpySheriff.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssc_userprompt
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stickit
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stickit note launcher (required to load stickit notes on windows startup)
C:\Stickit\StickItLauncher.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunkistem
C:\Program Files\Digital Media Reader\shwiconem.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunserver
C:\CounterSpy\Consumer\sunserver.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urllstck.exe
C:\Program Files\Norton Internet Security\UrlLstCk.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows installer
C:\winstall.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system
C:\WINDOWS\inet20099\services.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_antispyware
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=dword:00000002
"svcWRSSSDK"=dword:00000002
"RoxWatch"=dword:00000002
"RoxUpnpServer"=dword:00000002
"RoxUPnPRenderer"=dword:00000003
"RoxMediaDB"=dword:00000003
"RoxLiveShare"=dword:00000002
"AOL TopSpeedMonitor"=dword:00000002
"AOL ACS"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
Usnsvc usnsvc\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K]
Shell\AutoRun\command K:\LaunchU3.exe -a
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\Z]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070513-174500-742
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
backup-20070513-174305-613
O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
backup-20070513-174305-593
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{0BECA80B-B388-4AE3-AF65-66E87AAB161E}.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 22:21:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-14 22:25:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-14 22:25
OK - Combofix removed a bunch.
Also, those drivers/services listed are fairly nasty! Hopefully they have been completely removed. You have/had a lot of nasty crap on this machine....
Also looks like a few baddies have been stopped from running via MSCONFIG - You guys'll need to weed them out and remove them.
Gotta run - Back tomorrow.
Best Luck!
PP
Hey Judy -- Run Bill James' RegSearch and have it look for the following and post the results:
ASPI113210
CMDSERVICE
CORE
DRIVER
NETWORK_MONITOR
NEW_DRV
WINCOM32
Network Monitor
new_drv
RpcApi
windbg48
Last edited by PhilliePhan; 05-14-2007 at 10:49 PM.
Not sure exactly what you mean:
"Also looks like a few baddies have been stopped from running via MSCONFIG - You guys'll need to weed them out and remove them."
Thanks so much for your help so far!
Happy to help! Wish I had more time these days, but very busy.
Judy knows what I am referring to:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\controlpanel
C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explorer32
C:\WINDOWS\system32\efsdfgxg.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run
C:\WINDOWS\inet20099\services.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spysheriff
C:\Program Files\SpySheriff\SpySheriff.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows installer
C:\winstall.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system
C:\WINDOWS\inet20099\services.exe
These have been stopped from running, but they should be completely removed.
G'Night!
PP
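As an added example (not code from the thread or from any tool mentioned in it), the PowerShell below lists the entries MSCONFIG has disabled and checks whether each target file is still on disk, which is the distinction PP is drawing. It assumes the MSCONFIG layout under HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\startupreg with the command line kept in a value named `command`, and an elevated PowerShell prompt on the affected machine.

```powershell
# Added example for this thread, not a tool PP or Judy posted. MSCONFIG "disables" a Run
# entry by moving it under ...\Shared Tools\MsConfig\startupreg\<name> and keeping its
# command line there (assumed value name: "command"); the file itself stays on disk.
# Read-only: it reports, it does not delete.

$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MsConfig\startupreg'

function Get-CommandExecutable {
    param([string] $CommandLine)
    # Expand %WINDIR% and friends, then isolate the executable: a quoted path, or the
    # unquoted text up to the first .exe/.com/.bat/.cmd/.scr followed by a space or the end
    # (handles "C:\Program Files\...\x.exe /flag" and "cmd32.exe internat.dll,..." alike).
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-DisabledStartupItems {
    param([string] $Path = $StartupReg)
    if (-not (Test-Path -Path $Path)) { return }
    foreach ($key in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $key.PSPath
        $exe = Get-CommandExecutable -CommandLine ([string]$props.command)
        # A bare file name (e.g. zHotkey.exe) is resolved through PATH, as the loader would.
        $resolved = if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            (Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1).Source
        } else { $exe }
        [pscustomobject]@{
            Name        = $key.PSChildName
            Command     = $props.command
            Executable  = $resolved
            StillOnDisk = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        }
    }
}

# Entries with StillOnDisk = True are exactly the "stopped but not removed" case.
Get-DisabledStartupItems | Sort-Object StillOnDisk -Descending | Format-Table -AutoSize -Wrap
```

Items reported as still on disk need the file removed (and the startupreg key cleaned up) before they are gone for good; an unknown name with a system32 or %WINDIR% subfolder path is worth checking against the ComboFix deletions list above.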
Download regsrch.zip to your Desktop.
1. Unzip the contents of RegSrch.zip to a convenient location.
2. Double-click on RegSrch.vbs.
3. If you have an anti-virus installed it might prompt you about a running script.
4. Please ignore this warning and allow the script to run.
5. In the "Enter search string (case insensitive) and click OK..." box, paste each string:
ASPI113210
CMDSERVICE
CORE
DRIVER
NETWORK_MONITOR
NEW_DRV
WINCOM32
Network Monitor
new_drv
RpcApi
windbg48
6. Click "OK" to search the registry for that string.
7. Wait for a few minutes while it completes the search.
8. Click "OK" to open the results in WordPad.
9. Copy and paste the entire results into your next post.
Do the above. I will get back with you shortly on those msconfig items. What PP means is that those items were disabled using msconfig, but they are still on the machine.
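The RegSrch step above, carried out in PowerShell as an added example that is not RegSrch.vbs or any other tool from the thread: it walks the registry and reports every key name, value name or string value containing one of PP's search strings, case-insensitively as RegSrch does, and writes the hits to a text file for posting. It assumes an elevated PowerShell prompt; the hive roots searched and the output file name are choices made here.

```powershell
# Added example, not RegSrch.vbs. Searches key names, value names and string data for
# PP's strings. CORE and DRIVER are substrings of many legitimate names, so expect noise:
# review hits against the ComboFix deletions list, do not delete on sight.

$SearchStrings = @(
    'ASPI113210', 'CMDSERVICE', 'CORE', 'DRIVER', 'NETWORK_MONITOR',
    'NEW_DRV', 'WINCOM32', 'Network Monitor', 'new_drv', 'RpcApi', 'windbg48'
) | Sort-Object -Unique   # matching is case-insensitive, so NEW_DRV/new_drv collapse

# HKEY_USERS has no default PSDrive; map it so every loaded user hive is searched too.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$Roots = @('HKLM:\SYSTEM\CurrentControlSet', 'HKLM:\SOFTWARE', 'HKCU:\', 'HKU:\')

function Find-RegistryStrings {
    param(
        [Parameter(Mandatory)] [string[]] $Strings,
        [Parameter(Mandatory)] [string[]] $RootPaths
    )
    foreach ($root in $RootPaths) {
        # SilentlyContinue skips keys this account cannot read (SAM, SECURITY, other users).
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            # Hit on the key's own name, e.g. ...\Services\windbg48 or LEGACY_WINCOM32.
            foreach ($s in $Strings) {
                if ($key.PSChildName -like "*$s*") {
                    [pscustomobject]@{ Match = $s; Key = $key.Name; ValueName = ''; Data = '' }
                }
            }
            # Hit on value names and on REG_SZ/REG_EXPAND_SZ/REG_MULTI_SZ data (ImagePath, Run...).
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $text = if ($data -is [string[]]) { $data -join ' ' } else { [string]$data }
                foreach ($s in $Strings) {
                    if ($valueName -like "*$s*" -or $text -like "*$s*") {
                        [pscustomobject]@{ Match = $s; Key = $key.Name; ValueName = $valueName; Data = $text }
                    }
                }
            }
        }
    }
}

# Plain-text report on the Desktop, ready to paste into the thread (step 9 above).
$Report = Join-Path $env:USERPROFILE 'Desktop\regsearch-results.txt'
Find-RegistryStrings -Strings $SearchStrings -RootPaths $Roots |
    Sort-Object Key, ValueName -Unique |
    Format-Table -AutoSize -Wrap |
    Out-File -FilePath $Report -Width 300
Write-Host "Results written to $Report"
```

A full walk of HKLM:\SOFTWARE takes a few minutes, matching step 7 of the instructions.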