Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

artm_new.dll & polymorph.dll...can't get rid of them

Started by wvbear , Nov 21 2006 11:39 AM

  • This topic is locked This topic is locked

#1
wvbear
Posted 21 November 2006 - 11:39 AM

wvbear

    New Member

  • Member
  • Pip
  • 9 posts
These .dll's are pesky buggers. I can't get rid of them no matter how hard I try. I followed all the pre-posting instructions and found/cleaned quite a bit. That was a big help already. My system seems to be working well now, but hijackthis still has those .dll's show up and neither it, nor killbox, can get rid of them. Although, the polymorph.dll now shows "(file missing)" which appeared at some point during the pre-posting instructions.

Logfile of HijackThis v1.99.1
Scan saved at 12:18:21 PM, on 11/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {3A823C54-4119-E733-BF38-0592CB58B540} - C:\WINDOWS\System32\hqvxscn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WINRUN] taskgmr.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
O21 - SSODL: CDRecorder025 - {A3BC5E20-0235-1ABF-9CE1-00AA00512025} - C:\WINDOWS\System32\cmxh32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

*********************

Uninstall Log From Hijackthis -

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
America Online
AOL Coach Version 1.0(Build:20020823.1)
AVG Anti-Spyware 7.5
AVG Free Edition
BCM V.92 56K Modem
Charter Pipeline® Self-Installation
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Dell Support 5.0.0 (766)
DS21Patch
DVDSentry
EarthLink Setup Files
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Modem Helper
MUSICMATCH® Jukebox
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PowerDVD
RealOne Player
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Viewpoint Media Player (Remove Only)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WordPerfect Office 11


**********************

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:56:46 AM 11/21/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\bre.dll -> Downloader.Small.ajp : Cleaned with backup (quarantined).
C:\t.inx -> Downloader.Tibs.fj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000020.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.dz : Cleaned with backup (quarantined).
C:\Documents and Settings\JEFF SR\Local Settings\Temp\temp.fr74AA -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.dll -> Proxy.Agent.ji : Cleaned with backup (quarantined).
[212] C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll -> Proxy.Xorpix.v : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\slx.exen -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000012.exe -> Worm.Mytob.f : Cleaned with backup (quarantined).
C:\hellmsn.exe -> Worm.Mytob.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000009.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000010.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000011.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\bingoo.exe -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\taskgmr.exe -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\funny_pic.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\my_photo2005.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).
C:\see_this!!.scr -> Worm.Mytob.t : Cleaned with backup (quarantined).


::Report end
  • 0

Advertisements

#2
Crustyoldbloke
Posted 21 November 2006 - 03:50 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello wvbear and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans. Let’s see what we can do.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
combofix.exe

There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\System32\cmxh32.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {3A823C54-4119-E733-BF38-0592CB58B540} - C:\WINDOWS\System32\hqvxscn.dll
O4 - HKCU\..\Run: [WINRUN] taskgmr.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\hqvxscn.dll
C:\WINDOWS\System32\taskgmr.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck AVGas Anti-Spyware log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look. (2 logs and a file analysis please).
  • 0

#3
wvbear
Posted 21 November 2006 - 06:49 PM

wvbear

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks CoB,

We're making progress, it would seem. I'll respond to all your questions/requests in the order they were presented to me. Hopefully it will all make sense.

The PC has 3 individual settings, all with admin rights.

The three programs were downloaded to desktop.

I could not find C:\WINDOWS\System32\cmxh32.dll so I don't have the Jotti analysis.

I looked in windows explorer and made sure to show hidden files and folders as well as to
not hide protected operating system files. I also did a windows search for the file.
I'm not sure what else to do to find it.

I scanned/fixed your suggested files in hijackthis.

I installed Killbox and followed your directions. I did not receive the PendingFileRenameOperations prompt. I didn't have any error messages or problems installing/running Killbox either.

I installed CCleaner but didn't see any default option to be checked. Old Prefetch Data was already unchecked. There was no AVGas Anti-Spyware log to uncheck, but I unchecked AVG Anti-Spyware. I hope I didn't make a mistake by doing that.

Combofix.exe generated the following report:

JEFF SR - 06-11-21 19:26:36.70 Service Pack 1
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\JEFF SR\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-10-21 to 2006-11-21 ))))))))))))))))))))))))))))))))))


2006-11-21 19:25 <DIR> dr-h----- C:\Documents and Settings\JEFF SR\Recent
2006-11-21 19:19 <DIR> d-------- C:\Program Files\CCleaner
2006-11-21 18:18 34,997 --a------ C:\WINDOWS\SYSTEM32\wrmim32.dll
2006-11-21 18:04 11,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pxscrmbl.sys
2006-11-21 12:49 <DIR> d-------- C:\Program Files\FaxTools
2006-11-21 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2006-11-21 12:48 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2006-11-21 12:48 87,040 --a------ C:\WINDOWS\SYSTEM32\wiafbdrv.dll
2006-11-21 12:48 24,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbprint.sys
2006-11-21 12:48 14,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2006-11-21 12:48 <DIR> d-------- C:\Program Files\Dell AIO Printer A940
2006-11-21 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-21 12:06 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2006-11-21 12:06 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2006-11-21 12:06 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-11-21 11:41 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2006-11-21 11:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2006-11-21 11:33 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-11-21 11:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-21 11:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2006-11-21 11:31 <DIR> d-------- C:\WINDOWS\Prefetch
2006-11-21 11:28 921,475 --------- C:\WINDOWS\SYSTEM32\ati3d2ag.dll
2006-11-21 11:28 844,675 --------- C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2006-11-21 11:28 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2006-11-21 11:28 6,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2006-11-21 11:28 56,591 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2006-11-21 11:28 450,176 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
2006-11-21 11:28 38,912 --a------ C:\WINDOWS\SYSTEM32\hhsetup.dll
2006-11-21 11:28 377,984 --------- C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2006-11-21 11:28 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2006-11-21 11:28 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2006-11-21 11:28 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2006-11-21 11:28 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2006-11-21 11:28 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2006-11-21 11:28 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2006-11-21 11:28 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2006-11-21 11:28 202,496 --------- C:\WINDOWS\SYSTEM32\ati2dvag.dll
2006-11-21 11:28 18,944 --------- C:\WINDOWS\SYSTEM32\faxpatch.exe
2006-11-21 11:28 143,872 --a------ C:\WINDOWS\SYSTEM32\itircl.dll
2006-11-21 11:28 13,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2006-11-21 11:28 128,000 --a------ C:\WINDOWS\SYSTEM32\itss.dll
2006-11-21 11:28 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2006-11-21 11:28 11,904 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2006-11-21 11:28 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2006-11-21 11:28 10,752 --a------ C:\WINDOWS\hh.exe
2006-11-21 11:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2006-11-21 11:28 <DIR> d-------- C:\WINDOWS\ehome
2006-11-21 10:52 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-21 10:30 816,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-11-21 10:30 4,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-11-21 10:30 4,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-11-21 10:30 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
2006-11-21 10:30 28,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-11-21 10:30 18,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
2006-11-21 10:30 <DIR> d-------- C:\Documents and Settings\JEFF SR\Application Data\AVG7
2006-11-21 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-21 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-21 10:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2006-11-21 09:18 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-11-21 09:18 <DIR> d-------- C:\Program Files\Grisoft
2006-11-21 09:04 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-21 09:04 <DIR> d-------- C:\Documents and Settings\JEFF SR\Application Data\Lavasoft
2006-11-21 09:03 <DIR> d-------- C:\WINDOWS\pss
2006-11-21 08:56 <DIR> d-------- C:\hjt
2006-11-21 08:06 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2006-11-21 08:06 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2006-11-21 08:06 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2006-11-21 08:06 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-11-17 15:30 <DIR> d-------- C:\!KillBox
2006-11-17 14:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-11-17 13:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-17 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-17 13:21 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2006-11-17 13:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2006-11-17 13:18 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2006-11-17 13:18 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2006-11-17 13:18 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2006-11-17 13:18 173,536 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2006-11-17 13:18 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2006-11-17 13:18 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2006-11-17 13:18 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-11-17 13:12 94,720 --a------ C:\WINDOWS\SYSTEM32\hdmdcal.dll
2006-11-17 13:12 107,520 --a------ C:\Documents and Settings\JEFF SR\loaded.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-21 12:49 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-21 12:06 -------- d-------- C:\Program Files\NetMeeting
2006-11-21 11:58 -------- d-------- C:\Program Files\Windows Media Player
2006-11-21 11:51 -------- d-------- C:\Program Files\Outlook Express
2006-11-21 11:49 -------- d-------- C:\Program Files\Messenger
2006-11-21 10:16 -------- d-------- C:\Program Files\Internet Explorer
2006-11-21 10:16 -------- d-------- C:\Program Files\Dell Support
2006-11-21 10:15 -------- d-------- C:\Program Files\AOL Companion
2006-11-21 10:15 -------- d-------- C:\Program Files\America Online 8.0
2006-11-17 13:45 -------- d---s---- C:\Documents and Settings\JEFF SR\Application Data\Microsoft
2006-11-17 13:18 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-13 00:09 1110528 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-08-25 10:53 561664 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-25 04:14 595968 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WINRUN"="taskgmr.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"WINRUN"="taskgmr.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"CDRecorder026"="{A3BC5E20-0235-1ABF-9CE1-00AA00512026}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061121-191420-603
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll (file missing)
backup-20061121-191420-489
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
backup-20061121-191420-710
O4 - HKCU\..\Run: [WINRUN] taskgmr.exe
backup-20061121-191420-324
O2 - BHO: (no name) - {3A823C54-4119-E733-BF38-0592CB58B540} - C:\WINDOWS\System32\hqvxscn.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-11-21 19:26:55.40
C:\ComboFix.txt ... 06-11-21 19:26


****************

Hijackthis then generated the following report:


Logfile of HijackThis v1.99.1
Scan saved at 7:28:39 PM, on 11/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\System32\wrmim32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Thanks for your assistance :whistling:
  • 0

#4
Crustyoldbloke
Posted 21 November 2006 - 07:05 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Thanks for the logs; they look good. I can still see the file in your HJT log that causes me some concern. I also see it in the ComboFix log. There is a folder you can delete if you would please:

C:\Program Files\Enigma Software Group\

Now that the HijackThis log for the main account is clean, you have a choice to make.

You can either post into this thread a fresh HJT log for each of the other accounts, from normal mode and I will analyse them and give you instruction necessary for any fix. Please name or number the logs to save any confusion.

Or you can go to User Accounts in the Control Panel and delete all the accounts other than the one I have been working on.

Windows by default will create a folder for each account and place it on the desktop with all the files and documents relative to that account in it, so nothing is lost.

If you then wish to have multiple accounts again, just reboot normally and create the account again from User Accounts (takes 5 minutes).
  • 0

#5
wvbear
Posted 21 November 2006 - 08:31 PM

wvbear

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks so much for your help. I decided to delete the other two users and avoid extra work for you or I. The first user I deleted was insanely infected and during the process of deletion popped up no less than 30 virus infections in AVG. I sent them all to the vault. The process crashed and I had to force it to close. User #2 wasn't deleted when I went back into the control panel, but another attempt at deleting it did the trick (albeit with another 3 virus alerts). User #3 deleted without any problems or alerts.

I appreciate your assistance with this problem. You nailed it right away. That's as close to superhuman as can be expected, imo. I'm going to let it ride for a little while and see if anything strange happens. If it does, I'll certainly be back for more help. Thanks again.
  • 0

#6
Crustyoldbloke
Posted 22 November 2006 - 02:30 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Congratulations! your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

Please take note of the above at this stage and if you have problems in a few days, we can find the hidden file and isolate it,

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.
  • 0

#7
Crustyoldbloke
Posted 02 December 2006 - 03:52 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP