unclassified.spyware.57

brad schmidt

I am baffled by this one, the only one I have not been able
to whack. Has anyone come up with any new info about this
spyware/malware rascal?

Also, anyone recognize rzrrrr.exe?

Thanks.
 
I saw a file named rpzzr.exe on a client's computer last week, and it
was very hard to remove.

Try this:

1. Download the F-Secure BlackLight rootkit revealer:

http://www.f-secure.com/blacklight/try.shtml

2. Boot in Safe mode.

3. Terminate all suspicious processes.

4. Run BlackLight. If it finds rootkit files, click the Rename
button, which will append ".ren" to their names.

5. Delete any suspicious entries in Msconfig | Startup.

6. Boot in Safe mode with command prompt only and delete the renamed files.

7. Boot in Safe mode with networking, update and run MSAS a couple of
times, and update and run an antivirus program.

Please let us know if that procedure works. I just heard from my
client, and the file might have returned on his computer. I don't
have details yet.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
[I should have posted this earlier, but I just ran HijackThis
for the first time today. Below find the logfile output.]

Logfile of HijackThis v1.99.1
Scan saved at 2:57:30 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rzimnk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE
C:\Documents and Settings\Moonhee\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ps8W3mV] gcdaddin.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzimnk.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winmap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - https://mpi.dacom.net/XPayMPI/Xecure_LiveUpdate_XPayMPIOCX.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\hrj8051ue.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
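
The log above lists every autostart HijackThis found, and the bad entries had to be picked out by eye. The script below is an added example, not HijackThis code and not part of the thread: it parses a handful of lines copied from the log and scores them with rules that are this example's own assumptions (the two small allow-lists of stock Windows XP autostarts, and the weights). It flags the F2 UserInit chain, the O20 Winlogon Notify DLL, the two bare-filename Run entries and the KavSvc entry, and leaves the Symantec, Microsoft AntiSpyware and ctfmon lines alone. Expect false positives on other machines; the output is a review list, not a verdict.

```python
"""Triage a HijackThis v1.99 log for autostart entries worth a second look.

Added example, not HijackThis code. Scoring rules and allow-lists are this
example's own assumptions, tuned to a stock Windows XP SP2 box.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, one entry per line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ps8W3mV] gcdaddin.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzimnk.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winmap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\hrj8051ue.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption: the only system32 programs a stock XP SP2 box starts from a Run key.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "dumprep"}
# Assumption: legitimate XP Run values whose name does not resemble the binary.
KNOWN_NAME_MISMATCHES = {("userfaultcheck", "dumprep")}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def exe_from_cmd(cmd: str) -> str:
    """The program part of a Run command: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def check_userinit(value: str, f: Finding) -> None:
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in programs if basename(p) != "userinit.exe"]
    if extra:  # stock XP lists userinit.exe only; anything else runs at every logon
        f.add(3, f"UserInit chains extra program(s) {extra}")


def check_o4(m: re.Match, f: Finding) -> None:
    name, key, exe = m["name"], m["key"], exe_from_cmd(m["cmd"])
    base = basename(exe)
    stem = base.rsplit(".", 1)[0]
    if "\\" not in exe:
        f.add(2, "bare file name, resolved through the search path at logon")
    if key.lower() == "runservices":
        f.add(1, "RunServices is a Win9x-era key; unusual on XP")
    if "\\system32\\" in exe.lower() and base not in KNOWN_SYSTEM32_AUTOSTARTS:
        f.add(1, f"starts an unexpected binary from system32: {base}")
    n, s = name.lower(), stem.lower()
    related = n[:3] in s or s[:3] in n  # crude: do name and binary share a prefix?
    if not related and (n, s) not in KNOWN_NAME_MISMATCHES:
        f.add(1, f"value name {name!r} does not resemble binary {base!r}")


def check_o20(m: re.Match, f: Finding) -> None:
    # Notify packages load into winlogon.exe (SYSTEM) at every logon, before the shell.
    f.add(2, f"Winlogon Notify package {m['name']!r} loads {basename(m['path'])}")


def triage(log_text: str) -> list:
    """Return Findings with score > 0, highest score first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        f = Finding(line)
        if m := F2_RE.match(line):
            check_userinit(m["value"], f)
        elif m := O4_RE.match(line):
            check_o4(m, f)
        elif m := O20_RE.match(line):
            check_o20(m, f)
        if f.score:
            findings.append(f)
    return sorted(findings, key=lambda x: -x.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

The F2 and O20 hits matter more than their scores suggest: UserInit and Winlogon Notify entries run before the Startup folder and the Run keys, and msconfig's Startup tab does not show them, so cleaning only the O4 lines leaves them in place.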
 
Thanks to both of the previous posters. That KavSvc entry
is what I have also; apparently the software changes the
name of the .exe but stays in the KavSvc folder. I will
try the above and see what I can eradicate.

Brad Schmidt
 
I spent 8 hours on this yesterday. In Safe mode I cleaned
out every user profile, ran HijackThis and stopped all
weird stuff including rzrrrr.exe, which is listed in the
registry as being in a folder kavsvc. I also continually
removed DADD.exe. I then ran the BlackLight program and
found 6 rootkit entries, all just a bunch of random
letters (usually 6) followed by .dll or .exe. I renamed
and deleted all of these. I then ran MS AntiSpyware,
Trend Micro HouseCall, Spybot Search & Destroy, and
Ad-Aware. I then rebooted the machine, and AntiSpyware
notified me that Unclassified.spyware.57 was trying to
install. I let it do it and it put rzrrrr.exe and
dadd.exe (not sure if they are related) back on the
system and in the startup folder. As soon as you block it
with either msconfig or the system stuff in MS AntiSpyware,
it tries to reload immediately. I cannot find the process
or identify the source. Any further ideas?

PS: Oh yeah, I basically did all the above 2 times.

Brad Schmidt
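
One check that narrows down "I cannot find the process or identify the source": export the autostart keys once right after cleanup and again after the reboot, then diff the two exports. Whichever key has been repopulated tells you which component is still alive and rewriting it. The script below is an added example, not the poster's or any tool's code. Its two `reg export` snapshots are constructed to mirror the situation described in the post (a value deleted from Run is back under the same name with a different binary, and UserInit has been re-chained); the key paths are the real XP locations, but the value names, file names and the hex value are illustrative.

```python
"""Diff two `reg export` snapshots of autostart keys to see what came back.

Added example, not from the thread. Both snapshots below are constructed.
"""
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed: snapshot taken right after manual cleanup in Safe mode.
CLEANED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"ExampleBinary"=hex:01,02,\
  03,04
'''

# Constructed: the same keys exported again after one reboot.
REBOOTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"KavSvc"="C:\\WINDOWS\\system32\\rzrrrr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,userinit32.exe"
"ExampleBinary"=hex:01,02,\
  03,04
'''


def _join_continuations(text: str) -> list:
    """Rejoin hex: values that reg export wraps onto several lines ending in a backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        s = raw.rstrip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        lines.append((buf + s.strip()) if buf else s)
        buf = ""
    return lines


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; the default value is stored under ''."""
    keys, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # comment or stray line
        name = "" if m["default"] else _unescape(m["name"])
        data = m["data"]
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; hex:/dword: data is kept as raw text
        keys[current][name] = data
    return keys


def diff_autostarts(before_text: str, after_text: str) -> list:
    """Tuples (change, key, value_name, before_data, after_data) for every difference."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    report = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in a:
                report.append(("removed", key, name, b[name], None))
            elif name not in b:
                report.append(("added", key, name, None, a[name]))
            elif b[name] != a[name]:
                report.append(("changed", key, name, b[name], a[name]))
    return report


if __name__ == "__main__":
    for change, key, name, old, new in diff_autostarts(CLEANED, REBOOTED):
        print(f"{change:8} {key}\n         {name!r}: {old!r} -> {new!r}")
```

On the XP box the snapshots come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run-clean.reg` (and the same for the Winlogon key and HKCU), once before and once after the reboot; real exports are UTF-16, so open them with `encoding="utf-16"` before passing the text in. A value that is re-created under the same name seconds after you delete it points at a resident process, and a re-chained UserInit or a Winlogon Notify entry points at something loaded by winlogon.exe rather than by the Startup folder.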

 
I can't speak to your specific bug, but many of these bugs have three parts,
and you must kill all three pieces simultaneously to get clean.

Don't leave the antivirus vendors out of your protection/testing. I'm glad
you used BlackLight, but you might also use a good online scanner which does
adware as well as viruses, http://houscall.trendmicro.com for example.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Brad Schmidt said:
I spent 8 hours on this yesterday, in safe mode i cleaned
out every user profile, ran hijack this and stopped all
wierd stuff including rzrrrr.exe that is listed in the
registry as being in a folder kavsvc . I also continually
removed DADD.exe. I ran then the blacklight program and
found 6 rootkit entries, all just a bunch of random
letters (usually 6) followed by .dll or .exe. i renamed
and deleted all of these. i then ran MS antispyware,
trend micro house call, spybot search and destroy, and
adaware. i then rebooted the machine, and antispyware
notified me the Unclassified.spyware.57 was trying to
install. i let it do it and it put rzrrrr.exe and
dadd.exe (not sure if they are related) back on the
system and in the startup folder. as soon as you block it
with either msconfig, or system stuff in MSantiSpyware,
it trys to reload immediatley. I cannot find the process
or identify the source. Any Further Ideas?

PS oh yeah, i bascially did all the above 2 times.

Brad Schmidt

-----Original Message-----
Thanks to both of the previous posters. That KavSvc entry
is what i have also, apparently the software changes the
name of the .exe, but stays in the KavSvc folder. I will
try the above and see what i can eradicate.

Brad Schmidt
-----Original Message-----
[i should have posted this earlier but just ran Hijackthis
for first time today. below find the logfile output.]

Logfile of HijackThis v1.99.1
Scan saved at 2:57:30 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rzimnk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE
C:\Documents and Settings\Moonhee\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class -
{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program
Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2 \VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ps8W3mV] gcdaddin.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzimnk.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winmap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {2C197E55-080B-42A4-BFD0-9595B3534CF4} - https://www.vpay.co.kr/KVPplugin01.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - https://mpi.dacom.net/XPayMPI/Xecure_LiveUpdate_XPayMPIOCX.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\hrj8051ue.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

As we continue to fight the arms race here, we will see a convergence of
spyware and virus characteristics with a particular infection. Please submit
a suspected spyware report, then run AV and AS in safe mode in order to help
eradicate a particular threat.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
Bill Sanderson said:
I can't speak to your specific bug--but many of these bugs have three
parts, and you must kill all three pieces simultaneously to get clean.

Don't leave the antivirus vendors out of your protection/testing--I'm glad
you used BlackLight--but you might also use a good online scanner which
does adware as well as viruses--http://houscall.trendmicro.com for
example.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Brad Schmidt said:
I spent 8 hours on this yesterday. In safe mode I cleaned
out every user profile, ran HijackThis and stopped all
weird stuff including rzrrrr.exe, which is listed in the
registry as being in a folder kavsvc. I also continually
removed DADD.exe. I then ran the BlackLight program and
found 6 rootkit entries, all just a bunch of random
letters (usually 6) followed by .dll or .exe. I renamed
and deleted all of these. I then ran MS AntiSpyware,
Trend Micro HouseCall, Spybot Search and Destroy, and
Ad-Aware. I then rebooted the machine, and AntiSpyware
notified me that Unclassified.spyware.57 was trying to
install. I let it do it and it put rzrrrr.exe and
dadd.exe (not sure if they are related) back on the
system and in the startup folder. As soon as you block it
with either msconfig or the system stuff in MS AntiSpyware,
it tries to reload immediately. I cannot find the process
or identify the source. Any further ideas?

PS: oh yeah, I basically did all the above 2 times.

Brad Schmidt

-----Original Message-----
Thanks to both of the previous posters. That KavSvc entry
is what I have also; apparently the software changes the
name of the .exe but stays in the KavSvc folder. I will
try the above and see what I can eradicate.

Brad Schmidt
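Brad's account (block one entry and it reloads at once) and Bill's remark that these bugs have several parts that must be killed together are why a HijackThis log has to be read for the whole persistence set at once. The script below is an added triage example, not from anyone in this thread; it scans entries copied from the log posted above for the three mechanisms visible there: an extra program chained through UserInit (F2), Run/RunServices entries pointing at bare or random-looking executables (O4), and a non-standard Winlogon Notify DLL (O20). The allowlists are hypothetical and deliberately short; a real baseline comes from a known-clean machine.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ps8W3mV] gcdaddin.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzimnk.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winmap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\hrj8051ue.dll
"""

# Hypothetical, deliberately short allowlists (assumption, not a complete list).
KNOWN_SYSTEM32 = {"ctfmon.exe", "userinit.exe"}
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll"}


def looks_random(stem: str) -> bool:
    """Crude test for generated names like rzimnk or hrj8051ue: short, lowercase, digits or mostly consonants."""
    if not re.fullmatch(r"[a-z0-9]{6,10}", stem):
        return False
    if any(c.isdigit() for c in stem):
        return True
    consonants = sum(c not in "aeiou" for c in stem)
    return consonants / len(stem) >= 0.75


def triage(log_text: str) -> list:
    """Return (line, reason) pairs for persistence entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line):
            # Stock XP is "userinit.exe," only; anything else runs at every logon.
            if [p for p in m.group(1).split(",") if p] != ["userinit.exe"]:
                findings.append((line, "extra program chained to logon via UserInit"))
        elif m := re.match(r'O4 - .*?: \[(.*?)\] "?(.*?)"?$', line):
            path = PureWindowsPath(m.group(2))
            if path.parent == PureWindowsPath("."):
                findings.append((line, "bare filename, resolved through PATH"))
            elif path.parent.name.lower() == "system32" and path.name.lower() not in KNOWN_SYSTEM32:
                if looks_random(path.stem.lower()):
                    findings.append((line, "random-looking executable in system32"))
        elif m := re.match(r"O20 - Winlogon Notify: (.*?) - (.*)", line):
            if PureWindowsPath(m.group(2)).name.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append((line, f"Winlogon Notify '{m.group(1)}' loads a non-standard DLL"))
    return findings


if __name__ == "__main__":
    for hit, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {hit}")
```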