Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can't Load Web Sites in Firefox or Internet Explorer


  • Please log in to reply

#1
leonfelpz6

leonfelpz6

    Member

  • Member
  • PipPip
  • 13 posts
Hello all. I want to thank any and all of you for helping me out. I greatly appreciate your advice...now on to my problem...

I have tried to load different web sites using firefox and IE but to no avail...any particular reason why? I looked on another forum and someone suggested i test to see if i had a few working .dll files...the one that i tested and it didnt work was "regsvr32 Mshtml.dll" ...so i downloaded it again and it worked fine last night...then i go to access the same sites and go figure i'm back to square 1....

so any help or suggestions? or any other information can provide? MANY THANKS!!





Logfile of HijackThis v1.99.1
Scan saved at 7:59:00 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Leon\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {6C630E6C-DC71-4DF7-8A0F-0CE5B4E0B6A4} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: {610dd766-c875-24cb-3864-05e218f6177d} - {d7716f81-2e50-4683-bc42-578c667dd016} - C:\WINDOWS\system32\drphdgnj.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [{66-66-61-1A-ZN}] C:\DOCUME~1\Leon\LOCALS~1\Temp\stdrun2.exe CHD001
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM0b255529] Rundll32.exe "C:\WINDOWS\system32\titvdxvt.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189821869276
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195270563765
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: vupdnwed - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

dont know if that tells you anything but hopefully it does

i greatly appreciate all of your help
  • 0

Advertisements


#2
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
20 views and no suggestions? im dying here people.
  • 0

#3
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi and welcome.

Sorry for delay but we do have alot of people needing help. :)
Alot of views are likely from other victims like yourself looking for answers.

We'll need to run a couple tools to help clean up the junk dropped on your system.

Let's start with this one:

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how machine is running.
There will be more work to do so please don't run away yet.

Can you tell me also if you uninstalled Norton? All products?

Thanks :)
  • 0

#4
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
SDFix: Version 1.195
Run by Leon on Sun 06/22/2008 at 10:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Leon\Desktop\Casey\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Leon\Favorites\Online Security Guide.lnk - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\WINDOWS\system32\daSgo01\daSgo011065.exe - Deleted
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe - Deleted
C:\WINDOWS\system32\netrax01\netrax011065.exe - Deleted
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\daSgo01 - Removed
Folder C:\WINDOWS\system32\f02WtR - Removed
Folder C:\WINDOWS\system32\netrax01 - Removed
Folder C:\WINDOWS\system32\X1 - Removed
Folder C:\WINDOWS\system32\xcsDd01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 22:35:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\system32\\idkbjakk.exe"="C:\\WINDOWS\\system32\\idk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\Leon\Desktop\Casey\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 4 Nov 2007 383,532 A.SH. --- "C:\WINDOWS\SYSTEM32\dfhkj.tmp"
Sun 4 Nov 2007 378,724 A.SH. --- "C:\WINDOWS\SYSTEM32\dfhkj.bak2"
Sat 17 Nov 2007 436,710 ..SH. --- "C:\WINDOWS\SYSTEM32\ppppo.tmp"
Sat 17 Nov 2007 434,343 A.SH. --- "C:\WINDOWS\SYSTEM32\ppppo.bak2"
Sat 17 Nov 2007 20,810 ..SH. --- "C:\WINDOWS\SYSTEM32\zjapunzp.dllbox"
Thu 23 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 2 Sep 2004 270 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti5E3.tmp"
Tue 3 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 27 May 2008 6,648 ...H. --- "C:\Documents and Settings\TEMP\Local Settings\Temp\[email protected]"
Tue 27 May 2008 5,324 ...H. --- "C:\Documents and Settings\TEMP\Local Settings\Temp\[email protected]"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP208\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP208\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP209\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP209\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP212\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP212\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP213\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP213\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP214\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP214\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP215\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP215\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP216\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP216\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Wed 9 Apr 2008 3,407,872 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Fri 29 Dec 2006 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3492734962-61800610-4223009023-501.bak"
Thu 30 Jun 2005 19,456 ...H. --- "C:\Documents and Settings\Leon\Application Data\Microsoft\Word\~WRL0003.tmp"
Thu 30 Jun 2005 19,968 ...H. --- "C:\Documents and Settings\Leon\Application Data\Microsoft\Word\~WRL0005.tmp"
Thu 30 Jun 2005 19,968 ...H. --- "C:\Documents and Settings\Leon\Application Data\Microsoft\Word\~WRL1528.tmp"

Finished!
  • 0

#5
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:25 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {6C630E6C-DC71-4DF7-8A0F-0CE5B4E0B6A4} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: {610dd766-c875-24cb-3864-05e218f6177d} - {d7716f81-2e50-4683-bc42-578c667dd016} - C:\WINDOWS\system32\drphdgnj.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [{66-66-61-1A-ZN}] C:\DOCUME~1\Leon\LOCALS~1\Temp\stdrun2.exe CHD001
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM0b255529] Rundll32.exe "C:\WINDOWS\system32\titvdxvt.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189821869276
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195270563765
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vupdnwed - C:\WINDOWS\
O22 - SharedTaskScheduler: {210b4043-35ca-4aa0-8796-191f9663dfb3} - altmannsberger - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 7996 bytes
  • 0

#6
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi,

Thanks for the logs.

So your Spybot does not interfere with fixes please Undo its "Imunize" then uninstall it.
We can re-install Spybot when done.
Once uninstalled please do the following:

Print out or save instructions to notepad.
You need to so some fixes in safe mode and this page will be non viewable.
If you need instructions from other sites I referr to -- please print or save them before proceeding.

Copy the following text inside code box to a new notepad file.
Save it as file name fix.reg
As file types: All files
Save it to the desktop. Do nothing with it yet.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\idkbjakk.exe"=-

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache
    Recycle bin
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Reboot system to SAFE mode.
Log into your usual account.

Start Hijackthis (the new one you just installed)
Run system scan only and check the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - (no file)
O2 - BHO: (no name) - {5BC6834F-4888-515B-8D89-10541C09B19D} - C:\Program Files\Outerinfo\OinBHO.dll (file missing)
O2 - BHO: (no name) - {6C630E6C-DC71-4DF7-8A0F-0CE5B4E0B6A4} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: {610dd766-c875-24cb-3864-05e218f6177d} - {d7716f81-2e50-4683-bc42-578c667dd016} - C:\WINDOWS\system32\drphdgnj.dll
O4 - HKLM\..\Run: [{66-66-61-1A-ZN}] C:\DOCUME~1\Leon\LOCALS~1\Temp\stdrun2.exe CHD001
O4 - HKLM\..\Run: [BM0b255529] Rundll32.exe "C:\WINDOWS\system32\titvdxvt.dll",s
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LDM] \Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} -
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} -
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: vupdnwed - C:\WINDOWS\
O22 - SharedTaskScheduler: {210b4043-35ca-4aa0-8796-191f9663dfb3} - altmannsberger - (no file)


Hit "fix checked" then OK.
Exit Hijackthis.

Locate fix.reg and right click it.
Choose "merge" and OK.
Should get success message.

Enable system to show hidden files:
How to if needed:

http://www.bleepingc...tutorial62.html
don't forget to hide files/folders when we are finished cleaning.

Locate and delete the following if found:

C:\Program Files\Outerinfo <-- folder
C:\WINDOWS\system32\titvdxvt.dll <-- file
C:\WINDOWS\SYSTEM32\zjapunzp.dllbox <-- file
C:\WINDOWS\SYSTEM32\ppppo.bak2 <-- file
C:\WINDOWS\SYSTEM32\ppppo.tmp <-- file
C:\WINDOWS\SYSTEM32\dfhkj.bak2 <-- file
C:\WINDOWS\SYSTEM32\dfhkj.tmp <-- file
c:\windows\system32\ldcore.dll <-- file

Empty out recycle bin.

Reboot back to normal mode and post a fresh HJT log here please.
Let me know how system is running.
We will likely have more work to do. :)

-------------------------

Also --- if these are your threads in other forums-- you may want to let them know you are getting help here so they can close threads:

http://forums.techgu...s-some-web.html

http://www.neowin.ne...#entry589499569

Don't try fixing the O10s like the last link at neowin says or you will trash your internet.
Those belong to your antivirus.
  • 0

#7
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
When i went to HJT, these were not in the log...

O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

also- when I go to 'merge' the .reg, i get an error that says "Cannot import C:\Documents and Settings\Leon\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor." ....dont know what I should do next...
  • 0

#8
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Tried it twice...still nothing...this is what i put into the fix.reg ...

ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\idkbjakk.exe

...should I proceed with the next steps ? For the [bleep] of it i posted my most recent hjt log (in case it helps)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:09 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189821869276
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195270563765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 5367 bytes
  • 0

#9
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Blender-

I needed to use my computer last night (a semi-important, but not life-or-death, situation and as it turns out I can access some of the sites I needed to before you instructed me to do what I did...I would assume that my computer still is not 'fixed' so I ask, what should I do from here?

Again- I greatly appreciate your help and thank you for taking the time to help solve my problem(s)
  • 0

#10
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi,

Sorry for delay. Had power outage yesterday.

I will attach the registry file you need.
Attached is file called "fixit.zip"
Please download this file, save it and unzip it.

Once unzipped, right click fixit.reg then choose "merge"
It should ask if you are sure -- say yes.
Should get success message.

REboot when done please and post a fresh hijackthis log here along with the following:

If you already have used Kaspersky online scanner, please uninstall it via add/remove programs because this is a new version I need you to download.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Graphics tutorial available here if needed:

http://i275.photobuc...ng/KAS/KAS9.gif

Let me know how system is acting please.

Thanks :)

Attached Files


  • 0

Advertisements


#11
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Blender-

Thank you for your help. No worries about the power outage...hope all is fixed

as for the Kaspersky Online skanner, last night it was about 70% complete then I remembered that I didn't have my portable hard-drive plugged in. SO i plugged it in and restarted the scanner....well here I sit 12+hours later and I am only at + - 30%....should I un-plug my portable hard drive and ONLY scan my computer ?
  • 0

#12
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Well 24 hours later the scan finished... here is the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:45 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1189821869276
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195270563765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5798 bytes


and the KAS results / log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 26, 2008 23:58:43
Records in database: 886174
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 90379
Threat name: 14
Infected objects: 28
Suspicious objects: 2
Duration of the scan: 24:22:41


File name / Threat name / Threats count
C:\Documents and Settings\Leon\.housecall\Quarantine\A0036412.exe.bac_a19092 Infected: not-a-virus:AdWare.Win32.Relevant.a 1
C:\Documents and Settings\Leon\.housecall\Quarantine\A0037109.exe.bac_a19092 Infected: not-a-virus:AdWare.Win32.RK.f 1
C:\Documents and Settings\Leon\.housecall\Quarantine\A0037137.dll.bac_a19092 Infected: not-a-virus:AdWare.Win32.RK.e 1
C:\Documents and Settings\Leon\.housecall6.6\Quarantine\A0036412.exe.bac_a19092 Infected: not-a-virus:AdWare.Win32.Relevant.a 1
C:\Documents and Settings\Leon\.housecall6.6\Quarantine\A0037109.exe.bac_a19092 Infected: not-a-virus:AdWare.Win32.RK.f 1
C:\Documents and Settings\Leon\.housecall6.6\Quarantine\A0037137.dll.bac_a19092 Infected: not-a-virus:AdWare.Win32.RK.e 1
C:\Documents and Settings\Leon\.housecall6.6\Quarantine\rlxf.dll.bac_a02272 Infected: not-a-virus:AdWare.Win32.RK.m 1
C:\Documents and Settings\Leon\Desktop\Casey\SAVLaunch.exe Suspicious: Type_Script 1
C:\Documents and Settings\Leon\Desktop\Casey\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.VB.cho 1
C:\Documents and Settings\Leon\Desktop\Casey\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.VB.awj 1
C:\Documents and Settings\Leon\Desktop\Casey\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.VB.fao 1
C:\Documents and Settings\Leon\Desktop\Elise\Desktop\SAVLaunch.exe Suspicious: Type_Script 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\DBBLTBUK.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\DRVFXKVG.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\HHTJSHJK.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\IMWBAIOH.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\INDRIKUX.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\JCRVBANH.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.ki 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008364.exe Infected: Trojan-Downloader.Win32.VB.cho 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008365.exe Infected: Trojan-Downloader.Win32.VB.awj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008366.exe Infected: Trojan-Downloader.Win32.VB.fao 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008374.exe Infected: Trojan-Downloader.Win32.VB.cho 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008375.exe Infected: Trojan-Downloader.Win32.VB.awj 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP217\A0008376.exe Infected: Trojan-Downloader.Win32.VB.fao 1
C:\WINDOWS\frexup3.exe Infected: not-a-virus:Downloader.Win32.Agent.q 1
C:\WINDOWS\frexup3.exe Infected: not-a-virus:AdWare.Win32.AdBand.a 1
C:\WINDOWS\frexup3.exe Infected: not-a-virus:AdWare.Win32.Agent.aix 1
C:\WINDOWS\SYSTEM32\oTt02e\oTt02e1065.exe Infected: Trojan-Downloader.Win32.VB.bnq 1
C:\WINDOWS\SYSTEM32\oTt08e\oTt08e1099.exe Infected: Trojan-Downloader.Win32.VB.bnq 1

The selected area was scanned.
  • 0

#13
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
was it something i said, blender??? :) :) :)
  • 0

#14
Blender

Blender

    Malware Expert

  • Member
  • PipPipPip
  • 187 posts
  • MVP
Hi,

I am sorry for the delay. :)
I had ISP issues on and off for a while and I believe I missed my topic reply notice along the way.
If I miss you again -- please PM me. :)

How is the system running now? Website access OK?
Any other issues with the machine?

From the Kaspersky log there are a few items to delete if they are still there.
A file I want to get scanned because it was labled as suspisious.

Go to http://www.virustota.../en/indexf.html
Copy the following line into the white textbox:
C:\Documents and Settings\Leon\Desktop\Casey\SAVLaunch.exe
Click Send.
Please post the results of this scan to this thread.
Please include the file size/MD5 information if available.

Next:

Locate and delete the following files/folders if present:

C:\WINDOWS\frexup3.exe <-- file
C:\WINDOWS\SYSTEM32\oTt02e <-- folder

Then empty the recycle bin.

Next:

I want to make sure no new critters come in for a visit.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts. (On Vista; right click dss.exe and choose run as administrator)
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

-- If dss.exe hangs up anywhere during scan, please note where in scan it hung up and let me know.

Thanks :)
  • 0

#15
leonfelpz6

leonfelpz6

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
BLENDER! Glad to hear back from you! Thank you for taking the time to help me...I really appreciate your help...I am at work right now so I have not been able to follow your instructions yet...will try to sometime on Sunday evening. Hope you got all of your ISP problems fixed...I will follow up with you soon! Have a great weekend!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP