Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problems with multiple Malware programs

Started by Feanorfenwe , Apr 14 2008 04:10 PM

  • This topic is locked This topic is locked

#1
Feanorfenwe
Posted 14 April 2008 - 04:10 PM

Feanorfenwe

    Member

  • Member
  • PipPip
  • 19 posts
Basically, I have absolutely no clue how these got on my computer, but I seem to have a Smitfraud-C, SmitFraud-C.gp, Virtumonde, Virtumonde.dll, and Zlob.Downloader.vcd problem because those are what Spybot keeps removing.

Here is the Highjack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:19 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\ehidkrwd.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3062BF76-CBCD-4235-A1C7-469385944123} - F:\WINDOWS\system32\wvUOiJCt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DVA Storm - {53952518-97B4-4885-B7D6-3A274DB20792} - F:\WINDOWS\nslbvxpgagr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8B6DD113-13C6-4D05-9B31-625CB77537E4} - F:\WINDOWS\system32\byXRjhhg.dll (file missing)
O2 - BHO: (no name) - {8E07256F-CEA0-4F8C-B2A0-43C920BC97F1} - F:\WINDOWS\system32\awtsQhGW.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - F:\WINDOWS\system32\vtUmMdcy.dll
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - F:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MacDrive7.0.4TimeOutPatch] F:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [f459d105] rundll32.exe "F:\WINDOWS\system32\fsujgutf.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA4635] command /c del "F:\WINDOWS\system32\byXRjhhg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4696] cmd /c del "F:\WINDOWS\system32\byXRjhhg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5689] command /c del "F:\WINDOWS\system32\yplqqapp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8391] cmd /c del "F:\WINDOWS\system32\yplqqapp.dll_old"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dtpqcnry] F:\WINDOWS\system32\ehidkrwd.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2091] command /c del "F:\WINDOWS\system32\byXRjhhg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4423] cmd /c del "F:\WINDOWS\system32\byXRjhhg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8552] command /c del "F:\WINDOWS\system32\yplqqapp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4468] cmd /c del "F:\WINDOWS\system32\yplqqapp.dll_old"
O4 - HKLM\..\Policies\Explorer\Run: [th54ITjOIc] F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185412818126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185413417030
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtUmMdcy - F:\WINDOWS\SYSTEM32\vtUmMdcy.dll
O21 - SSODL: ogxtsepr - {93274C4C-4B33-4899-9165-6DFB623012CF} - F:\WINDOWS\ogxtsepr.dll
O21 - SSODL: dsktbwfe - {9737BD20-78A7-48F2-BDE4-11B2CFE9043A} - F:\WINDOWS\dsktbwfe.dll
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

--
End of file - 8590 bytes

and here is the unistall list

7-Zip 4.57
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
America's Army
AmpegSVX
AmpliTube2
Antares Auto-Tune v4.39
Antares AVOX Vocal Kit Bundle RTAS v1.02
Antares Tube v1.02 RTAS
Apple Mobile Device Support
ARP2600 V
AviSynth 2.5
BIOSTAR VGA Over Clock
Combined Community Codec Pack 2007-07-22
DC++ 0.699
Digidesign Audio Drivers 7.0
DigiDesign Focusrite D2 1.71.345
DigiDesign Focusrite D3 AudioSuite 1.51.345
Digidesign Pro Tools LE 7.1
Digidesign Shared Plug-Ins 7.0
DualCoreCenter
DVD Decrypter (Remove Only)
Finale NotePad 2007
FLAC 1.2.1b (remove only)
Free Bomb Factory Plug-Ins 7.0
Game Creators Dark GDK
Guitar Pro 5.2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
InterLok Driver Kit
InterLok Driver Kit
iTunes
Java™ 6 Update 2
LightScribe Applications
Matroska Pack - Lazy Man's MKV 1.0.1-alpha6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 SDK - ENU
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Age of Empires Gold
Microsoft AppLocale
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C++ 2008 Express Edition - ENU
Microsoft Visual C++ 2008 Express Edition - ENU
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Windows Application Compatibility Database
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft XNA Framework Redistributable 1.0 Refresh
Microsoft XNA Game Studio Express 1.0 Refresh
Midisport 4x4 1.0.1.0
Mozilla Firefox (2.0.0.13)
MSI Live Update 3
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Native Instruments Kontakt 2
Nero 8
Nero PhotoShow Express
Norton PartitionMagic 8.0
NVIDIA Drivers
NVIDIA nTune
ObjectDock
Power Tab Editor 1.7
PunkBuster Services
QuickTime
RarZilla Free Unrar 2.00
Realtek High Definition Audio Driver
Reason 3.0.4
ReCycle 2.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sibelius 5
Sibelius Sounds Essentials
Skype™ 3.6
Sony Inflator RTAS v1.0
SopCast 2.0.4
Spybot - Search & Destroy
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Star Wars Galaxies: 14-Day Trial
TVUPlayer 2.3.0.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6d
Videora iPod Converter 3.05
Waves Diamond Bundle 4.05
Waves Diamond Bundle v5.2
Waves L3 v5.2
Waves Musicians Bundle v5.0
Waves Renaissance Collection 2 3.5
Waves SSL Collection v1.2
Waves Transform Bundle v5.0
Waves Vocal Bundle v1.1
Winamp (remove only)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Xfire (remove only)
Xpand!

Thanks
  • 0

Advertisements

#2
miekiemoes
Posted 15 April 2008 - 12:24 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
  • 0

#3
Feanorfenwe
Posted 15 April 2008 - 02:36 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here you go



Avira AntiVir Personal
Report file date: Tuesday, April 15, 2008 15:43

Scanning for 1202665 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JUSTINS

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.3.156 795136 Bytes 4/11/2008 19:41:24
ANTIVIR3.VDF : 7.0.3.170 123904 Bytes 4/15/2008 19:41:30
Engineversion : 8.1.0.30
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.23 233851 Bytes 4/15/2008 19:42:16
AESCN.DLL : 8.1.0.13 115061 Bytes 4/15/2008 19:42:12
AERDL.DLL : 8.1.0.19 418164 Bytes 4/7/2008 21:34:44
AEPACK.DLL : 8.1.1.1 364918 Bytes 4/15/2008 19:42:08
AEOFFICE.DLL : 8.1.0.17 192891 Bytes 4/15/2008 19:42:00
AEHEUR.DLL : 8.1.0.18 1167735 Bytes 4/15/2008 19:41:56
AEHELP.DLL : 8.1.0.12 115063 Bytes 4/15/2008 19:41:37
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/7/2008 21:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/7/2008 21:34:43
AECORE.DLL : 8.1.0.26 168311 Bytes 4/15/2008 19:41:34
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: f:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:, F:, G:, H:, I:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, April 15, 2008 15:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'sqlbrowser.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'MMERefresh.exe' - '1' Module(s) have been scanned
Scan process 'ehidkrwd.exe' - '1' Module(s) have been scanned
Module is infected -> 'F:\WINDOWS\system32\ehidkrwd.exe'
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
Scan process 'dszynuri.exe' - '1' Module(s) have been scanned
Module is infected -> 'F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe'
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'ehidkrwd.exe' has been terminated
Process 'dszynuri.exe' has been terminated
F:\WINDOWS\system32\ehidkrwd.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!

40 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!
Boot sector 'I:\'
[INFO] No virus was found!

Starting to scan the registry.
F:\WINDOWS\system32\vtUmMdcy.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!

The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
D:\pagefile.sys
[WARNING] The file could not be opened!
D:\47262cb29dd4daf3b6b9af65cdb8fee0\update\update.exe
[WARNING] The file could not be opened!
D:\6664db0bee2401874ff02c7b46edd8\update\update.exe
[WARNING] The file could not be opened!
Begin scan in 'E:\'
E:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\'
F:\pagefile.sys
[WARNING] The file could not be opened!
F:\Documents and Settings\Justin\Local Settings\Temp\explorer32.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\A8REJDA1\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\SC3BHCVO\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\SC3BHCVO\css4[2]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\SC3BHCVO\css4[3]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\SC3BHCVO\kriv[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\UD5J2953\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\UD5J2953\kriv[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\UD5J2953\zrt20080408[1]
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\ZXWDG4AK\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP335\A0115592.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.iue.1
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP335\A0115688.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP335\A0115689.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP336\A0116816.exe
[DETECTION] Is the Trojan horse TR/Hijacker.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP336\A0116817.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48360bb5.qua'!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP337\A0116906.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP337\A0116908.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP337\A0116909.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\System Volume Information\_restore{3A248B21-6E94-44AA-A1C9-9CD5CC918CF1}\RP337\A0116910.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[NOTE] The file was deleted!
F:\WINDOWS\system32\elubkned.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\gohclrec.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\WINDOWS\system32\hwpnbikr.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\WINDOWS\system32\ijareuhk.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\WINDOWS\system32\ixmzinyt.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\jkkLEWnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\lujmnova.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\mzezktiv.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\pfaspjgy.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\WINDOWS\system32\pmnMcCVO.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\pyeesath.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
F:\WINDOWS\system32\slgncrcd.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
F:\WINDOWS\system32\udjeenfm.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\vtUmMdcy.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] The file could not be deleted!
F:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'G:\'
G:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'H:\'
H:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'I:\'
I:\pagefile.sys
[WARNING] The file could not be opened!


End of the scan: Tuesday, April 15, 2008 16:19
Used time: 36:17 min

The scan has been done completely.

12153 Scanning directories
297354 Files were scanned
54 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
31 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
10 Files cannot be scanned
297300 Files not concerned
3561 Archives were scanned
31 Warnings
32 Notes


Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:14 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
f:\program files\avira\antivir personaledition classic\avcenter.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\notepad.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - F:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MacDrive7.0.4TimeOutPatch] F:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [f459d105] rundll32.exe "F:\WINDOWS\system32\fsujgutf.dll",b
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dtpqcnry] F:\WINDOWS\system32\ehidkrwd.exe
O4 - HKCU\..\Run: [iidwibdc] F:\WINDOWS\system32\ixmzinyt.exe
O4 - HKCU\..\Run: [iluzbhfq] F:\WINDOWS\system32\mzezktiv.exe
O4 - HKLM\..\Policies\Explorer\Run: [th54ITjOIc] F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185412818126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185413417030
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ogxtsepr - {93274C4C-4B33-4899-9165-6DFB623012CF} - F:\WINDOWS\ogxtsepr.dll
O21 - SSODL: dsktbwfe - {9737BD20-78A7-48F2-BDE4-11B2CFE9043A} - F:\WINDOWS\dsktbwfe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

--
End of file - 7449 bytes
  • 0

#4
miekiemoes
Posted 15 April 2008 - 02:42 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#5
Feanorfenwe
Posted 15 April 2008 - 02:55 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here are these

Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Quick Scan
Objects scanned: 33612
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 28
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
f:\WINDOWS\system32\vtUmMdcy.dll (Trojan.Vundo) -> Unloaded module successfully.
F:\WINDOWS\system32\jkkLEWnl.dll (Trojan.Vundo) -> Unloaded module successfully.
F:\WINDOWS\dsktbwfe.dll (Trojan.FakeAlert) -> Unloaded module successfully.
F:\WINDOWS\ogxtsepr.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtummdcy (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{325a19db-a3ac-4911-9f31-31579d714bcb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{325a19db-a3ac-4911-9f31-31579d714bcb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f60e7f1-0051-4531-8310-8da152244ada} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{575d6631-f4c7-41f9-b10d-b2a3b5e3cc3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1c68314c-94c7-43db-8cf9-7f76647ac5e2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a1958fc-7880-41b6-bf53-8559a707f1cb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{11c3d1ab-cc3e-4e15-b414-180a4d7d5664} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9737bd20-78a7-48f2-bde4-11b2cfe9043a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53952518-97b4-4885-b7d6-3a274db20792} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53952518-97b4-4885-b7d6-3a274db20792} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93274c4c-4b33-4899-9165-6dfb623012cf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10bde5c9-141f-4536-86d4-56883348bba1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sgoblxtm.btrp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sgoblxtm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MSVPS.MSVPSApp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dsktbwfe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ogxtsepr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{10bde5c9-141f-4536-86d4-56883348bba1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\jkklewnl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
f:\WINDOWS\system32\vtUmMdcy.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\jkkLEWnl.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\lnWELkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\lnWELkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\SC3BHCVO\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\dsktbwfe.dll (Trojan.FakeAlert) -> Delete on reboot.
F:\WINDOWS\nslbvxpgagr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\WINDOWS\ogxtsepr.dll (Trojan.FakeAlert) -> Delete on reboot.
F:\WINDOWS\sgoblxtm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\WINDOWS\spnkfwad.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:13 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3062BF76-CBCD-4235-A1C7-469385944123} - F:\WINDOWS\system32\wvUOiJCt.dll (file missing)
O2 - BHO: (no name) - {325A19DB-A3AC-4911-9F31-31579D714BCB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53952518-97B4-4885-B7D6-3A274DB20792} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8B6DD113-13C6-4D05-9B31-625CB77537E4} - F:\WINDOWS\system32\byXRjhhg.dll (file missing)
O2 - BHO: (no name) - {8E07256F-CEA0-4F8C-B2A0-43C920BC97F1} - F:\WINDOWS\system32\awtsQhGW.dll (file missing)
O2 - BHO: (no name) - {94502CDA-9B20-454F-BA44-76EEC82990C9} - (no file)
O2 - BHO: (no name) - {D7CDD0FC-72BD-47A9-B327-F7424B4F733C} - F:\WINDOWS\system32\rqRJApnM.dll (file missing)
O2 - BHO: (no name) - {ED804FCB-D52A-4F4D-A9F7-3CF8EC184F65} - F:\WINDOWS\system32\tuvUKaAp.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - (no file)
O3 - Toolbar: (no name) - {10BDE5C9-141F-4536-86D4-56883348BBA1} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MacDrive7.0.4TimeOutPatch] F:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [f459d105] rundll32.exe "F:\WINDOWS\system32\fsujgutf.dll",b
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dtpqcnry] F:\WINDOWS\system32\ehidkrwd.exe
O4 - HKCU\..\Run: [iidwibdc] F:\WINDOWS\system32\ixmzinyt.exe
O4 - HKCU\..\Run: [iluzbhfq] F:\WINDOWS\system32\mzezktiv.exe
O4 - HKLM\..\Policies\Explorer\Run: [th54ITjOIc] F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185412818126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185413417030
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtUmMdcy - F:\WINDOWS\
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

--
End of file - 8429 bytes
  • 0

#6
miekiemoes
Posted 15 April 2008 - 03:02 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "Privacy Protection" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: (no name) - {3062BF76-CBCD-4235-A1C7-469385944123} - F:\WINDOWS\system32\wvUOiJCt.dll (file missing)
O2 - BHO: (no name) - {325A19DB-A3AC-4911-9F31-31579D714BCB} - (no file)
O2 - BHO: (no name) - {53952518-97B4-4885-B7D6-3A274DB20792} - (no file)
O2 - BHO: (no name) - {8B6DD113-13C6-4D05-9B31-625CB77537E4} - F:\WINDOWS\system32\byXRjhhg.dll (file missing)
O2 - BHO: (no name) - {8E07256F-CEA0-4F8C-B2A0-43C920BC97F1} - F:\WINDOWS\system32\awtsQhGW.dll (file missing)
O2 - BHO: (no name) - {94502CDA-9B20-454F-BA44-76EEC82990C9} - (no file)
O2 - BHO: (no name) - {D7CDD0FC-72BD-47A9-B327-F7424B4F733C} - F:\WINDOWS\system32\rqRJApnM.dll (file missing)
O2 - BHO: (no name) - {ED804FCB-D52A-4F4D-A9F7-3CF8EC184F65} - F:\WINDOWS\system32\tuvUKaAp.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - (no file)
O3 - Toolbar: (no name) - {10BDE5C9-141F-4536-86D4-56883348BBA1} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [f459d105] rundll32.exe "F:\WINDOWS\system32\fsujgutf.dll",b
O4 - HKCU\..\Run: [dtpqcnry] F:\WINDOWS\system32\ehidkrwd.exe
O4 - HKCU\..\Run: [iidwibdc] F:\WINDOWS\system32\ixmzinyt.exe
O4 - HKCU\..\Run: [iluzbhfq] F:\WINDOWS\system32\mzezktiv.exe
O4 - HKLM\..\Policies\Explorer\Run: [th54ITjOIc] F:\Documents and Settings\All Users\Application Data\lsjotyfg\dszynuri.exe
O20 - Winlogon Notify: vtUmMdcy - F:\WINDOWS\
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot afterwards and post a new HijackThislog in your next reply.
  • 0

#7
Feanorfenwe
Posted 15 April 2008 - 03:19 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:51 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MacDrive7.0.4TimeOutPatch] F:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185412818126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185413417030
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6328 bytes
  • 0

#8
miekiemoes
Posted 15 April 2008 - 03:24 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.
  • 0

#9
Feanorfenwe
Posted 15 April 2008 - 03:30 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
everytime I try to unistall my current java it says that "The Windows installer could not be accessed"
  • 0

#10
miekiemoes
Posted 15 April 2008 - 03:38 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Download Dial-a-fix from here:
http://wiki.djlizard...2C_and_articles

Open Dial-a-fix and in the main Window, you'll find: MSI
There, select "Fix Windows Installer"
All the other ones under it will be checked as well.

Then click the GO button below.

If that didn't fix it,
Download and install the latest version of the Windows Installer.
http://www.microsoft...;displaylang=en
  • 0

Advertisements

#11
Feanorfenwe
Posted 15 April 2008 - 03:45 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
hmmm. Neither of those worked for me.
  • 0

#12
miekiemoes
Posted 15 April 2008 - 03:50 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Did you reinstall the Windows installer?
Also, please reboot your computer afterwards and try again.
  • 0

#13
Feanorfenwe
Posted 15 April 2008 - 03:54 PM

Feanorfenwe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I reinstaled and reset and still not working.
  • 0

#14
miekiemoes
Posted 15 April 2008 - 03:57 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Please read here:
http://support.micro...b;EN-US;Q315346

Under: Method 2: Reinstall the Windows Installer
(where it is explained how to rename the damaged Windows Installer files first and then reinstall the Windows Installer afterwards).

Good advice, get rid of Uniblue RegistryBooster 2, because these registry tools are responsible for breaking these and breaking a lot of other applications.
  • 0

#15
miekiemoes
Posted 15 April 2008 - 04:11 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Sidenote... You're getting this error when you try to uninstall Java? So what happens if you install latest java? Does that work? If so, then you should be OK.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP