NTService32,kazaln21

#1 Steven7 (New Member, 3 posts)
I'm infected with some malware and I hope I can get some advice here. Thank you. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:19 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\WINDOWS\system32\IESHEL~1.DLL (file missing)
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [Desktop] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Run
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [kazaln21] %systemroot%\system32\Rundll32.exe %systemroot%\system32\kazaln21.dll,DllUnregisterServer
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ▲酘艘奀惆◎婓盄督昢 - C:\Program Files\Common Files\yygamenet\left.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows NT Service32 - Unknown owner - C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Start (file missing)

Edited by Steven7, 12 January 2007 - 03:36 AM.

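The entries the helpers act on in this thread are the O4 Run lines that launch rundll32.exe with a DLL and a generic export, the O23 service doing the same, and the "(file missing)" leftovers. The script below is an added example (not code from this thread or from HijackThis) that parses those line shapes and ranks them with a few assumed heuristics; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O2/O4/O23 entries copied from the HijackThis log in post #1,
# with benign entries from the same log so the triage has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\WINDOWS\system32\IESHEL~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Desktop] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Run
O4 - HKLM\..\Run: [kazaln21] %systemroot%\system32\Rundll32.exe %systemroot%\system32\kazaln21.dll,DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows NT Service32 - Unknown owner - C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Start (file missing)
"""

# Line shapes of the three HijackThis sections this thread turns on.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")
# rundll32 <dll>,<export>, with or without quotes around either path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)

# Assumed heuristic: exports that say nothing about what the DLL does.
GENERIC_EXPORTS = {"run", "start", "dllunregisterserver", "dllregisterserver"}


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per O2/O4/O23 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        section = line.split(" ", 1)[0]
        f = Finding(section, m.group("name"), m.group("target"))
        # HijackThis prints the marker itself. A stale entry is something to
        # clean up, not proof of infection: the AVP service above carries it
        # although avp.exe is visibly running in the process list.
        if "(file missing)" in f.target:
            f.reasons.append("file-missing")
        rd = RUNDLL_RE.search(f.target)
        if rd and rd.group("export").lower() in GENERIC_EXPORTS:
            f.reasons.append(f"rundll32-loads {rd.group('dll')} via {rd.group('export')}")
        if section == "O23" and m.group("owner") == "Unknown owner":
            f.reasons.append("unknown-owner")
        if f.reasons:
            findings.append(f)
    return findings


def by_name(findings: list) -> dict:
    """Index findings by entry name for quick lookup."""
    return {f.name: f for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] -> {', '.join(f.reasons)}")
```

The heuristics only rank entries for a human to confirm; the AVP service is flagged on two of them and is still legitimate, which is why the helpers never fix an entry on a log line alone.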


#2 kahdah (GeekU Teacher, Retired Staff)
Hello Steven7

Welcome to G2Go. :whistling:
My name is Kahdah and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

I will be back with you as soon as possible.

#3 kahdah (GeekU Teacher, Retired Staff)
Hello Steven7

1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also I will need you to provide me with an uninstall list using Hjt.
To do this:
*Open HijackThis
*click Config
*click Misc Tools
*Click "Open Uninstall Manager"
*Click "Save List" (generates uninstall_list.txt)
*Click Save

Post these results in your next post.
*Combofix log
*Uninstall list
*new Hjt log.


#4 Steven7 (Topic Starter, New Member, 3 posts)
Thanks for your reply, here are the things you need:

"Lee" - 07-01-13 16:29:19 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\user\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\eeeeee.ini
C:\WINDOWS\system32\eeeeee1.ini
C:\WINDOWS\system32\xunleibho_v8.dll
C:\Documents and Settings\All Users\Templates\temp.exe
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\drivers\msprotect.sys
C:\WINDOWS\system32\drivers\restore.ini
C:\WINDOWS\system32\Score.txt
C:\WINDOWS\system32\wbem\ocmor.dll
C:\Program Files\Common Files\CPush
C:\WINDOWS\TEMP\Cache
C:\WINDOWS\system32\wbem\qycml.dll
C:\\WINDOWS\system32\drivers\mbhewx31.sys
C:\WINDOWS\system32\CharSet.dll
C:\WINDOWS\system32\CreateDomTree.dll
C:\WINDOWS\system32\NTService32.dll
C:\WINDOWS\system32\WebPageParser.dll
C:\WINDOWS\Downloaded Program Files\960130


((((((((((((((((((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 ))))))))))))))))))))))))))))))))))


2007-01-13 16:32 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-13 00:55 <DIR> d-------- C:\Program Files\QuickTime
2007-01-12 17:27 <DIR> d-------- C:\Program Files\HiJackThis
2007-01-12 17:08 <DIR> d-------- C:\Program Files\AOL Security Toolbar
2007-01-12 17:07 <DIR> d-------- C:\Program Files\AOL
2007-01-12 17:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL
2007-01-11 14:53 1,308 --a------ C:\WINDOWS\system32\svupoq.exe
2007-01-09 00:27 307,200 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-01-09 00:27 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-01-08 01:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-01-08 01:35 <DIR> d-------- C:\Program Files\Real
2007-01-08 01:25 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-01-08 01:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-01-08 01:25 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2007-01-08 01:25 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-01-08 01:25 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-01-08 01:25 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2007-01-08 01:25 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-01-08 00:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-01-07 20:15 <DIR> d-------- C:\Program Files\Easy Video Splitter
2007-01-06 22:10 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-01-06 18:02 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-01-06 18:02 90,112 --a------ C:\WINDOWS\system32\ALOAudioFormatSettings3.dll
2007-01-06 18:02 877,568 --a------ C:\WINDOWS\system32\ALOAudioFile2.dll
2007-01-06 18:02 780,288 --a------ C:\WINDOWS\system32\ALOVideoCompress.dll
2007-01-06 18:02 778,240 --a------ C:\WINDOWS\system32\ALOAudioCompress2.dll
2007-01-06 18:02 495,104 --a------ C:\WINDOWS\system32\ALOVideoCoreM.dll
2007-01-06 18:02 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-01-06 18:02 403,968 --a------ C:\WINDOWS\system32\ALOWMAFile2.dll
2007-01-06 18:02 382,464 --a------ C:\WINDOWS\system32\ALOAVIFile.dll
2007-01-06 18:02 249,856 --a------ C:\WINDOWS\system32\ALOQuickTimeFile.dll
2007-01-06 18:02 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-01-06 18:02 215,552 --a------ C:\WINDOWS\system32\ALOWMVFile.dll
2007-01-06 18:02 2,846,720 --a------ C:\WINDOWS\system32\ALOAudioCompress3.dll
2007-01-06 18:02 188,416 --a------ C:\WINDOWS\system32\ALOVideoFile.dll
2007-01-06 18:02 1,245,184 --a------ C:\WINDOWS\system32\bkll.dll
2007-01-06 18:02 1 --a------ C:\WINDOWS\yedlata.dll
2007-01-06 18:02 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-01-06 16:37 <DIR> d-------- C:\DOCUME~1\user\Application Data\vlc
2007-01-06 16:27 <DIR> d-------- C:\Program Files\VideoLAN
2007-01-05 20:29 <DIR> d-------- C:\Program Files\eMule
2007-01-02 11:54 <DIR> d-------- C:\tbtx
2007-01-01 21:37 <DIR> d-------- C:\DOCUME~1\user\Application Data\Adobe
2006-12-31 14:24 <DIR> d-------- C:\Program Files\怢
2006-12-30 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Sandlot Games
2006-12-25 21:23 <DIR> d-------- C:\DOCUME~1\user\Application Data\wsInspector
2006-12-25 21:20 <DIR> d-------- C:\WINDOWS\pss
2006-12-25 21:13 <DIR> d-------- C:\DOCUME~1\user\Application Data\MetaProducts
2006-12-22 17:26 3,120 --a------ C:\WINDOWS\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-13 16:35 -------- d-------- C:\Documents and Settings\user\Application Data\utorrent
2007-01-13 16:15 -------- d-------- C:\Program Files\mozilla firefox
2007-01-12 16:50 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-11 19:19 -------- d-------- C:\Documents and Settings\user\Application Data\avg7
2007-01-08 01:35 -------- d-------- C:\Program Files\Common Files\real
2007-01-07 19:46 -------- d--h----- C:\Program Files\installshield installation information
2007-01-06 16:37 -------- d-------- C:\Documents and Settings\user\Application Data\vlc
2007-01-06 16:12 -------- d-------- C:\Documents and Settings\user\Application Data\bsplayer pro
2007-01-06 10:15 -------- d-------- C:\Program Files\opera
2007-01-01 21:37 -------- d-------- C:\Documents and Settings\user\Application Data\adobe
2006-12-30 11:36 -------- d-------- C:\Program Files\giganology
2006-12-27 15:17 5120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-12-25 21:23 -------- d-------- C:\Documents and Settings\user\Application Data\wsinspector
2006-12-25 21:13 -------- d-------- C:\Documents and Settings\user\Application Data\metaproducts
2006-12-04 08:57 28160 --a------ C:\WINDOWS\qmdispatch.dll
2006-12-04 08:57 15872 --a------ C:\WINDOWS\system32\znihf.dll
2006-11-24 20:30 4 --a------ C:\WINDOWS\system32\mszspd.dll
2006-11-24 20:28 208384 --a------ C:\WINDOWS\system32\msacedrag.dll
2006-11-24 14:22 -------- d-------- C:\Program Files\Common Files\installshield
2006-11-24 10:28 -------- d-------- C:\Program Files\tuneup utilities 2006
2006-11-24 10:27 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2006-11-23 14:05 -------- d-------- C:\Documents and Settings\user\Application Data\help
2006-11-23 13:55 -------- d---s---- C:\Documents and Settings\user\Application Data\microsoft
2006-11-19 12:35 40960 --a------ C:\WINDOWS\system32\letvebtks.exe
2006-11-19 12:35 20480 --a------ C:\WINDOWS\system32\letvebtkp.dll
2006-11-17 21:47 -------- d-------- C:\Program Files\adsl usb modem
2006-11-15 22:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-07 08:08 558592 --a------ C:\WINDOWS\system32\x264vfw.dll
2006-11-01 14:54 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-11-01 14:52 765952 --a------ C:\WINDOWS\system32\xvidcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"VTPreset"="VTPreset.exe"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"mswdnm"="C:\\WINDOWS\\system32\\mswdnm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_WINDOWS_NT_SERVICE32

Completion time: 07-01-13 16:37:22

Uninstall List
a÷±eaZ?C
ACDSee 5.0 Standard
Active Virus Shield
Ad-Aware SE Professional
Adobe Reader 7.0.7
Adobe Shockwave Player
ADSL USB Modem Network Adapter
AOL Security Toolbar
Ashampoo WinOptimizer Platinum 3
BSPlayer
Cacheman 5.50
Chinese Star XP
Diskeeper Professional Premier Edition
Easy Video Splitter 1.28
eMule VeryCD°a
Free Mp3 Wma Converter V 1.5.1
Gigaget
Google Earth
Grand Theft Auto Vice City
Hamachi 1.0.0.61
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 6
JYOnline_TW
K-Lite Mega Codec Pack 1.63
Lavasoft Reghance 2.1
LimeWire PRO 4.12.3
MapleStory
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.9)
MSN Messenger 7.5
O2Jam (e-Games) v.3.50
Opera 9.01
PowerISO
ProSavageDDR and Utilities
QuickTime
RealPlayer
Realtek AC'97 Audio
S3Display
S3Gamma2
S3Info2
S3Overlay
Skype 2.5
Sony Sound Forge 8.0
Spybot - Search & Destroy 1.4
TuneUp Utilities 2006
Tweak-SE plug-in for Ad-Aware SE
Unlocker 1.8.1
VideoLAN VLC media player 0.8.6a
Win AVI HelixSDK
WinAVIVideoConverter
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
WinZip
Yahoo! Messenger
μTorrent


New Hjt Log
Logfile of HijackThis v1.99.1
Scan saved at 4:45:28 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\utorrent.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#5 kahdah (GeekU Teacher, Retired Staff)
Hello Steven7

I see you have uTorrent, Limewire and eMule installed.
These are likely the cause of malware being dropped into your computer.
See Here for details on P2P file sharing programs.
But these programs are optional for you if you choose to keep them.

We will remove these later if you choose to do so.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
*Save it to your desktop.

Also please download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".<<<****VERY IMPORTANT****
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

After that please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Please re-open HJT and hit Scan only.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll (file missing)

Now close HJT.

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select "Delete on Reboot", then click on the "All Files" button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\system32\svupoq.exe
C:\WINDOWS\yedlata.dll
C:\tbtx
C:\Program Files\??
C:\WINDOWS\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
C:\WINDOWS\qmdispatch.dll
C:\WINDOWS\system32\znihf.dll
C:\WINDOWS\system32\mszspd.dll
C:\WINDOWS\system32\msacedrag.dll
C:\WINDOWS\system32\letvebtks.exe
C:\WINDOWS\system32\letvebtkp.dll
C:\WINDOWS\system32\mswdnm.exe
C:\WINDOWS\system32\conime.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.
  • If your computer does not restart automatically, please restart it manually.

*Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.

Then please go to the Control Panel > Add/Remove Programs and remove the following:

Limewire Pro (at your option)
uTorrent (at your option)
eMule (at your option)
a÷±eaZ?C
Close Control Panel.

Using Windows Explorer (to get there right-click your Start button and go to "Explore")
Delete these folders:

C:\Program Files\Limewire Pro
C:\Program Files\uTorrent
C:\Program Files\eMule
C:\Program Files\a÷±eaZ?C

Now close Windows Explorer.

Now run ATF cleaner:
Double-click ATF-Cleaner.exe to run the program (it is on your Desktop).
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then run AVG Anti-Spyware.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


Please post back with these logs:
*New Hjt log
*AVG Anti-Spyware log.


And also tell me how things are running. :whistling:

Edited by kahdah, 13 January 2007 - 02:37 PM.


#6 OwNt (Malware Expert, Retired Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.