Steviebone

June 7, 2007

got ur pm reply... thank you... I await ur latest words of wisdom... and as always thanks a million!

June 6, 2007

Ok Im mad now... lol, I set spyware detector to run again every few hours for a while... the trojan zapchast resurfaced in a restore point file... to my knowledge I have not rebooted since the last scan... so this bugger is re-asserting itself somehow... in fact the only thing run inbetween scans was dss...

c:\system volume information\_restore{2201e7e1-07c6-42bd-9a3d-8ec03be3ea1a}\rp479\a0107864.dll#@#2DBB00F5E171FF1101C350516116DCBC

next to last one added.... this sucker was added minutes before dss was run while I was gone (I was not home at the time).

In all my years of computing I have never run across such a persistant SOB. HELP! :blink:

June 6, 2007

ok I ran the scan... can I upload this file to u rather than post the results to the world? There's some sensitive data there...

Steve

---- edit -----

ok you have a private message with instructions how to find the log...

June 6, 2007

thanks,,,

I will do as u instructed... one update... I ran an indepth scan using Spyware Detector... it found the Zapchast trojan and a keylogger again. I'm getting bounce backs from mail I havent sent so I'm pretty sure theres another dam mailbot on here again.

:angry2:

Funny, avast and nod32 dont pick any of this stuff up! :angry:

Will get back to u... shortly

Thanks again!

June 3, 2007

Hello again... thanks for your previous help... no more rootkits that I know of, however, I have discovered that since disinfection I am having problems with Windows Firewall. After each reboot, some important entries are lost and Remote Assistance is enabled again. I have always had Remote Assistance disabled. In fact, even in services I have all the Remote entries disabled. The services are not being re-enabled, but the Remote Assistance checkbox in Windows Firewall IS being reset each time I reboot as well as most of the other exceptions that had already been set are lost altogether. This seems very nefarious to me.

I ran combofix again, no rootkits found.

Below is a new hijack log:

Logfile of HijackThis v1.99.1

Scan saved at 6:31:12 PM, on 6/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\XP\System32\smss.exe

C:\XP\system32\winlogon.exe

C:\XP\system32\services.exe

C:\XP\system32\lsass.exe

C:\XP\system32\svchost.exe

C:\XP\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\XP\system32\spoolsv.exe

C:\XP\Explorer.EXE

C:\Program Files\Acronis\BackupServer\backupserver.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\XP\system32\nvsvc32.exe

C:\XP\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Eset\nod32kui.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\PTSync\PTSync.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

c:\program files\vvengine\vvengine.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\Ascend\SCM\scm.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll

O4 - HKLM\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKLM\..\RunOnce: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce

O4 - HKCU\..\Run: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup

O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll

O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

PS: I noticed the Windows messenger crap was back... I thought I had that removed... Id like to get rid of that... perhaps that is the culprit... only messaging installed is yahoo

PS2: http://www.myitforum.com/articles/15/view.asp?id=7033 shows how to remove W messenger

May 25, 2007

couldnt find a way to restrcit the scan to c: so I let it run until most of c & d were done and the stopped it. It found three threats, all of which were identifiable by me:

pskill - I use it to kill local process from a batch file before running games

ipscan - I use it to scan my network for open ports

lzx32 - quarantined by combofix (this was the culprit and is zipped up inside the combo quarantine folder)

couple of comments, couple of questions

first, I think I'll hold on to all the handy tools I have used during this process, don't see any need to to trash them... any reason I shouldn't run combofix once in a while? It seemed to find things nothing else did. Which brings me to my next question...

I have installed now on this computer: Avast, Nod32, AVG, Spyware Detector, SpybotS&D, Spysweeper, KeyScrambler, KeyloggerHunter. Avast and Nod32 have always worked together. So far, no problems running Spyware Detector at the same time either. The others I keep unloaded and run a scheduled scan with each of them periodically. When running scans from the others I have to disable everything else first (something I dont like to do since it requires me disconnecting the machine from the Internet for the duration).

I'm wondering why Nod32 and AVAST failed to pick up the rootkit even though in the case of AVAST I used a boot time scan. And, BTW... I could never find a way to to do a boot time scan with Nod32, making it next to useless IMO. Wish I could get my money back on that one.

So in your opinion, what is the best virus scanner to leave active? I really like avasts script scanner and the fact that u can turn on verbose display of real-time scans. This allowed me to spot a yahoo mail virus once that was running undetected by everything. Funny, Avast displayed the running script in the verbose window but failed to identify it as a virus. Nevertheless, has it not been for this feature of Avast I would never have spotted it so easily excepot through careful inspection of syslogs.

More importantly, in trying to understand how the infection got there in the first place... I am VERY careful NEVER to open any emails that I don't already know the origin of... even tho all the emails are scanned on inbound by at least three scanners... the ISP's, Nod32 and Avast. And I never browse the Internet at large and keep the IE settings pretty tight, following the server2003 model.

I use a hardware firewall which is set to reject EVERYTHING that is not explicitly allowed. And I regularly scan my network ports to make sure no holes open up. Of course, the Windows firewall, which also next to useless IMO, was left active. Should I run a software firewall in addition to the hardware one?

Recently, tho, I allowed someone to plug their laptop into my hub for a few minutes. Out of curiosity, I ran a virus check for them. Despite their assurances the system was clean, I found 42 viruses almost immediately (lol). I immediately disconnected the machine...

I had assumed that since the laptop was NOT configured to address my workgroup or domain and had no log on name and passwords that it could NOT communicate with the other computers on the network all of whom have guest access removed, etc. I know that none of the computers were visible to the laptops explorer, etc. However, I must now assume that I am overlooking something... could it be port 80? Could the laptop have infected the only XP machine on the subnet by channeling thru port 80? Seems unlikely since that computer had at least two virus scanners running at the time... As far as I can tell, all the other machines on the subnet are clean (they are all running 2003 server tho). Could the rootkit have proliferated to a neighboring machine without workgroup access and logon credientials?

My new rule: absolutely NO outside machines anywhere on my subnet even for a second.

The only other thing I can think of is that the infection was coincidental and resulted from something I loaded on to the machine that the virus scanners failed to pick up... after all they didn't see it when combofix did. This is the only machine I surf and get email from. That is an intentional design. All of the other computers on the subnet are used for specific purposes and are configured, in most cases, for little or no access to the outside world.

I know this is more security related dialogue, but any comments or suggestions?

Steve

May 24, 2007

lol, will do....

May 24, 2007

kapersky on-line was slower than dog... 1% complete after 6 hours... fook that... donwloaded the latest kaspesky but it wouldnt install as long as I had avast installed... sorry I already paid for avast and I like the script monitoring feature...

May 23, 2007

oops, forgot I had run avenger where I had already killed those files:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fjobmayi

*******************

Script file located at: \??\C:\Program Files\kroancfe.txt

Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\XP\system32\71430B71.exe deleted successfully.

File C:\chdir.bat not found!

Deletion of file C:\chdir.bat failed!

Could not process line:

C:\chdir.bat

Status: 0xc0000034

File C:\XP\system32\drivers\k^nymapg.sys deleted successfully.

File C:\xqsjepbn.bat deleted successfully.

File C:\XP\system32\IE_Backup.reg deleted successfully.

File C:\XP\system32\Windows_Backup.reg deleted successfully.

File C:\XP\system32\startupBackup.reg deleted successfully.

File C:\XP\system\SysSD.dll deleted successfully.

File C:\XP\system32\CloseAll.exe deleted successfully.

File C:\XP\system32\CheckDll.dll deleted successfully.

File C:\XP\iun6002ev.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

May 23, 2007

ok, will do...

the newtasks I created... I was just trying to get the task scheduler to work... wanted to see if I deleted a task and recreated it... but no luck... i have those tasks backed up so I am prolly about to delete all of them... at present they keep trying to run but just generate 'could not start' messages...

will work the java over next...

get back to u later today...

and as always, thanks

May 22, 2007

lol, I just saw the vfp start thing in the registry report which u had me fix with the reg file... that should stop that bad boy from resurfacing, thanks. Can't believe I didnt think to scan the report for mentions of vfp... :wacko:

--- On second look, Y is the CD drive and those files are only on the CD... so something else was running first...

May 22, 2007

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************

Tue 05/22/2007 13:56:46.09

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

May 22, 2007

running the rustbfix thingy again next

May 22, 2007

ok, second combofix scan with all protective programs off did better (see below). Perhaps the combo was picking up on something in spydetector?

Anyway it found no lzx32 this time... curious....

As for the task manager thingy: 0x80090016: Keysey does not exist. I have googled the hell out of that one and tried every fix I could find including deletion of the RSA files, etc. There are no registry entries that MS talks about. I did find a few people complaining about this problem after applying updates.

"Staypuffer" - 2007-05-22 9:58:48 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer

2007-05-21 09:17 5,632 --a------ C:\XP\system32\71430B71.exe

2007-05-21 08:57 <DIR> d-------- C:\RkUnhooker

2007-05-21 01:33 3,968 --a------ C:\XP\system32\drivers\AvgArCln.sys

2007-05-21 01:20 <DIR> d-------- C:\avenger

2007-05-21 00:59 16 --a------ C:\chdir.bat

2007-05-20 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot

2007-05-20 17:18 3,968 --a------ C:\XP\system32\drivers\AvgAsCln.sys

2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\k^nymapg.sys

2007-05-20 14:53 1,075 --a------ C:\xqsjepbn.bat

2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe

2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg

2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg

2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg

2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll

2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe

2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll

2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll

2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector

2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys

2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys

2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys

2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys

2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot

2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot

2007-05-19 18:08 164 --a------ C:\install.dat

2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot

2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy

2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker

2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker

2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google

2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy

2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry

2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap

2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap

2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 14:08:10 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss

2007-05-21 05:50:19 -------- d-----w C:\Program Files\Common Files\Merge Modules

2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google

2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug

2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace

2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD

2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll

2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys

2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys

2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP

2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr

2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2

2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster

2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll

2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll

2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys

2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll

2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup

2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll

2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll

2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace

2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft

2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys

2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO

2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr

2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr

2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr

2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr

2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon

2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software

2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software

2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!

2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll

2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker

2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch

2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe

2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive

2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!

2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys

2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn

2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor

2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone

2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch

2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe

2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon

2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE

2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL

2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\XP\system32\NvCpl.dll" [2005-10-28 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]

AutoRun\command- Y:\vfpstart.exe IE5="vfpstart.hta" IELess="vfpstart.htm"

Contents of the 'Scheduled Tasks' folder

2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job

2007-05-22 10:54:10 C:\XP\tasks\New Task.job

2007-05-22 10:50:00 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job

2007-05-22 11:30:00 C:\XP\tasks\_viceversapr2_task_batch.job

2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_Bills.job

2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job

2007-05-22 11:10:00 C:\XP\tasks\_viceversapr2_task_Eudora.job

2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job

2007-05-22 06:00:00 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_HITSVEN.job

2007-05-22 13:15:00 C:\XP\tasks\_viceversapr2_task_Idisk.job

2007-05-22 13:00:00 C:\XP\tasks\_viceversapr2_task_Links.job

2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job

2007-05-22 09:59:49 C:\XP\tasks\_viceversapr2_task_newag.job

2007-05-22 10:30:00 C:\XP\tasks\_viceversapr2_task_OHITS.job

2007-05-22 11:34:00 C:\XP\tasks\_viceversapr2_task_personal.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_ServersAlive.job

2007-05-22 12:00:53 C:\XP\tasks\_viceversapr2_task_Steviebone.job

2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job

2007-05-22 14:15:00 C:\XP\tasks\_viceversapr2_task_txdot.job

2007-05-22 11:20:00 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-22 10:06:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

********************************************************************

Completion time: 2007-05-22 10:08:30

C:\ComboFix-quarantined-files.txt ... 2007-05-22 10:08

C:\ComboFix2.txt ... 2007-05-22 09:39

C:\ComboFix3.txt ... 2007-05-20 14:38

--- E O F ---

2006-04-26 00:31	  775	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\STAYPU~1\Desktop\Internet Explorer.lnk.vir
2006-05-05 03:30	  300	--a------	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-20 10:22	  77725	--a------	C:\Qoobox\Quarantine\catchme2007-05-20_135445.26.zip
2007-05-22 09:27	  500	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing for volume PrimaryC
Volume serial number is 747C-9F49
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-05-20_135445.26.zip
	|   
	+---C
	|   +---DOCUME~1
	|   |   \---STAYPU~1
	|   |	   \---Desktop
	|   |			   Internet Explorer.lnk.vir
	|   |			   
	|   \---Program Files
	|		   INSTALL.LOG.vir
	|		   
	\---Registry_backups

May 22, 2007

oh and btw, fwiw, somewhere in this whole process my task scheduler got broke... always gives me an 0x80090016 error... tried all the published fixes for it to no avail the taskscheduler can no longer see or set credentials...

May 22, 2007

well chit...

I ran combofix, but I forgot to turn off all my protective programs first. Immediately upon execution spydetector popped up window that said "Rustock.b successfully removed". Then towards the end of the scan another popup saying Trojan.Agent removed. Then combo said disinfecting and rebooting. After reboot, the following log was generated:

"Staypuffer" - 2007-05-22 9:18:29 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

Rootkit driver lzx32 is present. A rootkit scan is required