Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Dialer.Trojan and Toolbar888


  • Please log in to reply

#1
crusaderofrock

crusaderofrock

    New Member

  • Member
  • Pip
  • 7 posts
Hello, I'm a newbie here. My frustrations with Dialer.Trojan has led me here. I was infected by this trojan and Toolbar888 recently. I think I have eliminated Toolbar888 using AVG Anti Spyware, but I'm not completely sure that my system has been flushed of Toolbar888. What I'm certain of is that Dialer.Trojan is still in the system. It has been futile using Norton antivirus and other programs, they just fail to remove the darned thing.

Below is a post of my Hijack This log. Note that this is a company laptop. Any help will be greatly appreciated. FYI, I'll be posting my own laptop's Hijack This log in a new thread soon because I think my own laptop has been infected too. Again, thanks in advance for the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:23:07 AM, on 10/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.709\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...asp?hide_tabs=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kworld.kpmg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sound Pilot] "C:\Program Files\Sound Pilot\SndPilot.exe"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D426A0A6-D2E5-4C28-9C43-50BB6D558B8E}: NameServer = 202.188.0.132,202.188.1.5
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winije32 - C:\WINDOWS\SYSTEM32\winije32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
  • 0

Advertisements


#2
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
crusaderofrock,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you don't understand something please ask before performing any task..


Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Thanks,
rstones12
  • 0

#3
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, this is the result of the scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:07:00 PM, on 10/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...asp?hide_tabs=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kworld.kpmg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sound Pilot] "C:\Program Files\Sound Pilot\SndPilot.exe"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D426A0A6-D2E5-4C28-9C43-50BB6D558B8E}: NameServer = 202.188.0.132,202.188.1.5
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winije32 - C:\WINDOWS\SYSTEM32\winije32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
  • 0

#4
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
crusaderofrock,

OK, thanks. Now lets move on.

Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you don't understand something please ask before performing any task..

We need to download a few programs first, then we will move on.

Please download the Killbox by Option^Explicit and save it to your desktop. Do not run it just yet, we will shortly.

Please download ATF Cleaner by Atribune and save this to your desktop as well.
This program is for XP and Windows 2000 only


Now open HijackThis and perform a scan only, then place a checkmark next to each of the following items:

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe

O20 - Winlogon Notify: winije32 - C:\WINDOWS\SYSTEM32\winije32.dll

Now close all browsers and open windows except for HijackThis, then click the Fix Checked button. Once that completes close HijackThis.

Go to MyComputer and find and remove the following:

C:\PROGRA~1\PRINTV~1\ < -- Folder

It will be in your C:\PROGRAM FILES\ directory

Now lets run Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\winije32.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Once your restarted your computer post a new HijackThis log by using Add Reply

Thanks,
rstones12
  • 0

#5
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay, I've done all the steps listed here. Smooth going, no messages such as "PendingFileRename..." or "Component xxxxx or one of its components not correctly registered...". Below is my Hijack This log after all the steps. Appreciate what you're doing, man.

Logfile of HijackThis v1.99.1
Scan saved at 3:22:03 PM, on 10/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program

Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins

.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7

DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\KPMG\Global

Desktop\MBL\Base\MBLTrigger.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Symantec_Client_Security\Symantec

AntiVirus\vptray.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.

exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar = http://www.kworld.kpmg.com/

usearch/usearch.asp?hide_tabs=1
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.kworld.kpmg.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.kworld.kpmg

.com
R1 - HKCU\Software\Microsoft\Internet Connection

Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Microsoft Internet Explorer

provided by KPMG
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.

ins
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87

D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0

\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4

DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv

.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9

FAA-8377850BF205} - C:\Program Files\Free Download

Manager\iefdmcks.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64

B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0

\en-us\msntb.dll
O4 - HKLM\..\Run: [vptray] C:\Program

Files\Symantec_Client_Security\Symantec

AntiVirus\vptray.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1

\LManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1

\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1

\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32

\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32

\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32

\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program

Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32

\ctfmon.exe
O4 - HKCU\..\Run: [Sound Pilot] "C:\Program Files\Sound

Pilot\SndPilot.exe"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet

Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet

Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free

Download Manager - file://C:\Program Files\Free Download

Manager\dlall.htm
O8 - Extra context menu item: Download selected with

Free Download Manager - file://C:\Program Files\Free

Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free

Download Manager - file://C:\Program Files\Free Download

Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel

- res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5

-00401C608501} - C:\Program Files\Java\jre1.5.0_06

\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5

C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-

3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.

DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46

ef-9331-5C8D4460577F} - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281

CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.

kpmg.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com (

HKLM)
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (

HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com

(HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com

(HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (

HKLM)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-

squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (

dlControl.UserControl1) - http://www.livemetallica.com/

nugster/dlControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D426A0A6-D2E5-

4C28-9C43-50BB6D558B8E}: NameServer = 202.188.0.132,202

.188.1.5
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D

8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B

0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32

\NavLogon.dll
O20 - Winlogon Notify: winije32 - winije32.dll (file

missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc.

- C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware

Development a.s. - C:\Program Files\Grisoft\AVG Anti-

Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems,

Inc. - C:\Program

Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM,

Inc. - C:\Program Files\WIDCOMM\Bluetooth

Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:

\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Groove Installer Service (

GrooveInstallerService) - Groove Networks, Inc. - C:

\Program Files\Groove

Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:

\Program Files\iPod\bin\iPodService.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG -

C:\Program Files\KPMG\Global

Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton

AntiVirus Server) - Symantec Corporation - C:\PROGRA~1

\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc.

- C:\Program

Files\ISS\issSensors\DesktopProtection\RapApp.exe
  • 0

#6
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
crusaderofrock,

OK, can you please repost your HijackThis log again, in Notepad turn off wordwrap..

Format > Word Wrap

Just uncheck it.

Thanks,
rstones12
  • 0

#7
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry, didn't know. My technical knowledge sucks. :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:03 PM, on 10/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kp...asp?hide_tabs=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kworld.kpmg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kworld.kpmg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kpmgproxy.com/kpmg_ie6.ins
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sound Pilot] "C:\Program Files\Sound Pilot\SndPilot.exe"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://*.kclient.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D426A0A6-D2E5-4C28-9C43-50BB6D558B8E}: NameServer = 202.188.0.132,202.188.1.5
O18 - Protocol: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winije32 - winije32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KPMG GD MBL Trigger (mblTrigger) - KPMG - C:\Program Files\KPMG\Global Desktop\MBL\Base\MBLTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
  • 0

#8
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
crusaderofrock,

OK, thats looking better. Now lets make sure things are cleaned up.

Please read "ALL" of the instructions before proceeding:

Have you run both the AVG Anti-Spyware and A2 Programs?? Have they identified any issues?

Lets check one other thing as well:
For the uninstall list:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Go ahead and post that list by using Add Reply

Thanks,
rstones12
  • 0

#9
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
No issues with a2. It's clean according to a2. I'm running AVG Anti Spyware now, may take awhile. Meanwhile, here's the uninstall list:

µTorrent
a-squared Anti-Dialer 2.0
ATI Display Driver
AVG Anti-Spyware 7.5
BookWorm Deluxe 1.03
Caseware Working Papers 2004.5
Click N Slide v2.0a
Colored Tetris ads support
Don't Touch My Computer 2 Screen Saver
Feeding Frenzy 2 1.0
FLV Player 1.3.3
Free Download Manager 2.1
Global Desktop Background Images
Global Desktop Background Images
Groove
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for MDAC 2.80 (KB911562)
IsoBuster 1.7
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_01
KAM 6.0
K-Lite Codec Pack 2.77 Full
KPMG .NET Framework Enterprise Code Access Security Policy
KPMG Standard CaseWare Template
KTP Ware PS/2-WDM 5.0.1.2
Launch Manager
LimeWire 4.12.3
LiveUpdate 1.80 (Symantec Corporation)
Luxor
Macromedia Flash Player 8
MBL
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB836616)
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Web Publishing Wizard 1.53
mIRC
MP3 Cutter Joiner 2.00
MSN Messenger 7.0
MSN Toolbar
Nero 7
NTI Backup NOW! 4
NTI CD & DVD-Maker
Post-it® Software Notes Lite
PowerDVD
QuickTime
Raja Dadah
RealPlayer
Rummi 4.0.35
S400
SCRABBLE
screensaver01
screensaver02
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
SoftV90 Data Fax Modem with SmartCP
Super TextTwist
Symantec AntiVirus Client
ToolBar888
Trivia Machine
Update for Windows XP (KB898461)
VIZTOPIA Practice Management - Workstation
Walls of Jericho
WIDCOMM Bluetooth Software
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Series
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix (SP2) q329623
Windows XP Hotfix (SP2) Q819696
WinRAR archiver
Zoom Player (remove only)
  • 0

#10
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Update on the AVG scan...here's the log for it...there's a high-risk Trojan.Dialer.qs still present according to the scan. Appreciate it if you could give me some advice. Thanks for your patience.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:26:20 PM 10/6/2006

+ Scan result:



D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Onestat : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Overture : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Targetnet : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Targetnet : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : No action taken.
D:\Documents and Settings\User\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\Temp\win7EA.tmp.exe -> Trojan.Dialer.qs : No action taken.
C:\WINDOWS\Temp\win887.tmp.exe -> Trojan.Dialer.qs : No action taken.
C:\WINDOWS\Temp\winD4A.tmp.exe -> Trojan.Dialer.qs : No action taken.


::Report end
  • 0

#11
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
crusaderofrock,

OK, we need to a few things.

Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you don't understand something please ask before performing any task..

Please open HijackThis and perform a scan only, then place a checkmark next to each of the following items:

O20 - Winlogon Notify: winije32 - winije32.dll (file missing)

Now close all open browsers and windows except for HijackThis then click on the the Fix Checked button. Once that completes close HijackThis.

You are currently running a few P2P applications, this may be the source of some of your issues. I have included them in the following instructions, it will be your choice to remove them or not. My recommendation is to remove them.

Next, go to Start > Control Panel > Add/Remove Programs and remove the following entries if present:

µTorrent < optional
LimeWire 4.12.3 < optional
ToolBar888 < remove

Now go to MyComputer find and remove the following folders if present:

C:\Program Files\Toolbar888 < -- Folder
C:\Program Files\LimeWire
C:\Program Files\µTorrent

Close your MyComputer and lets proceed.

The reason the Trojan.Dialer.qs keeps showing up is that some of your settings in AVG Anti-Spyware are not set correctly.
  • Open AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Now close AVG Anti-Spyware we will run it shortly.

Next, lets run ATF Cleaner you downloaded earlier:

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[/list]If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Now lets do the following:
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Please also include and new HijackThis log by using Add Reply

Thanks,
rstones12
  • 0

#12
crusaderofrock

crusaderofrock

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry for the delay. There was a two-day holiday back here in Malaysia where I work, hence the inavailability of Internet connection (only my office has internet connection, none in my home). Please check again on Thursday 12 Oct. 'cause I'll be doing those steps tonight. Bit busy with work at the moment. :whistling:

Again, sorry. :blink:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP