Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware or Trojan infection

Started by jesushairdo , Nov 21 2006 05:14 PM

  • Please log in to reply

#1
jesushairdo
Posted 21 November 2006 - 05:14 PM

jesushairdo

    New Member

  • Member
  • Pip
  • 8 posts
Can anyone help.
I'm having Malware or a Trojan problem. I have ZoneAlarm security suite & used Spybot Doctor & "Search & Destroy" scans. None of them seem to fix a problem/s. I've also done a Hijackthis scan & copied the results in www.hijackthis.de I noticed obivious problems & a few Malware in there, fixed them but still getting - every other boot up a small task bar icon which creates a popups. I recently got rid of smitfraud-c.toolbar888 .
Below is my Panda ActiveScan log. Can anyone help please.


Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{EC4CA273-0C7A-2057-1215-04041207002c}\system.dll
Adware:Adware/Mytoolbar Not disinfected C:\Program Files\Common Files\{EC4CA273-0C7A-2057-1215-04041207002c}\Update.exe
Possible Virus. Not disinfected C:\VundoFix Backups\pmnlm.dll.bad
Adware:Adware/Yazzle Not disinfected C:\VundoFix Backups\winexy32.dll.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\cnretnbv.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\cspyqjwr.exe -
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvcuz.dll
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvhih.dll
Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvjaf.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\khfgeda.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\ljjgghf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lvyqvjfs.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\mljhfda.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\nnnmjhf.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\rqrppnm.dll
  • 0

Advertisements

#2
MFDnSC
Posted 21 November 2006 - 05:37 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
post the hijack log here - that automated analyzer is worthless
  • 0

#3
jesushairdo
Posted 21 November 2006 - 05:54 PM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 23:54:01, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7E436D-9AF6-5933-E340-006C7BB0479B} - C:\WINDOWS\system32\kmcribj.dll
O2 - BHO: (no name) - {1222EBBE-B963-8FE7-3ADA-09F66DABB82A} - C:\WINDOWS\system32\oipxwab.dll
O2 - BHO: (no name) - {2261499D-7D10-C00E-3AA6-0B3A64A8DE01} - C:\WINDOWS\system32\efggxn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {658C8155-DC7E-58A2-12E3-08384264A2B5} - C:\WINDOWS\system32\bblwuwh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142265253500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
MFDnSC
Posted 21 November 2006 - 06:41 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
1. Download this file :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall


===============================


Download AVG Anti-Spyware from http://www.ewido.net/en/download/ and save that file to your desktop. Note: This is NOT the Anti Virus from AVG.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
o Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
o Select "Automatically generate report after every scan"
o Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
5. If you have any infections you will be prompted. Then select "Apply all actions."
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the log from AVG and a new HiJack log
  • 0

#5
jesushairdo
Posted 22 November 2006 - 05:09 AM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Owner - 06-11-22 10:58:36.07 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Owner\My Documents\Downloads"

((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


2006-11-19 21:14 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-11-17 13:28 <DIR> d-------- C:\VundoFix Backups
2006-11-17 13:22 <DIR> d-------- C:\Program Files\Hijackthis
2006-11-16 23:32 93,696 --a------ C:\WINDOWS\system32\fodnrtb.dll
2006-11-16 23:32 71,680 --a------ C:\WINDOWS\system32\efggxn.dll
2006-11-16 23:32 59,392 --a------ C:\WINDOWS\system32\drvhih.dll
2006-11-16 23:31 40,973 ---hs---- C:\WINDOWS\system32\khfgeda.dll
2006-11-16 21:47 71,168 --a------ C:\WINDOWS\system32\oipxwab.dll
2006-11-16 21:44 40,973 ---hs---- C:\WINDOWS\system32\nnnmjhf.dll
2006-11-16 20:44 126,996 --a------ C:\WINDOWS\system32\lvyqvjfs.dll
2006-11-16 20:44 110,612 --a------ C:\WINDOWS\system32\cnretnbv.exe
2006-11-16 20:32 93,696 --a------ C:\WINDOWS\system32\jtrbqmd.dll
2006-11-16 20:32 59,392 --a------ C:\WINDOWS\system32\drvcuz.dll
2006-11-16 20:32 40,973 ---hs---- C:\WINDOWS\system32\ljjgghf.dll
2006-11-16 13:10 <DIR> d-------- C:\Program Files\Streamload
2006-11-16 11:40 93,696 --a------ C:\WINDOWS\system32\acvqsyb.dll
2006-11-16 11:40 71,680 --a------ C:\WINDOWS\system32\kmcribj.dll
2006-11-16 11:39 40,973 ---hs---- C:\WINDOWS\system32\rqrppnm.dll
2006-11-16 11:39 101 --a------ C:\WINDOWS\system32\mit.bat
2006-11-16 11:36 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-11-16 11:36 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-11-16 11:36 <DIR> d-------- C:\Program Files\Spyware Doctor
2006-11-16 11:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2006-11-16 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-11-15 23:10 <DIR> d-------- C:\Program Files\Grisoft
2006-11-15 22:21 617,489 --ahs---- C:\WINDOWS\system32\acbeg.bak1
2006-11-15 22:21 110,612 --a------ C:\WINDOWS\system32\cspyqjwr.exe
2006-11-15 22:16 71,680 --a------ C:\WINDOWS\system32\bblwuwh.dll
2006-11-15 22:15 93,696 --a------ C:\WINDOWS\system32\pbldmhl.dll
2006-11-15 22:15 59,392 --a------ C:\WINDOWS\system32\drvjaf.dll
2006-11-15 22:15 40,973 ---hs---- C:\WINDOWS\system32\mljhfda.dll
2006-11-14 11:17 72,192 --a------ C:\WINDOWS\system32\taskkill.exe
2006-11-14 11:17 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2006-11-14 11:17 <DIR> d-------- C:\Program Files\Gizmoz Talking Headz
2006-11-07 11:42 <DIR> d-------- C:\Program Files\Line Rider
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 11:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-01 20:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2006-11-01 20:01 <DIR> d-------- C:\Program Files\Yahoo!
2006-10-30 11:15 <DIR> d-------- C:\Program Files\Betfair
2006-10-29 17:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-10-28 13:26 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-28 12:22 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-28 12:07 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-10-27 22:10 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
2006-10-27 22:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2006-10-27 22:02 <DIR> d-------- C:\Program Files\btbb_wcm
2006-10-27 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-10-27 21:58 <DIR> d-------- C:\Program Files\Motive
2006-10-27 21:58 <DIR> d-------- C:\Program Files\BT Home Hub


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-22 10:54 -------- d-------- C:\Program Files\Common Files
2006-11-22 10:48 -------- d-------- C:\Documents and Settings\Owner\Application Data\Skype
2006-11-22 10:43 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-11-22 10:06 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-21 22:43 -------- d-------- C:\Program Files\WinZip
2006-11-21 22:43 -------- d-------- C:\Program Files\WinRAR
2006-11-21 22:43 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-11-21 22:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-21 22:35 -------- d-------- C:\Program Files\Internet Explorer
2006-11-21 22:31 -------- d-------- C:\Program Files\Common Files\System
2006-11-21 22:31 -------- d-------- C:\Program Files\Common Files\Motive
2006-11-21 19:49 -------- d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2006-11-20 21:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-11-20 20:00 -------- d-------- C:\Program Files\Azureus
2006-11-19 19:17 -------- d-------- C:\Program Files\DYMO Label
2006-11-16 09:55 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-11-16 00:23 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-15 13:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-11-13 20:50 -------- d-------- C:\Program Files\Skype
2006-11-03 10:34 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-01 20:02 -------- d-------- C:\Program Files\PokerRoom.com
2006-11-01 20:02 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-21 22:46 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-10-21 12:02 2275840 --a------ C:\WINDOWS\system32\TUKernel.exe
2006-10-21 09:49 -------- d-------- C:\Program Files\Google
2006-10-20 16:22 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-20 16:22 249856 --------- C:\WINDOWS\Setup1.exe
2006-10-20 09:58 -------- d-------- C:\Program Files\OfficeUpdate11
2006-10-19 09:23 -------- d-------- C:\Program Files\Adobe
2006-10-17 12:33 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --a------ C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --a------ C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-12 12:01 -------- d-------- C:\Program Files\Sony Ericsson
2006-10-12 12:01 -------- d-------- C:\Program Files\Common Files\Teleca Shared
2006-10-12 12:00 146 --a------ C:\WINDOWS\DelMR.bat
2006-10-08 10:38 -------- d-------- C:\Documents and Settings\Owner\Application Data\Teleca
2006-10-07 23:49 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-07 23:06 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sony Ericsson
2006-10-07 23:05 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-05 19:26 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-10-01 13:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\Avant Profiles
2006-10-01 13:16 -------- d-------- C:\Documents and Settings\Owner\Application Data\Avant Browser
2006-09-29 21:59 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-09-29 21:59 -------- d-------- C:\Program Files\Real
2006-09-29 21:59 -------- d-------- C:\Program Files\Common Files\Real
2006-09-29 13:00 -------- d--h----- C:\Program Files\Zero G Registry
2006-09-26 10:38 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-25 13:07 184320 --a------ C:\PlayerHost.dll
2006-09-22 21:21 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 22:38 75776 --a------ C:\WINDOWS\zllsputility.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoUserNameInStartMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Creative WebCam Tray"="\"C:\\Program Files\\Creative\\Shared Files\\CamTray.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"eyeBeam SIP Client"="\"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvcuz.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
"backup"="C:\\WINDOWS\\pss\\BT Broadband Desktop Help.lnkCommon Startup"
"location"="Common Startup"
"item"="BT Broadband Desktop Help"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 06-11-22 11:01:18.60
C:\ComboFix.txt ... 06-11-22 11:01
C:\ComboFix2.txt ... 06-11-22 10:56




-----------------------------------------------------------
-----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:08:46, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7E436D-9AF6-5933-E340-006C7BB0479B} - C:\WINDOWS\system32\kmcribj.dll
O2 - BHO: (no name) - {1222EBBE-B963-8FE7-3ADA-09F66DABB82A} - C:\WINDOWS\system32\oipxwab.dll
O2 - BHO: (no name) - {2261499D-7D10-C00E-3AA6-0B3A64A8DE01} - C:\WINDOWS\system32\efggxn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {658C8155-DC7E-58A2-12E3-08384264A2B5} - C:\WINDOWS\system32\bblwuwh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142265253500
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
jesushairdo
Posted 22 November 2006 - 08:07 AM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:32:08 22/11/2006

+ Scan result:

C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP277\A0063169.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP277\A0063170.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP283\A0063486.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP283\A0063487.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP287\A0063536.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP287\A0063537.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP287\A0063540.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP288\A0063602.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP288\A0063603.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP288\A0063605.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP288\A0063606.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP290\A0063645.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP290\A0063647.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP293\A0064636.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP293\A0064637.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\khfgeda.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ljjgghf.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljhfda.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nnnmjhf.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rqrppnm.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP277\A0063171.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvcuz.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvhih.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvjaf.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{AE6A27C7-E53A-4E4A-B149-02EC7E5C41BB}\RP290\A0063660.dll -> Trojan.Agent.neq : Cleaned with backup (quarantined).
C:\VundoFix Backups\winexy32.dll.bad -> Trojan.Agent.neq : Cleaned with backup (quarantined).


::Report end
================================================

Logfile of HijackThis v1.99.1
Scan saved at 14:03:58, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A7E436D-9AF6-5933-E340-006C7BB0479B} - C:\WINDOWS\system32\kmcribj.dll
O2 - BHO: (no name) - {1222EBBE-B963-8FE7-3ADA-09F66DABB82A} - C:\WINDOWS\system32\oipxwab.dll
O2 - BHO: (no name) - {2261499D-7D10-C00E-3AA6-0B3A64A8DE01} - C:\WINDOWS\system32\efggxn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {658C8155-DC7E-58A2-12E3-08384264A2B5} - C:\WINDOWS\system32\bblwuwh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142265253500
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#7
MFDnSC
Posted 22 November 2006 - 08:50 AM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {0A7E436D-9AF6-5933-E340-006C7BB0479B} - C:\WINDOWS\system32\kmcribj.dll

O2 - BHO: (no name) - {1222EBBE-B963-8FE7-3ADA-09F66DABB82A} - C:\WINDOWS\system32\oipxwab.dll

O2 - BHO: (no name) - {2261499D-7D10-C00E-3AA6-0B3A64A8DE01} - C:\WINDOWS\system32\efggxn.dll

O2 - BHO: (no name) - {658C8155-DC7E-58A2-12E3-08384264A2B5} - C:\WINDOWS\system32\bblwuwh.dll

DownLoad http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\kmcribj.dll
C:\WINDOWS\system32\oipxwab.dll
C:\WINDOWS\system32\efggxn.dll
C:\WINDOWS\system32\bblwuwh.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
  • 0

#8
jesushairdo
Posted 22 November 2006 - 09:44 AM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks Killbox managed to delete all below, & all was deleted from the temp folder.

C:\WINDOWS\system32\kmcribj.dll
C:\WINDOWS\system32\oipxwab.dll
C:\WINDOWS\system32\efggxn.dll
C:\WINDOWS\system32\bblwuwh.dll

All seems to be running fine, many thanks.
  • 0

#9
MFDnSC
Posted 22 November 2006 - 09:51 AM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Clean Posted Image

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam
  • 0

#10
jesushairdo
Posted 22 November 2006 - 01:37 PM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
:) :rofl: :rofl: Thank you - one clean laptop. :whistling: :blink: :help:
  • 0

#11
jesushairdo
Posted 23 November 2006 - 09:56 AM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
After exstensive scans, panda activescan is still picking up spyware/malware trojan problems.
Below is my Panda Activescan log & the hijackthis log. can someone please help me remove the problems please. kind regards robert.

Panda scan

Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Possible Virus. Not disinfected C:\VundoFix Backups\pmnlm.dll.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\cnretnbv.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\cspyqjwr.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lvyqvjfs.dll

===================================

Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 15:22:26, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142265253500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#12
MFDnSC
Posted 23 November 2006 - 12:44 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\VundoFix Backups\pmnlm.dll.bad
C:\WINDOWS\system32\cnretnbv.exe
C:\WINDOWS\system32\cspyqjwr.exe
C:\WINDOWS\system32\lvyqvjfs.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.
  • 0

#13
jesushairdo
Posted 23 November 2006 - 01:57 PM

jesushairdo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
thankyou.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP