Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

need help with trojan horse viruses PLEASE! [RESOLVED]

Started by jrp5454 , Feb 12 2008 07:23 PM

  • This topic is locked This topic is locked

#1
jrp5454
Posted 12 February 2008 - 07:23 PM

jrp5454

    Member

  • Member
  • PipPip
  • 10 posts
I was running norton anti-virus corporate edition. I believe the program went down and with a younger brother in my house and no virus protection it didnt take long before my system was infected. At first I was getting, what looked to be, windows warnings telling me that I had adult content on my computer and it wanted me to run a certain program. I ran spybot S&D with plenty of results. I also downloaded AVG and did a scan. AVG found 2 Trojan horse Generic6.VAQ, 1 Trojan Horse Downloader.agent.14.AO, and 8 Virus found LOP within my system 32 files. I put all the viruses into the virus vault. My computer is functioning a little better at this point, but on start up I get a run DLL error saying system32 bnhbfkne.dll, the specified module could not be found. I also ran spybot again today which found 11 files with virtumonde, 3 with adwarealert, 1 with yazzle, and 1 with win32.small.azl. Please help me if you can!!!
  • 0

Advertisements

#2
kahdah
Posted 12 February 2008 - 07:40 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello jrp5454

Welcome to G2Go. :)
================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
jrp5454
Posted 12 February 2008 - 07:47 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:11 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {5850856f-891f-4b79-b984-cd4e14b4918b} - {b8194b41-e4dc-489b-97b4-f198f6580585} - C:\WINDOWS\system32\asrpqkty.dll (file missing)
O2 - BHO: (no name) - {D66E9561-FA81-42E4-B556-E29C2160A787} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [f839f74b] rundll32.exe "C:\WINDOWS\system32\bnhbfkne.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5860 bytes
  • 0

#4
kahdah
Posted 12 February 2008 - 07:52 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You have a few nasties to get rid of. :)
Let's start.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
jrp5454
Posted 12 February 2008 - 08:07 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix 08-02-13.2 - Jon 2008-02-12 20:56:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.492 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jon\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Jon\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Jon\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\system32\ckxxgobw.ini
C:\WINDOWS\system32\cxyrdmjm.ini
C:\WINDOWS\system32\dixrcfor.ini
C:\WINDOWS\system32\enkfbhnb.ini
C:\WINDOWS\system32\ffkoeclp.ini
C:\WINDOWS\system32\gsvfhyek.ini
C:\WINDOWS\system32\jovkvwmb.ini
C:\WINDOWS\system32\lanxjlbv.ini
C:\WINDOWS\system32\oxbcitdn.ini
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\tpoukwlc.ini
C:\WINDOWS\system32\yecedjoa.ini
C:\WINDOWS\system32\ymbntsfb.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 20:45 . 2008-02-12 20:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 14:14 . 2008-02-11 14:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-11 14:14 . 2008-02-12 13:33 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\AVG7
2008-02-11 14:14 . 2008-02-11 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 14:14 . 2008-02-12 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-11 13:13 . 2008-02-11 13:46 485 --a------ C:\WINDOWS\wininit.ini
2008-02-11 12:48 . 2008-02-11 12:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 12:48 . 2008-02-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 16:04 . 2008-01-31 16:04 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 21:31 --------- d-----w C:\Program Files\Duplicate File Remover
2008-02-11 19:02 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
2008-02-11 18:59 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-11 18:54 --------- d-----w C:\Program Files\Symantec
2008-02-11 18:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-07 02:51 --------- d-----w C:\Documents and Settings\Jon\Application Data\U3
2008-02-03 11:05 --------- d-----w C:\Program Files\PowerISO
2008-01-31 21:04 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-01-20 21:30 --------- d-----w C:\Documents and Settings\Jon\Application Data\LimeWire
2008-01-05 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-22 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-16 16:06 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2007-12-14 21:08 --------- d-----w C:\Program Files\LimeWire
2007-12-04 01:50 20,688 ----a-w C:\Documents and Settings\danielle\Application Data\GDIPFONTCACHEV1.DAT
2007-12-01 20:29 20,688 ----a-w C:\Documents and Settings\Jon\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8194b41-e4dc-489b-97b4-f198f6580585}]
C:\WINDOWS\system32\asrpqkty.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D66E9561-FA81-42E4-B556-E29C2160A787}]
C:\WINDOWS\system32\ssqrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]
"QdrPack12"="C:\Program Files\QdrPack\QdrPack12.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 03:04 59392]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [ ]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [ ]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [ ]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [ ]
"f839f74b"="C:\WINDOWS\system32\bnhbfkne.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 14:19 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 14:14 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-09-04 16:41:05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe [2007-03-15 13:48]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 20:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-02-12 21:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 02:00:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:33 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {5850856f-891f-4b79-b984-cd4e14b4918b} - {b8194b41-e4dc-489b-97b4-f198f6580585} - C:\WINDOWS\system32\asrpqkty.dll (file missing)
O2 - BHO: (no name) - {D66E9561-FA81-42E4-B556-E29C2160A787} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [f839f74b] rundll32.exe "C:\WINDOWS\system32\bnhbfkne.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5836 bytes
  • 0

#6
jrp5454
Posted 12 February 2008 - 08:09 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Should I be worried about th system32bnhbfkne.dll I have in avg virus vault? Every time my computer restarts i get an error sayind that file is missing
  • 0

#7
kahdah
Posted 12 February 2008 - 08:15 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Go ahead and empty your Virus vault.
We will take care of that error now with the following:
=============================================================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: {5850856f-891f-4b79-b984-cd4e14b4918b} - {b8194b41-e4dc-489b-97b4-f198f6580585} - C:\WINDOWS\system32\asrpqkty.dll (file missing)
O2 - BHO: (no name) - {D66E9561-FA81-42E4-B556-E29C2160A787} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O4 - HKLM\..\Run: [f839f74b] rundll32.exe "C:\WINDOWS\system32\bnhbfkne.dll",b
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"


Now click on Fix Checked and then close Hijackthis.
=====================================================
After that Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report and a new Hijackthis log as well

  • 0

#8
jrp5454
Posted 12 February 2008 - 08:58 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Still scanning, but during my scan AVG notified me of 17 Virus found LOPs. Located in C:\system volume information\restore a registry number and then A0023568.dll
  • 0

#9
kahdah
Posted 12 February 2008 - 09:02 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Those are no threat anymore as they are system restore points that are infected and we will clean them before we are finished.
  • 0

#10
jrp5454
Posted 12 February 2008 - 09:03 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-02-12 22:00:28
PROTECTIONS: 1
MALWARE: 34
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.516 7.5.516 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.tribalfusion.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.revenue.net/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.com.com/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.club.cdfreaks.com/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.club.cdfreaks.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.perf.overture.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\[email protected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[www.burstbeacon.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.cdfreaks.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Cookies\jon@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.ads.pointroll.com/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.fortunecity.com/]
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.fortunecity.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.questionmarket.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\danielle\Application Data\Mozilla\Firefox\Profiles\slof595y.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[searchportal.information.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.atwola.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP112\A0035052.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP112\A0035078.EXE
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\Cache\6D952C06d01[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\Cache\6D952C06d01[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Jon\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP112\A0035102.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Jon\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\txret6pg.default\cookies.txt[.advancedcleaner.com/]
02891362 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP108\A0034693.exe
02897803 Trj/Downloader.SJM Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP101\A0032545.exe
02899369 Adware/Popadd Adware No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP102\A0032557.exe
02899864 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP106\A0034614.dll
02899864 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP110\A0034958.dll
02900049 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP106\A0034653.dll
02900049 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP108\A0034682.dll
02900270 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP110\A0034961.dll
02900270 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP110\A0034956.dll
02900300 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir
02900300 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP112\A0035053.exe
02900302 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{C5FBA1CA-CE6A-429D-849F-C83AB23264E2}\RP108\A0034678.dll
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:38 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5357 bytes
  • 0

Advertisements

#11
kahdah
Posted 12 February 2008 - 09:07 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Clean your Cache and Cookies in Firefox :
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
  • Alternatively, you can clear all information stored while browsing by clicking Clear All.
  • A confirmation dialog box will be shown before clearing the information.
=========================================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

    The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
=====================================
After that Your log is clean.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#12
jrp5454
Posted 12 February 2008 - 09:18 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I typed in ComboFix/ U in the run box and it popped up real quick and said bombo fix deleted. Im not familiar with the other things I need to delete. Sorry Im not very computer literate!
  • 0

#13
kahdah
Posted 12 February 2008 - 09:23 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Sorry but I have that in all of my combofix uninstall specches it basically means that if I had you use any other tools to clean up with,
But we didn't need to this time.

Uninstalling Combofix deletes infected system restore points and removes the infections it has in it's quarantine folder.

So you are good to go. :)
  • 0

#14
jrp5454
Posted 12 February 2008 - 09:56 PM

jrp5454

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank You very much for all your help!! I relly appreciate it! Sorry for starting a new thread I thought you logged off or something this is the first time I have ever used a forum like this. Thanks again!
  • 0

#15
kahdah
Posted 12 February 2008 - 10:02 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No problem and You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP