Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WinAntispyware 2006

Started by auslander , Nov 11 2006 03:17 PM

  • Please log in to reply

#1
auslander
Posted 11 November 2006 - 03:17 PM

auslander

    Member

  • Member
  • PipPip
  • 14 posts
Hello,

I seem to have picked up malware that is very difficult to remove by conventional means. I thought is was vundo and maybe it is, but the tools for its removal did not seem to work as described. I have followed the "before you post instructions and have logs for the entire process."

As a practice I run zone alarm, avg antivirus, and adaware.

You help is greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 2:59:48 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {084E544B-1839-548C-DCB4-03C0E674CC2E} - C:\WINDOWS\system32\akylatg.dll
O2 - BHO: (no name) - {0C7C6EBC-4CFF-EBC0-F5C1-045C32427E79} - C:\WINDOWS\system32\muflamc.dll
O2 - BHO: (no name) - {34D275CD-D96B-59FB-FDC3-0B5DB8125D86} - C:\WINDOWS\system32\ljhyyjf.dll
O2 - BHO: (no name) - {3C765153-BC20-2127-9FA0-088FCE4BF571} - C:\WINDOWS\system32\tcghurh.dll
O2 - BHO: (no name) - {4B9AE6AA-1DBC-0F9D-0944-06FAF33BB412} - C:\WINDOWS\system32\kmqpqll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62B0BBF5-B5BB-3710-6E9E-005499A5EEBD} - C:\WINDOWS\system32\eybcyri.dll
O2 - BHO: (no name) - {6F987F03-D7A7-4923-9CC0-C547CF0BC812} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C81BC5B4-D313-4882-9998-46EFBEC8F947} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\hqtjrrbb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzec.dll,startup
O4 - HKLM\..\Run: [zhqrgni.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zhqrgni.dll,dnlgvv
O4 - HKLM\..\Run: [eavkuxl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eavkuxl.dll,pozfjib
O4 - HKLM\..\Run: [qggnadh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qggnadh.dll,rohvxe
O4 - HKLM\..\Run: [vmhuzqf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vmhuzqf.dll,eoblaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [phydbyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\phydbyd.dll,nnecjw
O4 - HKLM\..\Run: [iiuzzug.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\iiuzzug.dll,pishxtc
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


ActiveScan log after running adaware and ewido (agv).
Incident Status Location

Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvzec.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\Desktop\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\My Documents\FireFoxDownloads\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John_2\Application Data\Mozilla\Firefox\Profiles\ie8d2eek.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John_2\Application Data\Mozilla\Firefox\Profiles\ie8d2eek.default\cookies.txt[.maxserving.com/]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\bhygjkfk.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\dfcaormf.exe
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvdit.dll
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvhic.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fccaayx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gebcyyw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gebyvsp.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\hbsmgjrd.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hggghih.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ietpbaxk.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\iygoxxec.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljhfcd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqpomk.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\yjnykexf.exe
  • 0

Advertisements

#2
Wizard
Posted 11 November 2006 - 04:20 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi auslander and Welcome to GeekstoGo!


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


After posting those 2 logs,Please download Combofix to your Root Drive C:\
http://download.blee...Bs/combofix.exe

Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.
  • 0

#3
auslander
Posted 12 November 2006 - 09:15 AM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello Cretemonster,

Thank you for you help.

I ran vundofix and hjt as instructed. The logs are below inline. Upon reboot I received a series of dialogs indicating missing dlls. These are the dlls removed by vundofix (see log).

BTW, to you prefer inline logs or attached log files. Most posts seem to put them inline.


VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:52:45 AM 11/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\eavkuxl.dll
C:\WINDOWS\system32\eybcyri.dll
C:\WINDOWS\system32\iiuzzug.dll
C:\WINDOWS\system32\kmqpqll.dll
C:\WINDOWS\system32\ljhyyjf.dll
C:\WINDOWS\system32\muflamc.dll
C:\WINDOWS\system32\phydbyd.dll
C:\WINDOWS\system32\tcghurh.dll
C:\WINDOWS\system32\vmhuzqf.dll
C:\WINDOWS\system32\zhqrgni.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\eavkuxl.dll
C:\WINDOWS\system32\eavkuxl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eybcyri.dll
C:\WINDOWS\system32\eybcyri.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiuzzug.dll
C:\WINDOWS\system32\iiuzzug.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kmqpqll.dll
C:\WINDOWS\system32\kmqpqll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljhyyjf.dll
C:\WINDOWS\system32\ljhyyjf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\muflamc.dll
C:\WINDOWS\system32\muflamc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\phydbyd.dll
C:\WINDOWS\system32\phydbyd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tcghurh.dll
C:\WINDOWS\system32\tcghurh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vmhuzqf.dll
C:\WINDOWS\system32\vmhuzqf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zhqrgni.dll
C:\WINDOWS\system32\zhqrgni.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\egjlm.bak1
C:\WINDOWS\system32\egjlm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 9:01:38 AM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {084E544B-1839-548C-DCB4-03C0E674CC2E} - C:\WINDOWS\system32\akylatg.dll
O2 - BHO: (no name) - {0C7C6EBC-4CFF-EBC0-F5C1-045C32427E79} - C:\WINDOWS\system32\muflamc.dll (file missing)
O2 - BHO: (no name) - {34D275CD-D96B-59FB-FDC3-0B5DB8125D86} - C:\WINDOWS\system32\ljhyyjf.dll (file missing)
O2 - BHO: (no name) - {3C765153-BC20-2127-9FA0-088FCE4BF571} - C:\WINDOWS\system32\tcghurh.dll (file missing)
O2 - BHO: (no name) - {4B9AE6AA-1DBC-0F9D-0944-06FAF33BB412} - C:\WINDOWS\system32\kmqpqll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62B0BBF5-B5BB-3710-6E9E-005499A5EEBD} - C:\WINDOWS\system32\eybcyri.dll (file missing)
O2 - BHO: (no name) - {6F987F03-D7A7-4923-9CC0-C547CF0BC812} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C81BC5B4-D313-4882-9998-46EFBEC8F947} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\hqtjrrbb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzec.dll,startup
O4 - HKLM\..\Run: [zhqrgni.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zhqrgni.dll,dnlgvv
O4 - HKLM\..\Run: [eavkuxl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eavkuxl.dll,pozfjib
O4 - HKLM\..\Run: [qggnadh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qggnadh.dll,rohvxe
O4 - HKLM\..\Run: [vmhuzqf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vmhuzqf.dll,eoblaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [phydbyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\phydbyd.dll,nnecjw
O4 - HKLM\..\Run: [iiuzzug.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\iiuzzug.dll,pishxtc
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
auslander
Posted 12 November 2006 - 09:23 AM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Adding Combofix log per previous instructions.





john - 06-11-12 9:18:43.87 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{349BD071-0AE9-1033-0530-060223060001}
C:\Program Files\Common Files\{E49BD071-0AE9-1033-0530-060223060001}


((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-12 09:16 277,182 --a------ C:\combofix.exe
2006-11-11 12:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-11 08:53 110,612 --a------ C:\WINDOWS\system32\bhygjkfk.exe
2006-11-08 08:38 110,612 --a------ C:\WINDOWS\system32\dfcaormf.exe
2006-11-07 20:05 40,973 --ahs---- C:\WINDOWS\system32\gebcyyw.dll
2006-11-07 07:02 40,973 --ahs---- C:\WINDOWS\system32\mljhfcd.dll
2006-11-07 07:00 110,612 --a------ C:\WINDOWS\system32\iygoxxec.exe
2006-11-07 07:00 110,612 --a------ C:\WINDOWS\system32\ietpbaxk.exe
2006-11-06 07:14 73,728 --a------ C:\WINDOWS\system32\akylatg.dll
2006-11-06 07:13 40,973 --ahs---- C:\WINDOWS\system32\ssqpomk.dll
2006-11-06 06:56 110,612 --a------ C:\WINDOWS\system32\yjnykexf.exe
2006-11-05 18:49 93,696 --a------ C:\WINDOWS\system32\qggnadh.dll
2006-11-05 18:49 59,392 --a------ C:\WINDOWS\system32\drvdit.dll
2006-11-05 18:49 40,973 --ahs---- C:\WINDOWS\system32\fccaayx.dll
2006-11-05 08:22 40,973 --ahs---- C:\WINDOWS\system32\hggghih.dll
2006-11-04 21:14 110,612 --a------ C:\WINDOWS\system32\hbsmgjrd.exe
2006-11-04 18:08 59,392 --a------ C:\WINDOWS\system32\drvhic.dll
2006-11-04 18:07 40,973 --ahs---- C:\WINDOWS\system32\gebyvsp.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-12 09:19 -------- d-------- C:\Program Files\Common Files
2006-11-12 09:03 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-11 14:51 -------- d-------- C:\Program Files\Windows Defender
2006-11-11 14:51 -------- d-------- C:\Program Files\QuickTime
2006-11-11 14:49 -------- d-------- C:\Program Files\iTunes
2006-11-11 14:49 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 14:04 -------- d-------- C:\Program Files\CCleaner
2006-11-11 13:51 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-11 13:15 -------- d-------- C:\Program Files\CleanUp!
2006-11-11 12:30 -------- d-------- C:\Program Files\VSAdd-in
2006-11-11 12:16 -------- d-------- C:\Program Files\Grisoft
2006-11-06 19:37 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-06 19:37 -------- d-------- C:\Program Files\CyberLink
2006-11-06 18:41 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 18:41 -------- d-------- C:\Documents and Settings\john\Application Data\Lavasoft
2006-11-06 18:15 -------- d-------- C:\Program Files\InterActual
2006-11-04 20:57 -------- d-------- C:\Documents and Settings\john\Application Data\Help
2006-11-04 17:49 -------- d-------- C:\Program Files\InterVideo Information Service
2006-10-26 19:51 -------- dr------- C:\Documents and Settings\john\Application Data\Brother
2006-10-26 19:49 -------- d---s---- C:\Documents and Settings\john\Application Data\Microsoft
2006-10-26 18:32 -------- d-------- C:\Documents and Settings\john\Application Data\Macromedia
2006-10-03 21:32 -------- d-------- C:\Documents and Settings\john\Application Data\CyberLink
2006-10-03 21:19 -------- d-------- C:\Documents and Settings\john\Application Data\Apple Computer
2006-10-03 21:17 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-10-03 21:11 33824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-10-03 21:11 0 --a------ C:\Documents and Settings\john\Application Data\AVSDVDPlayer.m3u
2006-10-03 19:32 -------- d-------- C:\Program Files\InterVideo
2006-10-03 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-10-03 18:15 -------- d-------- C:\Program Files\DAEMON Tools
2006-10-03 18:14 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-03 17:46 -------- d-------- C:\Program Files\DVD Decrypter
2006-09-27 20:32 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-26 08:08 16752 --a------ C:\Documents and Settings\john\Application Data\GDIPFONTCACHEV1.DAT
2006-09-25 20:58 -------- d-------- C:\Program Files\iPod
2006-09-25 20:57 -------- d-------- C:\Program Files\Apple Software Update
2006-09-23 10:51 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-09-18 21:51 -------- d-------- C:\Program Files\Messenger
2006-09-18 21:50 -------- d-------- C:\Program Files\Windows Media Player
2006-09-18 21:48 -------- d-------- C:\Program Files\Outlook Express
2006-09-18 21:48 -------- d-------- C:\Program Files\Common Files\System
2006-09-18 19:52 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-18 19:49 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-18 19:48 -------- d-------- C:\Program Files\Microsoft Office
2006-09-17 19:12 -------- d-------- C:\Documents and Settings\john\Application Data\InterVideo
2006-09-17 19:11 -------- d-------- C:\Program Files\MSXML 4.0
2006-09-17 19:11 -------- d-------- C:\Program Files\DivX
2006-09-16 03:55 -------- d-------- C:\Program Files\Java
2006-09-16 03:55 -------- d-------- C:\Documents and Settings\john\Application Data\Sun
2006-09-16 03:52 -------- d-------- C:\Program Files\Common Files\Java
2006-09-14 16:11 -------- d-------- C:\Documents and Settings\john\Application Data\AdobeUM
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 01:56 869 --a------ C:\Documents and Settings\john\Application Data\AdobeDLM.log
2006-09-09 01:56 0 --a------ C:\Documents and Settings\john\Application Data\dm.ini
2006-09-08 20:04 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-08 20:04 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-07 21:02 0 -rahs---- C:\MSDOS.SYS
2006-09-07 21:02 0 -rahs---- C:\IO.SYS
2006-09-07 21:02 0 --a------ C:\CONFIG.SYS
2006-09-07 21:02 0 --a------ C:\AUTOEXEC.BAT
2006-09-07 14:46 62 --ahs---- C:\Documents and Settings\john\Application Data\desktop.ini
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvzec.dll,startup"
"zhqrgni.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zhqrgni.dll,dnlgvv"
"eavkuxl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\eavkuxl.dll,pozfjib"
"qggnadh.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\qggnadh.dll,rohvxe"
"vmhuzqf.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\vmhuzqf.dll,eoblaf"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"phydbyd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\phydbyd.dll,nnecjw"
"iiuzzug.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\iiuzzug.dll,pishxtc"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,01,00,00,00,00,00,00,00,06,00,00,b0,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061111-131150-773
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...ER}&ar=home
backup-20061111-131150-993
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....6...&ar=msnhome
backup-20061111-131150-168
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-12 9:19:25.59
C:\ComboFix.txt ... 06-11-12 09:19
  • 0

#5
Wizard
Posted 12 November 2006 - 09:45 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {084E544B-1839-548C-DCB4-03C0E674CC2E} - C:\WINDOWS\system32\akylatg.dll

O2 - BHO: (no name) - {0C7C6EBC-4CFF-EBC0-F5C1-045C32427E79} - C:\WINDOWS\system32\muflamc.dll (file missing)

O2 - BHO: (no name) - {34D275CD-D96B-59FB-FDC3-0B5DB8125D86} - C:\WINDOWS\system32\ljhyyjf.dll (file missing)

O2 - BHO: (no name) - {3C765153-BC20-2127-9FA0-088FCE4BF571} - C:\WINDOWS\system32\tcghurh.dll (file missing)

O2 - BHO: (no name) - {4B9AE6AA-1DBC-0F9D-0944-06FAF33BB412} - C:\WINDOWS\system32\kmqpqll.dll (file missing)

O2 - BHO: (no name) - {62B0BBF5-B5BB-3710-6E9E-005499A5EEBD} - C:\WINDOWS\system32\eybcyri.dll (file missing)

O2 - BHO: (no name) - {6F987F03-D7A7-4923-9CC0-C547CF0BC812} - C:\WINDOWS\system32\awtsr.dll (file missing)

O2 - BHO: (no name) - {C81BC5B4-D313-4882-9998-46EFBEC8F947} - C:\WINDOWS\system32\mljge.dll (file missing)

O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\hqtjrrbb.dll (file missing)

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzec.dll,startup

O4 - HKLM\..\Run: [zhqrgni.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zhqrgni.dll,dnlgvv

O4 - HKLM\..\Run: [eavkuxl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eavkuxl.dll,pozfjib

O4 - HKLM\..\Run: [qggnadh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qggnadh.dll,rohvxe

O4 - HKLM\..\Run: [vmhuzqf.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vmhuzqf.dll,eoblaf

O4 - HKLM\..\Run: [phydbyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\phydbyd.dll,nnecjw

O4 - HKLM\..\Run: [iiuzzug.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\iiuzzug.dll,pishxtc

O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)

O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)

O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Search for and delete the following:

C:\WINDOWS\system32\hbsmgjrd.exe<-- File

C:\WINDOWS\system32\bhygjkfk.exe<-- File

C:\WINDOWS\system32\dfcaormf.exe<-- File

C:\WINDOWS\system32\iygoxxec.exe<-- File

C:\WINDOWS\system32\ietpbaxk.exe<-- File

C:\WINDOWS\system32\yjnykexf.exe<-- File



Click Start--> Click Run--> Copy&Paste the bold text below into the open Run box and click OK.

%systemdrive%\combofix.exe /v akylatg hqtjrrbb drvzec qggnadh drvdit drvhic gebyvsp fccaayx hggghih ssqpomk gebcyyw mljhfcd


If combofix did not reboot the machine,please restart now and scan fresh with HijackThis.

Post the fresh HijackThis log and the results from the last combofix run.


After posting those 2 logs,Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

  • 0

#6
auslander
Posted 12 November 2006 - 12:10 PM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Posting combofix and hjt logs per instruction...



john - 06-11-12 11:59:54.39 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\"
Command switches used :: /v akylatg hqtjrrbb drvzec qggnadh drvdit drvhic gebyvsp fccaayx hggghih ssqpomk gebcyyw mljhfcd

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\akylatg.dll
C:\WINDOWS\system32\qggnadh.dll
C:\WINDOWS\system32\drvdit.dll
C:\WINDOWS\system32\drvhic.dll
C:\WINDOWS\system32\gebyvsp.dll
C:\WINDOWS\system32\fccaayx.dll
C:\WINDOWS\system32\hggghih.dll
C:\WINDOWS\system32\ssqpomk.dll
C:\WINDOWS\system32\gebcyyw.dll
C:\WINDOWS\system32\mljhfcd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-12 09:16 277,182 --a------ C:\combofix.exe
2006-11-11 12:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-12 11:53 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-12 09:19 -------- d-------- C:\Program Files\Common Files
2006-11-11 14:51 -------- d-------- C:\Program Files\Windows Defender
2006-11-11 14:51 -------- d-------- C:\Program Files\QuickTime
2006-11-11 14:49 -------- d-------- C:\Program Files\iTunes
2006-11-11 14:49 -------- d-------- C:\Program Files\Internet Explorer
2006-11-11 14:04 -------- d-------- C:\Program Files\CCleaner
2006-11-11 13:51 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-11 13:15 -------- d-------- C:\Program Files\CleanUp!
2006-11-11 12:30 -------- d-------- C:\Program Files\VSAdd-in
2006-11-11 12:16 -------- d-------- C:\Program Files\Grisoft
2006-11-06 19:37 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-06 19:37 -------- d-------- C:\Program Files\CyberLink
2006-11-06 18:41 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 18:41 -------- d-------- C:\Documents and Settings\john\Application Data\Lavasoft
2006-11-06 18:15 -------- d-------- C:\Program Files\InterActual
2006-11-04 20:57 -------- d-------- C:\Documents and Settings\john\Application Data\Help
2006-11-04 17:49 -------- d-------- C:\Program Files\InterVideo Information Service
2006-10-26 19:51 -------- dr------- C:\Documents and Settings\john\Application Data\Brother
2006-10-26 19:49 -------- d---s---- C:\Documents and Settings\john\Application Data\Microsoft
2006-10-26 18:32 -------- d-------- C:\Documents and Settings\john\Application Data\Macromedia
2006-10-03 21:32 -------- d-------- C:\Documents and Settings\john\Application Data\CyberLink
2006-10-03 21:19 -------- d-------- C:\Documents and Settings\john\Application Data\Apple Computer
2006-10-03 21:17 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-10-03 21:11 33824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-10-03 21:11 0 --a------ C:\Documents and Settings\john\Application Data\AVSDVDPlayer.m3u
2006-10-03 19:32 -------- d-------- C:\Program Files\InterVideo
2006-10-03 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-10-03 18:15 -------- d-------- C:\Program Files\DAEMON Tools
2006-10-03 18:14 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-03 17:46 -------- d-------- C:\Program Files\DVD Decrypter
2006-09-27 20:32 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-26 08:08 16752 --a------ C:\Documents and Settings\john\Application Data\GDIPFONTCACHEV1.DAT
2006-09-25 20:58 -------- d-------- C:\Program Files\iPod
2006-09-25 20:57 -------- d-------- C:\Program Files\Apple Software Update
2006-09-23 10:51 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-09-18 21:51 -------- d-------- C:\Program Files\Messenger
2006-09-18 21:50 -------- d-------- C:\Program Files\Windows Media Player
2006-09-18 21:48 -------- d-------- C:\Program Files\Outlook Express
2006-09-18 21:48 -------- d-------- C:\Program Files\Common Files\System
2006-09-18 19:52 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-18 19:49 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-18 19:48 -------- d-------- C:\Program Files\Microsoft Office
2006-09-17 19:12 -------- d-------- C:\Documents and Settings\john\Application Data\InterVideo
2006-09-17 19:11 -------- d-------- C:\Program Files\MSXML 4.0
2006-09-17 19:11 -------- d-------- C:\Program Files\DivX
2006-09-16 03:55 -------- d-------- C:\Program Files\Java
2006-09-16 03:55 -------- d-------- C:\Documents and Settings\john\Application Data\Sun
2006-09-16 03:52 -------- d-------- C:\Program Files\Common Files\Java
2006-09-14 16:11 -------- d-------- C:\Documents and Settings\john\Application Data\AdobeUM
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 01:56 869 --a------ C:\Documents and Settings\john\Application Data\AdobeDLM.log
2006-09-09 01:56 0 --a------ C:\Documents and Settings\john\Application Data\dm.ini
2006-09-08 20:04 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-08 20:04 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-07 21:02 0 -rahs---- C:\MSDOS.SYS
2006-09-07 21:02 0 -rahs---- C:\IO.SYS
2006-09-07 21:02 0 --a------ C:\CONFIG.SYS
2006-09-07 21:02 0 --a------ C:\AUTOEXEC.BAT
2006-09-07 14:46 62 --ahs---- C:\Documents and Settings\john\Application Data\desktop.ini
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,01,00,00,00,00,00,00,00,06,00,00,b0,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-12 12:01:32.82
C:\ComboFix.txt ... 06-11-12 12:01
C:\ComboFix2.txt ... 06-11-12 09:19

====================================


Logfile of HijackThis v1.99.1
Scan saved at 12:07:11 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#7
Wizard
Posted 12 November 2006 - 12:38 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Locate and Delete this folder--> C:\Program Files\VSAdd-in


Post F-Secure results when you are ready.
  • 0

#8
auslander
Posted 12 November 2006 - 12:46 PM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I ran f-secure before deleting the VSAdd-in directory. Do I need to run it again?


Here is the log from the first run.



Scanning Report


Sunday, November 12, 2006 12:18:43 - 12:37:07

Computer name: WORKSTATION9150
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

------------------------------------------------------------------------


Result: 0 malware found

------------------------------------------------------------------------


Statistics

Scanned:

* Files: 14712
* System: 3303
* Not scanned: 4

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\APPLICATION
DATA\MICROSOFT\WINDOWS
DEFENDER\FILETRACKER\{E22BC677-9A89-4610-A5DC-1E23B20C10C0}

------------------------------------------------------------------------


Options

Scanning engines:

* F-Secure Libra: 2.4.2, 2006-11-10
* F-Secure AVP: 7.0.171, 2006-11-10
* F-Secure Orion: 1.2.37, 2006-11-10
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Pegasus: 1.19.0, 2006-08-29

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM
ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK
WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML
PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

------------------------------------------------------------------------


Copyright © 1998-2006 Product support
<http://support.f-secure.com/> |Send virus sample to
F-Secure
<http://support.f-sec...roblem/sample/>


F-Secure assumes no responsibility for material
created or published by third parties that F-Secure
World Wide Web pages have a link to. Unless you have
clearly stated otherwise, by submitting material to
any of our servers, for example by E-mail or via our
F-Secure's CGI E-mail, you agree that the material you
make available may be published in the F-Secure World
Wide Pages or hard-copy publications. You will reach
F-Secure public web site by clicking on underlined
links. While doing this, your access will be logged to
our private access statistics with your domain
name.This information will not be given to any third
party. You agree not to take action against us in
relation to material that you submit. Unless you have
clearly stated otherwise, by submitting material you
warrant that F-Secure may incorporate any concepts
described in it in the F-Secure products/publications
without liability.
  • 0

#9
Wizard
Posted 12 November 2006 - 12:54 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Nah,you did fine.

I like those results but Id like to run a scan or 2 more before we call things clear.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#10
auslander
Posted 12 November 2006 - 01:39 PM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Activescan log


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\Desktop\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\My Documents\FireFoxDownloads\smitRem.exe[smitRem/Process.exe]
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\__delete_on_reboot__d_r_v_z_e_c_._d_l_l_
  • 0

Advertisements

#11
Wizard
Posted 12 November 2006 - 01:45 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
You should easily find this file and be able to delete it.

C:\WINDOWS\system32\__delete_on_reboot__d_r_v_z_e_c_._d_l_l_


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#12
auslander
Posted 12 November 2006 - 05:17 PM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 12, 2006 4:58:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/11/2006
Kaspersky Anti-Virus database records: 227198
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 22737
Number of viruses found 1
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 00:16:31

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11062006-200436.log Object is locked skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{25371987-CB6E-4314-A9EE-27DA2E8989A1} Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\john\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-842925246-879983540-839522115-1004\Dc1._d_l_l_ Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002309.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002392.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002393.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\WORKSTATION9150.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0F2991A4-A749-40AA-87E5-EABF4C0CAD9D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT053aa.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT053ad.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
  • 0

#13
Wizard
Posted 12 November 2006 - 05:56 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Very nicely done! :whistling:


Please Install these 2 to add to the Security of the PC

SpywareBlaster:
http://www.javacools.../downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm


Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Post back and let me know how the machine is running?
  • 0

#14
auslander
Posted 12 November 2006 - 05:57 PM

auslander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Rerun of Kaspersky with correct settings


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 12, 2006 5:54:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/11/2006
Kaspersky Anti-Virus database records: 240851
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 22804
Number of viruses found: 2
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:16:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11062006-200436.log Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\cert8.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\history.dat Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\key3.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\parent.lock Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\search.sqlite Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{25371987-CB6E-4314-A9EE-27DA2E8989A1} Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\q25tl66s.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\MSHist012006111220061113\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\john\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-842925246-879983540-839522115-1004\Dc1._d_l_l_ Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002309.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002380.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002381.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002382.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002383.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002384.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002385.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002392.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP3\A0002393.dll Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\System Volume Information\_restore{3273F90D-281C-48E4-AA25-50B37CEA7001}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\WORKSTATION9150.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0F2991A4-A749-40AA-87E5-EABF4C0CAD9D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT053aa.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT053ad.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#15
Wizard
Posted 12 November 2006 - 06:05 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts

Scan using the following antivirus database standard


Caught me not looking,yes you did! :whistling: :blink:


The extended database does make a difference but in your case we were lucky.

Just be sure to empty your recycle bin and we will take care of those items in System Restore directly.


Is the machine running OK?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP