Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Weird antivirus spam :) (SOLVED) [RESOLVED]

Started by jack5 , Aug 22 2006 05:51 PM

  • This topic is locked This topic is locked

#1
jack5
Posted 22 August 2006 - 05:51 PM

jack5

    Member

  • Member
  • PipPip
  • 15 posts
Hey all, i have installed xp about 2 moths ago, and ever since the 1st week i've been having weird problems with it. First of all i got a iexplore.exe process running when no IE is open. Then my explorer.exe process eats up 30 megs of memory right since startup. Also once in a while a get stupid popups of WindowsAntivirus2006 or something like that, but i already got one installed (Zone Alarm suite). And finally, every time i start my windows it takes from 30secs to 5 mins to get through windows logo ccreen (the 1 where you see the bar). That bout susm it :blink:

my system:
Athlon 3800+
Geforce 7800gt video card
Sata2 200g hdd
and i use a router to connect to the web.

Anyhelp will be very very appreciated.

Here is my highjack log, just in case you'll need one. done about 5 mins ago. And no i have no IE window open(using girefox) but have iexplore.exe running. :whistling:


Logfile of HijackThis v1.99.1
Scan saved at 7:42:47 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\Program Files\Logitech\Desktop Messenger\8876480\Users\John Doe\NewVersion\setup-8876480.exe -ReportOnly
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151171277015
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by jack5, 27 August 2006 - 02:01 PM.

  • 0

Advertisements

#2
Buckeye_Sam
Posted 22 August 2006 - 11:36 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#3
jack5
Posted 23 August 2006 - 01:02 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey, Sam
1st of all thanks for your support :whistling:

I ran vundo fix yesterday (noticed those winantivirus posts right after posting mine :help: ) and it said to have deleted everything except sspql.dll file in system32. I tried to delete at startup, in safe mode, in normal mode --- nada. it just doesnt want to go, all the other files were said to be deleted (but i suspect they'll come back sooner or later...) Also, i noticed vundofix creates a directory where it stores backups of the files it deletes. so i just added .old extension to all of them... just in case... hehe

Right now im at work, but when i will come home ill post the new highjack log and the vundofix log.

Once again thanks for teh help.. great site you have here :blink:

Edited by jack5, 23 August 2006 - 01:03 PM.

  • 0

#4
Buckeye_Sam
Posted 23 August 2006 - 01:09 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Vundo has been a real stinker to deal with lately, but we'll get it all.
Just post the logs when you can and we'll go from there. :whistling:
  • 0

#5
jack5
Posted 23 August 2006 - 04:39 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ok, im back home and here are my vundo log from yesterday after trying to remove vundo and an actual hjt log i just made


VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 8:48:42 PM 8/22/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\ajmlxcbm.exe
C:\WINDOWS\system32\icwnsgxt.exe
C:\WINDOWS\system32\nggbesyr.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ajmlxcbm.exe
C:\WINDOWS\system32\ajmlxcbm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\icwnsgxt.exe
C:\WINDOWS\system32\icwnsgxt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nggbesyr.exe
C:\WINDOWS\system32\nggbesyr.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 9:05:28 PM 8/22/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 9:31:22 PM 8/22/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\opqss.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Performing Repairs to the registry.
Done!


*******************************************************************************
*******************************************************************************
HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 6:38:35 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\Program Files\Logitech\Desktop Messenger\8876480\Users\John Doe\NewVersion\setup-8876480.exe -ReportOnly
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151171277015
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
Buckeye_Sam
Posted 23 August 2006 - 06:02 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com



Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"


C:\WINDOWS\system32\ssqpo.dll


Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.




Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#7
jack5
Posted 23 August 2006 - 06:51 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
when i run killbox, it says:
pendingfilerenameoperations registry data has been removed by external process!

and it doesnt delet the file nor attemps to reboot :whistling: that where im stuck. (deleted the trusted zones links though)

EDIT: just thought of something : do i have to check "unregister dll before deleting" for it to work correctly or (another idea)could this be a regular windows file?

Also i tried the standard file kill option and it did not work....

Edited by jack5, 23 August 2006 - 06:57 PM.

  • 0

#8
Buckeye_Sam
Posted 24 August 2006 - 05:24 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Can you run Vundofix once more for me? It should run on reboot.
Please post the log at C:\vundofix.txt once it completes.

Also post a log from Combofix.
  • 0

#9
jack5
Posted 24 August 2006 - 11:38 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ok here are both logs :blink:
and watta ya know ssqpo.dll got deleted :whistling:



VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 1:15:43 AM 8/25/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 1:22:59 AM 8/25/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqpo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Has been deleted!

Performing Repairs to the registry.
Done!





John Doe - 06-08-25 1:33:35.37
ComboFix 06.08.24 - Running from: C:\Documents and Settings\John Doe\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\John Doe\My Documents\MANTEC~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\WINDOWS\SSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-25 to 2006-08-25 ))))))))))))))))))))))))))))))))))


2006-08-25 01:28 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-08-24 22:11 13,844 --a------ C:\WINDOWS\system32\shymuxba.exe
2006-08-15 15:25 12,308 --a------ C:\WINDOWS\system32\fdbxkjkm.exe
2006-08-14 15:25 2,580 --a------ C:\WINDOWS\system32\cncxfatu.exe
2006-08-14 15:25 12,308 --a------ C:\WINDOWS\system32\lmstmjqq.exe
2006-08-06 16:36 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-28 18:46 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2006-07-28 18:46 75,776 --a------ C:\WINDOWS\zllsputility.exe
2006-07-28 18:46 733,236 --a------ C:\WINDOWS\system32\vete.dll
2006-07-28 18:46 653,072 --a------ C:\WINDOWS\system32\imsinstall.dll
2006-07-28 18:46 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-25 01:32 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-24 17:25 -------- d-------- C:\Documents and Settings\John Doe\Application Data\uTorrent
2006-08-24 16:15 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Adobe
2006-08-22 18:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-22 10:33 -------- d-------- C:\Program Files\Microsoft Games
2006-08-22 10:24 -------- d---s---- C:\Documents and Settings\John Doe\Application Data\Microsoft
2006-08-19 18:56 -------- d-------- C:\Program Files\Wings of POWER II WWII FIGHTERS
2006-08-17 23:38 -------- d-------- C:\Program Files\mIRC
2006-08-16 12:22 -------- d-------- C:\Program Files\Windows Media Player
2006-08-15 12:19 -------- d-------- C:\Program Files\FlashGet
2006-08-13 14:54 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-08-10 01:30 -------- d-------- C:\Program Files\MSXML 4.0
2006-08-10 01:26 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-03 18:17 -------- d-------- C:\Program Files\Return to Castle Wolfenstein
2006-07-28 18:50 -------- d-------- C:\Documents and Settings\John Doe\Application Data\MailFrontier
2006-07-28 18:46 -------- d-------- C:\Program Files\Zone Labs
2006-07-27 17:35 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Ahead
2006-07-24 23:32 65556 --a------ C:\WINDOWS\system32\samuuvut.exe
2006-07-23 22:16 -------- d-------- C:\Documents and Settings\John Doe\Application Data\dvdcss
2006-07-23 22:13 -------- d-------- C:\Program Files\Advanced JPEG Compressor
2006-07-23 22:06 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-07-23 22:05 -------- d-------- C:\Program Files\WinRAR
2006-07-23 22:05 -------- d-------- C:\Program Files\PowerISO
2006-07-23 22:05 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-23 22:05 -------- d-------- C:\Program Files\Microsoft Works
2006-07-23 22:05 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-07-23 22:05 -------- d-------- C:\Program Files\Common Files\System
2006-07-23 22:05 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-07-23 22:05 -------- d-------- C:\Program Files\Common Files
2006-07-20 19:23 -------- d-------- C:\Program Files\Xilisoft
2006-07-18 20:33 -------- d-------- C:\Program Files\Microsoft Office
2006-07-16 23:48 737280 --a------ C:\WINDOWS\iun6002.exe
2006-07-16 00:27 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2006-07-16 00:27 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2006-07-15 23:59 -------- d-------- C:\Program Files\Smart Projects
2006-07-10 19:36 -------- d-------- C:\Program Files\uTorrent
2006-07-08 20:01 -------- d-------- C:\Documents and Settings\John Doe\Application Data\ArcSoft
2006-07-08 19:57 -------- d-------- C:\Program Files\ArcSoft
2006-07-08 19:48 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-08 19:47 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-08 19:46 -------- d-------- C:\Program Files\Adobe
2006-07-08 19:35 -------- d-------- C:\Program Files\Jasc Software Inc
2006-07-08 19:35 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Jasc Software Inc
2006-07-08 19:34 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-07-07 18:42 -------- d-------- C:\Program Files\Nero
2006-07-07 18:42 -------- d-------- C:\Program Files\Common Files\Ahead
2006-06-30 15:48 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Leadertech
2006-06-29 19:43 51472 --a------ C:\WINDOWS\system32\imagecfg.exe
2006-06-29 19:02 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Google
2006-06-29 14:34 2 --a------ C:\WINDOWS\system32\wnscptr.exe
2006-06-28 01:26 -------- d-------- C:\Program Files\On2 Technologies
2006-06-28 01:24 -------- d-------- C:\Program Files\DivX
2006-06-27 19:38 -------- d-------- C:\Program Files\SpywareGuard
2006-06-27 19:28 -------- d-------- C:\Program Files\Lavasoft
2006-06-27 19:28 -------- d-------- C:\Documents and Settings\John Doe\Application Data\Lavasoft
2006-06-27 11:05 -------- d-------- C:\Documents and Settings\John Doe\Application Data\vlc
2006-06-27 10:58 -------- d-------- C:\Program Files\VideoLAN
2006-06-26 01:57 -------- d-------- C:\Program Files\Java
2006-06-25 17:51 -------- d-------- C:\Program Files\EA SPORTS
2006-06-25 16:13 -------- d-------- C:\Documents and Settings\John Doe\Application Data\AdobeUM
2006-06-25 16:11 1561 --a------ C:\Documents and Settings\John Doe\Application Data\AdobeDLM.log
2006-06-25 16:11 0 --a------ C:\Documents and Settings\John Doe\Application Data\dm.ini
2006-06-25 16:10 -------- d-------- C:\Program Files\Yahoo!
2006-06-24 15:06 81920 -r------- C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
2006-06-24 03:13 0 -rahs---- C:\MSDOS.SYS
2006-06-24 03:13 0 -rahs---- C:\IO.SYS
2006-06-24 03:13 0 --a------ C:\CONFIG.SYS
2006-06-24 03:13 0 --a------ C:\AUTOEXEC.BAT
2006-06-23 23:01 62 --ahs---- C:\Documents and Settings\John Doe\Application Data\desktop.ini
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 17:55 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 17:55 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 17:55 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 17:55 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-15 12:14 53248 --a------ C:\WINDOWS\system32\cdh00.dll
2006-06-14 13:49 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-13 00:39 1388544 --a------ C:\WINDOWS\system32\MSVBVM60.dll
2006-06-12 15:22 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-05-31 17:17 32768 --a------ C:\WINDOWS\system32\MetarDownload.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"Logitech Desktop Messenger"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Users\\John Doe\\NewVersion\\setup-8876480.exe -ReportOnly"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintfj32



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060823-203705-544
O15 - Trusted Zone: http://www.winantiviruspro.com
backup-20060823-203705-600
O15 - Trusted Zone: http://download.cdn.winsoftware.com
backup-20060823-203705-344
O15 - Trusted Zone: http://www.winantivirus.com
backup-20060823-203705-241
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
backup-20060823-203705-149
O15 - Trusted Zone: http://www.amaena.com
backup-20060823-203705-846
O15 - Trusted Zone: http://locator.cdn.imageservr.com
backup-20060823-203705-878
O15 - Trusted Zone: http://scanner.sysprotect.com
backup-20060823-203705-145
O15 - Trusted Zone: http://*.systemdoctor.com

Completion time: Fri 08/25/2006 1:34:50.79
ComboFix.txt
  • 0

#10
Buckeye_Sam
Posted 25 August 2006 - 06:21 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I had a feeling Vundofix might pull through for us. :whistling:


Open up Killbox.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\shymuxba.exe
    C:\WINDOWS\system32\fdbxkjkm.exe
    C:\WINDOWS\system32\cncxfatu.exe
    C:\WINDOWS\system32\lmstmjqq.exe
    C:\WINDOWS\system32\samuuvut.exe
    C:\WINDOWS\iun6002.exe
    C:\WINDOWS\system32\wnscptr.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.

===========


Please post a new hijackthis log.
  • 0

Advertisements

#11
jack5
Posted 25 August 2006 - 01:03 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok, i opened killbox chose delete on reboot, it close my windows, restarted it and nothing more happened. I didnt see killbox deleting any files (???)


Anyway here are both log:

__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as John Doe(Administrator)
was started @ Friday, August 25, 2006, 2:51 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\shymuxba.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\fdbxkjkm.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\cncxfatu.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\lmstmjqq.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\samuuvut.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\iun6002.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\wnscptr.exe


I Rebooted @ 2:53:08 PM
Killbox Closed(Exit) @ 2:53:09 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as John Doe(Administrator)
was started @ Friday, August 25, 2006, 2:59 PM






Logfile of HijackThis v1.99.1
Scan saved at 3:03:09 PM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18D070D0-BCD6-4BF8-B13E-83517CEBB7B8} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9C042905-3B21-401D-8279-A1FC0CFCB2DD} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\Program Files\Logitech\Desktop Messenger\8876480\Users\John Doe\NewVersion\setup-8876480.exe -ReportOnly
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner....leanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151171277015
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#12
Buckeye_Sam
Posted 25 August 2006 - 09:00 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Killbox deletes the files on reboot, so you don't actually see it happening.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {18D070D0-BCD6-4BF8-B13E-83517CEBB7B8} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {9C042905-3B21-401D-8279-A1FC0CFCB2DD} - (no file)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner....leanerstart.cab
O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing)


==========


I'd like to get some additional info on a file that seems suspicious to me.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:



    C:\WINDOWS\system32\regsvr32.dll



  • Disable your firewall if you are using one.
  • Click on the submit button
  • Reenable your firewall as soon as you get results.
  • Please post the results in your next reply.

Please post a new hijackthis log also.
  • 0

#13
jack5
Posted 25 August 2006 - 09:48 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
1st of all tnx alot for your help, my pc is running much faster and much more stable now :blink: you are DA BEST :whistling::notworthy:


now... there is no such file in my system32 directory : regsvr32.dll .... there is however a regsvr32.exe is this the one you wanted ?


As usual here is my hew hjt log :help: :
Logfile of HijackThis v1.99.1
Scan saved at 11:48:48 PM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Downloads\software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\Program Files\Logitech\Desktop Messenger\8876480\Users\John Doe\NewVersion\setup-8876480.exe -ReportOnly
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151171277015
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by jack5, 25 August 2006 - 09:50 PM.

  • 0

#14
Buckeye_Sam
Posted 26 August 2006 - 06:27 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
No it's definitely the dll file that I'm concerned about. It's likely that the file is there, but just hidden.

At Jotti, did you try to browse to it, or just paste the filepath?
  • 0

#15
jack5
Posted 26 August 2006 - 12:37 PM

jack5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
i tried both... when i pasted the path --submit button remained disabled ...so i tried browsing for the file and realized that i dont see it in system32 folder.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP