New Problem...

Steviebone · June 3, 2007

Hello again... thanks for your previous help... no more rootkits that I know of, however, I have discovered that since disinfection I am having problems with Windows Firewall. After each reboot, some important entries are lost and Remote Assistance is enabled again. I have always had Remote Assistance disabled. In fact, even in services I have all the Remote entries disabled. The services are not being re-enabled, but the Remote Assistance checkbox in Windows Firewall IS being reset each time I reboot as well as most of the other exceptions that had already been set are lost altogether. This seems very nefarious to me.

I ran combofix again, no rootkits found.

Below is a new hijack log:

Logfile of HijackThis v1.99.1

Scan saved at 6:31:12 PM, on 6/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\XP\System32\smss.exe

C:\XP\system32\winlogon.exe

C:\XP\system32\services.exe

C:\XP\system32\lsass.exe

C:\XP\system32\svchost.exe

C:\XP\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\XP\system32\spoolsv.exe

C:\XP\Explorer.EXE

C:\Program Files\Acronis\BackupServer\backupserver.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\XP\system32\nvsvc32.exe

C:\XP\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Eset\nod32kui.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\PTSync\PTSync.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

c:\program files\vvengine\vvengine.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\Ascend\SCM\scm.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll

O4 - HKLM\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKLM\..\RunOnce: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce

O4 - HKCU\..\Run: [speedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup

O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll

O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

PS: I noticed the Windows messenger crap was back... I thought I had that removed... Id like to get rid of that... perhaps that is the culprit... only messaging installed is yahoo

PS2: http://www.myitforum.com/articles/15/view.asp?id=7033 shows how to remove W messenger

Edited June 3, 2007 by Steviebone

jwbirdsong · June 4, 2007

Don't I know you from somewhere?? :lol:

First let me apologize for kinda of "losing" you over the holiday weekend. I know we had thought you were about resolved but you had asked some questions that I never got around to answering.

Just as a reminder

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Download

Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.

2. Double-click on dss.exe to run it, and follow the prompts.

3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized

4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply.

Let's have a look a few things.

Steviebone · June 6, 2007

thanks,,,

I will do as u instructed... one update... I ran an indepth scan using Spyware Detector... it found the Zapchast trojan and a keylogger again. I'm getting bounce backs from mail I havent sent so I'm pretty sure theres another dam mailbot on here again.

:angry2:

Funny, avast and nod32 dont pick any of this stuff up! :angry:

Will get back to u... shortly

Thanks again!

Steviebone · June 6, 2007

ok I ran the scan... can I upload this file to u rather than post the results to the world? There's some sensitive data there...

Steve

---- edit -----

ok you have a private message with instructions how to find the log...

Edited June 6, 2007 by Steviebone

Steviebone · June 6, 2007

Ok Im mad now... lol, I set spyware detector to run again every few hours for a while... the trojan zapchast resurfaced in a restore point file... to my knowledge I have not rebooted since the last scan... so this bugger is re-asserting itself somehow... in fact the only thing run inbetween scans was dss...

c:\system volume information\_restore{2201e7e1-07c6-42bd-9a3d-8ec03be3ea1a}\rp479\a0107864.dll#@#2DBB00F5E171FF1101C350516116DCBC

next to last one added.... this sucker was added minutes before dss was run while I was gone (I was not home at the time).

In all my years of computing I have never run across such a persistant SOB. HELP! :blink:

Edited June 6, 2007 by Steviebone

Steviebone · June 7, 2007

got ur pm reply... thank you... I await ur latest words of wisdom... and as always thanks a million!

jwbirdsong · June 12, 2007

Well I guess since it's been 3 yrs since you posted this question i'll get areound to answering it now...Although I'm afraid I'm gonna ask more questions than give answers just now.

When you are getting the Zapchast trojan warning is it JUST in _restore or elsewhere too?? Give locations if possible.

The Firewall/Remote issue is not surprising as they are closelt related AND often affected by various infections.

The following steps will reset to the DEFAULT settings.

Copy the following to a new Notepad and save to the Desktop as "fwdef.reg" Make sure to use the quotes when you are naming the file, just like I typed it, else it will not run.

Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\ 0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

If saved correctly it will have an icon like

Right click on fwdef.reg and choose Merge> answer Yes to Are you sure you.......... Close the window.

Go to Start>Run>type cmd and hit Enter.

Enter the following line

netsh firewall reset

Close THAT window..

Now on a reboot does every thing still change now??

Let's see if we make any progess on this issue before we move on to some others.

I'm again able to respond in a timely manner now so you won't have to wait 9 months for a reply

PS thanks for your kind words in PM.

Sign In

New Problem...

Recommended Posts

Steviebone

Link to post

Share on other sites

jwbirdsong

Link to post

Share on other sites

Steviebone

Link to post

Share on other sites

Steviebone

Link to post

Share on other sites

Steviebone

Link to post

Share on other sites

Steviebone

Link to post

Share on other sites

jwbirdsong

Link to post

Share on other sites

Join the conversation

Browse

Activity