Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijackthis log

Post by cocko » January 20th, 2007, 4:03 am

If someone could help with this I will be eternally grateful.


Logfile of HijackThis v1.99.1
Scan saved at 4:00:04 PM, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wpablan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Trish Cant\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfcywx.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\ekfjvwwt.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D1986A1D-39BC-4DC3-9F4C-04700A8B40F5} - C:\WINDOWS\System32\nnlmm.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?b63adb856c414262a9d12d1f21465d8a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?b63adb856c414262a9d12d1f21465d8a
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1336836769
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\svchq0.dll
O20 - Winlogon Notify: khfcywx - C:\WINDOWS\SYSTEM32\khfcywx.dll
O20 - Winlogon Notify: ljjgh - C:\WINDOWS\System32\ljjgh.dll (file missing)
O20 - Winlogon Notify: nnlmm - C:\WINDOWS\System32\nnlmm.dll (file missing)
O20 - Winlogon Notify: pmnopnm - C:\WINDOWS\SYSTEM32\pmnopnm.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: Local Security Policy (Windows Local Security Policy) - Unknown owner - C:\WINDOWS\wpablan.exe
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia
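The helpers in this thread read logs like the one above by eye, line by line. As an added example that is not part of the thread and not a HijackThis feature, here is a Python triage script that parses lines in the HijackThis v1.99 format and applies a few defender heuristics drawn from what the helper later points out: entries whose file is missing, RunServices entries, AppInit_DLLs, a DLL registered both as a BHO and a Winlogon Notify package, and a service with no vendor string whose binary sits outside system32 or Program Files. The sample lines are a constructed subset of the log above; the rules, their wording and the `Entry`/`Finding` names are this example's own.

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not part
of this thread or of HijackThis). SAMPLE_LOG is a constructed subset of the
log posted above; the rules are this example's own defender heuristics."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O4/O20/O23 lines taken from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfcywx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svchq0.dll
O20 - Winlogon Notify: khfcywx - C:\WINDOWS\SYSTEM32\khfcywx.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Local Security Policy (Windows Local Security Policy) - Unknown owner - C:\WINDOWS\wpablan.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
GUID_RE = re.compile(r"^(?P<name>.*?) - \{(?P<guid>[^}]*)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_RE = re.compile(r'([^\\/"]+\.(?:exe|dll|sys))', re.I)

@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O4", "O20", "O23", ...
    kind: str      # "BHO", "HKLM\..\RunServices", "Winlogon Notify", "Service", ...
    name: str      # display name, notify package name or Run value name
    path: str      # file path or command line at the end of the entry
    missing: bool  # HijackThis appended "(file missing)"
    raw: str

@dataclass(frozen=True)
class Finding:
    entry: Entry
    reasons: tuple

def parse_line(line):
    """Return an Entry for one HijackThis line, or None for lines not modelled here."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, kind, rest = m.group("sec"), m.group("kind"), m.group("rest")
    missing = rest.endswith("(file missing)")
    if missing:
        rest = rest[: -len("(file missing)")].strip()
    g = GUID_RE.match(rest)
    if g:                                    # "name - {CLSID} - path" (O2, O3, O9, O18)
        name, path = g.group("name"), g.group("path")
    elif kind.split("\\")[-1] in ("Run", "RunOnce", "RunServices"):   # "[value] command"
        r = RUN_RE.match(rest)
        name, path = (r.group("name"), r.group("cmd")) if r else ("", rest)
    elif kind == "Service":                  # "display name - vendor - path"
        parts = rest.split(" - ", 2)
        name, path = parts[0], parts[-1]
    else:                                    # "notify name - path", or a bare path (AppInit_DLLs)
        parts = rest.split(" - ", 1)
        name, path = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
    return Entry(sec, kind, name.strip(), path.strip(), missing, line.strip())

def basename(path):
    """Lower-cased file name of the first .exe/.dll/.sys in a path or command line."""
    m = FILE_RE.search(path)
    return m.group(1).lower() if m else path.lower()

def triage(log_text):
    """Apply the heuristics to every parsed line; return the entries worth a second look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    bho_dlls = {basename(e.path) for e in entries if e.section == "O2"}
    findings = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("references a file that no longer exists (orphaned entry)")
        if e.kind.endswith("RunServices"):
            reasons.append("RunServices is a Windows 9x-era key that XP does not process; "
                           "legitimate XP software has no reason to write it")
        if e.kind == "AppInit_DLLs":
            reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
        if e.kind == "Winlogon Notify" and basename(e.path) in bho_dlls:
            reasons.append("same DLL is also registered as a BHO (O2): the BHO + Winlogon Notify "
                           "pairing is typical of the Vundo family cleaned later in this thread")
        if (e.section == "O23" and "Unknown owner" in e.raw
                and not re.search(r"system32|program files|progra~1", e.path, re.I)):
            reasons.append("service with no vendor string whose binary lives outside "
                           "system32 and Program Files")
        if reasons:
            findings.append(Finding(e, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry.raw)
        for reason in f.reasons:
            print("   ->", reason)
```

Run against the constructed sample it flags six entries (the orphaned ljjgh.dll BHO, the two RunServices values, the AppInit_DLLs entry, the khfcywx Winlogon Notify package and the wpablan.exe service) and leaves the TrackPoint, Spybot and AVG entries alone; the rules are heuristics for prioritising what to look up, not a verdict.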

Post by Mr_JAk3 » January 20th, 2007, 4:36 am

Hi cocko and welcome to the Malware Removal Forums :)

You're quite badly infected.

One or more of the identified infections is a backdoor trojan :silent:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.

Please let us know what you have decided to do in your next post :)
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Clean up

Post by cocko » January 20th, 2007, 5:02 am

Hi jak3,
thanks for your time. Let's give it a go to get clean, and if not I will use the last resort process.

Cocko
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia

Post by Mr_JAk3 » January 20th, 2007, 5:09 am

Hi :)

I'll be happy to help you.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Create a new folder for HijackThis and move HijackThis.exe into it.

First you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Windows Defender's realtime protection.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
  • Exit the program.
Disable AVG Anti-Spyware guard.
  • Open AVG Anti-Spyware
  • Click Shield
  • Click under "resident shield is"
  • Change it to inactive
  • Close the program
Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Results So Far

Post by cocko » January 20th, 2007, 5:29 am

SDFix caused a BSOD after about 2-3 minutes. Have started the laptop and am running VundoFix; after that has run I will try SDFix again.
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia

Maybe the problem was in execution order

Post by cocko » January 20th, 2007, 5:49 am

Allowed VundoFix to run, restarted in Safe Mode and ran SDFix again. Worked this time. Will post all the reports next.

My smile is nearly returned

Cocko
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia

Copy of all three logs

Post by cocko » January 20th, 2007, 5:56 am

Well, here it is, one big log file.

Logfile of HijackThis v1.99.1
Scan saved at 5:52:29 PM, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wpablan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Trish Cant\Desktop\HijackThis.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfcywx.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\ekfjvwwt.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D1986A1D-39BC-4DC3-9F4C-04700A8B40F5} - C:\WINDOWS\System32\nnlmm.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?b63adb856c414262a9d12d1f21465d8a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?b63adb856c414262a9d12d1f21465d8a
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1336836769
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\svchq0.dll
O20 - Winlogon Notify: ljjgh - C:\WINDOWS\System32\ljjgh.dll (file missing)
O20 - Winlogon Notify: nnlmm - C:\WINDOWS\System32\nnlmm.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Local Security Policy (Windows Local Security Policy) - Unknown owner - C:\WINDOWS\wpablan.exe




SDFix: Version 1.60

Sat 20/01/2007 - 17:44:53.02

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
hide_evr2
MsaSvc

Path:
File Path - \??\C:\WINDOWS\hide_evr2.sys
File Path - C:\WINDOWS\System32\msasvc.exe
File Path - \??\C:\WINDOWS\hide_evr2.sys
File Path - C:\WINDOWS\System32\msasvc.exe

hide_evr2 Deleted
MsaSvc Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Killing PID 152 'smss.exe'
Killing PID 224 'winlogon.exe'
Killing PID 152 'smss.exe'
Killing PID 224 'winlogon.exe'

Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\system32\eraseme_70737.exe - Deleted
C:\WINDOWS\Nvds.exe - Deleted
C:\WINDOWS\system32\daoprint.dll - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\setup_60712.exe - Deleted
C:\WINDOWS\system32\TFTP1408 - Deleted
C:\WINDOWS\system32\TFTP1748 - Deleted
C:\WINDOWS\system32\TFTP1768 - Deleted
C:\WINDOWS\system32\TFTP2952 - Deleted
C:\WINDOWS\system32\TFTP3080 - Deleted
C:\WINDOWS\system32\TFTP3440 - Deleted
C:\WINDOWS\system32\TFTP528 - Deleted
C:\WINDOWS\system32\TFTP764 - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\userinit.exe - Deleted
C:\WINDOWS\WeRecl.exe - Deleted

Could Not Remove C:\WINDOWS\wpablan.exe!


Alternate Streams Check:

C:\WINDOWS\system32
:lzx32.sys 69670
Total size: 69670 bytes.

Removing ADS...

system32: deleted 69670 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------
C:\WINDOWS\wpablan.exe Found

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Cants\CONFIG.SYS
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\~WRL0138.tmp
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\~WRL0576.tmp
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\158005199\BIT28A4.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2005\~WRL0820.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL0285.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL2738.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL3153.tmp
C:\WINDOWS\system32\mmlnn.tmp
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341235.TMP

Finished


VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 5:25:30 PM 20/01/2007

Listing files found while scanning....

C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\cbxvttr.dll
C:\WINDOWS\System32\ekfjvwwt.dll
C:\WINDOWS\system32\fccaxxv.dll
C:\WINDOWS\System32\hgjjl.bak1
C:\WINDOWS\System32\hgjjl.bak2
C:\WINDOWS\System32\hgjjl.ini
C:\WINDOWS\System32\hgjjl.ini2
C:\WINDOWS\System32\hgjjl.tmp
C:\WINDOWS\system32\iifffgg.dll
C:\WINDOWS\system32\khfcywx.dll
C:\WINDOWS\System32\ljjgh.dll
C:\WINDOWS\system32\mljhigh.dll
C:\WINDOWS\System32\nnlmm.dll
C:\WINDOWS\system32\nnnnlkl.dll
C:\WINDOWS\system32\nulglgpu.dll
C:\WINDOWS\system32\opnmnnk.dll
C:\WINDOWS\System32\pabpvjkk.dll
C:\WINDOWS\system32\pmnopnm.dll
C:\WINDOWS\system32\qomjgff.dll
C:\WINDOWS\system32\sljxkylw.exe
C:\WINDOWS\system32\tuvvtts.dll
C:\WINDOWS\system32\upglglun.ini
C:\WINDOWS\system32\vtuutuv.dll
C:\WINDOWS\system32\wvuvvut.dll

Beginning removal...

Attempting to delete C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Trish Cant\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxvttr.dll
C:\WINDOWS\system32\cbxvttr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccaxxv.dll
C:\WINDOWS\system32\fccaxxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgjjl.bak1
C:\WINDOWS\System32\hgjjl.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgjjl.bak2
C:\WINDOWS\System32\hgjjl.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgjjl.ini
C:\WINDOWS\System32\hgjjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgjjl.ini2
C:\WINDOWS\System32\hgjjl.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\hgjjl.tmp
C:\WINDOWS\System32\hgjjl.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifffgg.dll
C:\WINDOWS\system32\iifffgg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfcywx.dll
C:\WINDOWS\system32\khfcywx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhigh.dll
C:\WINDOWS\system32\mljhigh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnlkl.dll
C:\WINDOWS\system32\nnnnlkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nulglgpu.dll
C:\WINDOWS\system32\nulglgpu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmnnk.dll
C:\WINDOWS\system32\opnmnnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnopnm.dll
C:\WINDOWS\system32\pmnopnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomjgff.dll
C:\WINDOWS\system32\qomjgff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sljxkylw.exe
C:\WINDOWS\system32\sljxkylw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvvtts.dll
C:\WINDOWS\system32\tuvvtts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\upglglun.ini
C:\WINDOWS\system32\upglglun.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuutuv.dll
C:\WINDOWS\system32\vtuutuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuvvut.dll
C:\WINDOWS\system32\wvuvvut.dll Has been deleted!

Performing Repairs to the registry.
Done!
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia
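Two findings in the SDFix report above matter more than the long list of deletions: the alternate data stream `system32:lzx32.sys` (a driver stored in a stream attached to the system32 directory, the hiding place Rustock.b is known for, which is why the next reply brings in a rootkit tool) and the file SDFix could not remove, which is listed again under Remaining Files. As an added example that is not part of this thread or of SDFix, the following Python parser turns such a report into structured data and lists what still needs a follow-up. The report text is a constructed, shortened copy of the one posted above; the section headings and line shapes are those of SDFix 1.60 as they appear there, and handling of other SDFix versions is an assumption.

```python
"""Parser for SDFix 1.60 report text (added example, not part of this thread
or of SDFix). SDFIX_REPORT is a constructed, shortened copy of the report
posted above, keeping one line of each shape the parser handles."""
import re
from collections import namedtuple

Stream = namedtuple("Stream", "host name size")
FirewallException = namedtuple("FirewallException", "profile path scope mode name")

SDFIX_REPORT = r"""
SDFix: Version 1.60
Safe Mode:
Checking Services:
hide_evr2 Deleted
MsaSvc Deleted
Normal Mode:
Checking Files:
Files will be copied to Backups folder and removed:
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\userinit.exe - Deleted
Could Not Remove C:\WINDOWS\wpablan.exe!
Alternate Streams Check:
C:\WINDOWS\system32
:lzx32.sys 69670
Total size: 69670 bytes.
Removing ADS...
system32: deleted 69670 bytes in 1 streams.
Final Check:
Remaining Services:
------------------
Rootkit PE386 Found!
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
C:\WINDOWS\wpablan.exe Found
Finished
"""

KEY_RE = re.compile(r"^\[HKEY_.*\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')
ADS_RE = re.compile(r"^:(\S+)\s+(\d+)$")       # ":streamname size" under a host path

def parse_sdfix(text):
    """Walk the report once; section headings end with ':' and scope the lines after them."""
    r = {"deleted_services": [], "deleted_files": [], "could_not_remove": [], "ads": [],
         "rootkit_alerts": [], "firewall_exceptions": [], "remaining_files": []}
    section, host, profile = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line
            continue
        if line.startswith("Removing ADS"):
            section = None
            continue
        if (m := re.match(r"^Could Not Remove (.+)!$", line)):
            r["could_not_remove"].append(m.group(1))
        elif (m := re.match(r"^Rootkit (.+) Found!$", line)):
            r["rootkit_alerts"].append(m.group(1))
        elif (m := KEY_RE.match(line)):
            profile = m.group(1)
        elif profile and (m := VALUE_RE.match(line)):
            # .reg export: value is "path:scope:mode:name" and the path itself contains a colon,
            # so split from the right; "\\" is the .reg escape for a single backslash
            path, scope, mode, name = m.group(2).replace("\\\\", "\\").rsplit(":", 3)
            r["firewall_exceptions"].append(FirewallException(profile, path, scope, mode, name))
        elif line.endswith(" - Deleted"):
            r["deleted_files"].append(line[: -len(" - Deleted")])
        elif line.endswith(" Deleted"):
            r["deleted_services"].append(line[: -len(" Deleted")])
        elif section == "Alternate Streams Check:":
            if (m := ADS_RE.match(line)):           # stream belongs to the host path above it
                r["ads"].append(Stream(host, m.group(1), int(m.group(2))))
            elif not line.startswith("Total size"):
                host = line
        elif section == "Remaining Files:" and line.endswith(" Found"):
            r["remaining_files"].append(line[: -len(" Found")])
    return r

def followups(r):
    """What SDFix found but could not finish, i.e. what the next cleaning step must address."""
    out = []
    for s in r["ads"]:
        if s.name.lower().endswith(".sys"):
            out.append(f"driver in an alternate data stream: {s.host}:{s.name} ({s.size} bytes)")
    for rk in r["rootkit_alerts"]:
        out.append(f"rootkit reported: {rk}")
    for p in r["could_not_remove"]:
        state = "still present" if p in r["remaining_files"] else "not seen in final check"
        out.append(f"removal failed for {p} ({state})")
    return out

if __name__ == "__main__":
    for item in followups(parse_sdfix(SDFIX_REPORT)):
        print("FOLLOW UP:", item)
```

On the constructed report the parser records the two deleted services, the two deleted files, the stream `lzx32.sys` attached to `C:\WINDOWS\system32`, the three firewall exceptions and the surviving `wpablan.exe`, and `followups` reduces that to three items: the driver stream, the rootkit alert, and the file that failed removal and is still present. A file that survives a Safe Mode removal pass and is still registered as a service (see the O23 line for it in the HijackThis log) is the usual sign that something protecting it is still loaded, which matches the rootkit alert.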

Post by Mr_JAk3 » January 20th, 2007, 8:34 am

Hi again, good work :)

You also have a rootkit there...

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Next step down

Post by cocko » January 20th, 2007, 10:00 am

Logfile of HijackThis v1.99.1
Scan saved at 9:57:52 PM, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wpablan.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\Trish Cant\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfcywx.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\ekfjvwwt.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D1986A1D-39BC-4DC3-9F4C-04700A8B40F5} - C:\WINDOWS\System32\nnlmm.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?b63adb856c414262a9d12d1f21465d8a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?b63adb856c414262a9d12d1f21465d8a
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1336836769
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\svchq0.dll
O20 - Winlogon Notify: ljjgh - C:\WINDOWS\System32\ljjgh.dll (file missing)
O20 - Winlogon Notify: nnlmm - C:\WINDOWS\System32\nnlmm.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Local Security Policy (Windows Local Security Policy) - Unknown owner - C:\WINDOWS\wpablan.exe




************************* Rustock.b-fix -- By ejvindh *************************
Sat 20/01/2007 21:53:39.49

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\makykwug

*******************

Script file located at: \??\C:\WINDOWS\lomdcuhx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
cocko
Regular Member
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia

Unread postby Mr_JAk3 » January 20th, 2007, 12:46 pm

Hi, good :)

Now please run SDFix again in safe mode.

When done:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with the new SDfix report.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Mr_JAk3
MRU Teacher Emeritus
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Morning time, and back at it

Unread postby cocko » January 20th, 2007, 8:42 pm

Here are both the log files:
SDFix: Version 1.60

Sun 21/01/2007 - 8:23:44.50

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:


Could Not Remove C:\WINDOWS\wpablan.exe!


Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------
C:\WINDOWS\wpablan.exe Found

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Cants\CONFIG.SYS
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\~WRL0138.tmp
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\~WRL0576.tmp
C:\Cants\Documents and Settings\Trish Cant\Local Settings\Temp\158005199\BIT28A4.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2005\~WRL0820.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL0285.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL2738.tmp
C:\Documents and Settings\Trish Cant\My Documents\Football 2006\Football 2006\~WRL3153.tmp
C:\WINDOWS\system32\mmlnn.tmp
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341235.TMP

Finished



"Trish Cant" - 07-01-21 8:31:49 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Trish Cant\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\TRISHC~1\Application Data\SearchToolbarCorp


((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))


2007-01-20 21:56 <DIR> d-------- C:\avenger
2007-01-20 21:53 <DIR> d-------- C:\Rustbfix
2007-01-20 17:25 <DIR> d-------- C:\VundoFix Backups
2007-01-20 17:17 <DIR> d-------- C:\SDFix
2007-01-20 16:43 <DIR> d-------- C:\WINDOWS\Prefetch
2007-01-20 15:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-20 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-20 15:16 3,008 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-20 15:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-20 15:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-20 15:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-20 15:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-20 15:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-20 15:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-20 14:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-01-19 19:40 <DIR> d-------- C:\d12a05332e0da229dcc4
2007-01-19 19:28 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-19 19:23 <DIR> d-------- C:\e7be1aef4365eaffca41732c982876b8
2007-01-19 04:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-01-18 21:52 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-18 21:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-18 20:14 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2007-01-18 20:14 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-01-18 20:14 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-01-18 20:14 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-01-18 20:14 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys
2007-01-18 20:14 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-01-18 20:14 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-01-18 20:14 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-01-18 20:14 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-01-18 20:14 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-01-18 20:14 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-01-18 20:14 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-01-18 20:14 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-01-18 20:13 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-01-18 20:13 896,512 --------- C:\WINDOWS\system32\wmspdmoe.dll
2007-01-18 20:13 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-01-18 20:13 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2007-01-18 20:13 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-01-18 20:13 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-01-18 20:13 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2007-01-18 20:13 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-01-18 20:13 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-01-18 20:13 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-01-18 20:13 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
2007-01-18 20:13 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-01-18 20:13 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-01-18 20:13 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-01-18 20:13 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2007-01-18 20:13 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-01-18 20:13 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-01-18 20:13 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-01-18 20:13 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-01-18 20:13 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-01-18 20:13 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-01-18 20:13 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-01-18 20:13 7,168 --------- C:\WINDOWS\system32\hccoin.dll
2007-01-18 20:13 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-01-18 20:13 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-01-18 20:13 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-01-18 20:13 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-01-18 20:13 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2007-01-18 20:13 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2007-01-18 20:13 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2007-01-18 20:13 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2007-01-18 20:13 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2007-01-18 20:13 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2007-01-18 20:13 6,016 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-01-18 20:13 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-01-18 20:13 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-01-18 20:13 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-01-18 20:13 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2007-01-18 20:13 52,224 --------- C:\WINDOWS\system32\mspmsnsv.dll
2007-01-18 20:13 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2007-01-18 20:13 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-01-18 20:13 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2007-01-18 20:13 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2007-01-18 20:13 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2007-01-18 20:13 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2007-01-18 20:13 484,864 --------- C:\WINDOWS\system32\wmspdmod.dll
2007-01-18 20:13 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2007-01-18 20:13 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-01-18 20:13 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-01-18 20:13 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2007-01-18 20:13 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-01-18 20:13 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
2007-01-18 20:13 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2007-01-18 20:13 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2007-01-18 20:13 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-01-18 20:13 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2007-01-18 20:13 384,512 --------- C:\WINDOWS\system32\mp4sdmod.dll
2007-01-18 20:13 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-01-18 20:13 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2007-01-18 20:13 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-01-18 20:13 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-01-18 20:13 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-01-18 20:13 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-01-18 20:13 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-01-18 20:13 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2007-01-18 20:13 32,866 --------- C:\WINDOWS\slrundll.exe
2007-01-18 20:13 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2007-01-18 20:13 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2007-01-18 20:13 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2007-01-18 20:13 310,272 --------- C:\WINDOWS\system32\mp43dmod.dll
2007-01-18 20:13 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-01-18 20:13 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-01-18 20:13 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2007-01-18 20:13 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-01-18 20:13 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll
2007-01-18 20:13 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-01-18 20:13 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2007-01-18 20:13 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2007-01-18 20:13 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2007-01-18 20:13 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-01-18 20:13 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-01-18 20:13 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-01-18 20:13 26,624 --------- C:\WINDOWS\system32\drivers\usbehci.sys
2007-01-18 20:13 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-01-18 20:13 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-01-18 20:13 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2007-01-18 20:13 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-01-18 20:13 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2007-01-18 20:13 233,472 --------- C:\WINDOWS\system32\wmpdxm.dll
2007-01-18 20:13 229,376 --------- C:\WINDOWS\system32\ati2cqag.dll
2007-01-18 20:13 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-01-18 20:13 22,528 --------- C:\WINDOWS\system32\fltmc.exe
2007-01-18 20:13 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2007-01-18 20:13 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-01-18 20:13 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-01-18 20:13 201,728 --------- C:\WINDOWS\system32\ati2dvag.dll
2007-01-18 20:13 200,192 --------- C:\WINDOWS\system32\ir50_qc.dll
2007-01-18 20:13 20,992 --------- C:\WINDOWS\system32\bthci.dll
2007-01-18 20:13 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2007-01-18 20:13 188,508 --------- C:\WINDOWS\system32\slgen.dll
2007-01-18 20:13 183,808 --------- C:\WINDOWS\system32\ir50_qcx.dll
2007-01-18 20:13 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2007-01-18 20:13 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2007-01-18 20:13 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2007-01-18 20:13 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-01-18 20:13 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2007-01-18 20:13 168,448 --------- C:\WINDOWS\system32\wmerror.dll
2007-01-18 20:13 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2007-01-18 20:13 16,896 --------- C:\WINDOWS\system32\fltlib.dll
2007-01-18 20:13 151,552 --------- C:\WINDOWS\system32\wmidx.dll
2007-01-18 20:13 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2007-01-18 20:13 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2007-01-18 20:13 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-01-18 20:13 15,104 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-01-18 20:13 14,336 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-01-18 20:13 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2007-01-18 20:13 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-01-18 20:13 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2007-01-18 20:13 13,824 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2007-01-18 20:13 13,824 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-01-18 20:13 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2007-01-18 20:13 13,776 --------- C:\WINDOWS\system32\drivers\recagent.sys
2007-01-18 20:13 13,568 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2007-01-18 20:13 13,240 --------- C:\WINDOWS\system32\drivers\slwdmsup.sys
2007-01-18 20:13 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2007-01-18 20:13 129,535 --------- C:\WINDOWS\system32\drivers\slnt7554.sys
2007-01-18 20:13 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-01-18 20:13 124,800 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2007-01-18 20:13 12,672 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-01-18 20:13 12,672 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2007-01-18 20:13 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-01-18 20:13 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2007-01-18 20:13 116,224 --------- C:\WINDOWS\system32\p2p.dll
2007-01-18 20:13 114,688 --------- C:\WINDOWS\system32\wmpasf.dll
2007-01-18 20:13 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2007-01-18 20:13 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2007-01-18 20:13 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-01-18 20:13 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2007-01-18 20:13 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-01-18 20:13 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-01-18 20:13 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2007-01-18 20:13 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2007-01-18 20:13 11,136 --------- C:\WINDOWS\system32\drivers\sffdisk.sys
2007-01-18 20:13 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2007-01-18 20:13 104,960 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-01-18 20:13 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2007-01-18 20:13 10,240 --------- C:\WINDOWS\system32\drivers\sffp_sd.sys
2007-01-18 20:13 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-01-18 20:13 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2007-01-18 20:13 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2007-01-18 20:13 1,309,184 --------- C:\WINDOWS\system32\drivers\mtlstrm.sys
2007-01-18 20:13 1,119,744 --------- C:\WINDOWS\system32\wmsdmoe2.dll
2007-01-18 20:13 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-01-18 20:13 1,001,472 --------- C:\WINDOWS\system32\wmvdmoe2.dll
2007-01-18 20:13 <DIR> d-------- C:\WINDOWS\provisioning
2007-01-18 20:13 <DIR> d-------- C:\WINDOWS\peernet
2007-01-18 20:08 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-01-18 20:01 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-01-18 19:56 <DIR> d-------- C:\WINDOWS\EHome
2007-01-10 14:10 277,044 --a------ C:\WINDOWS\system32\geefg.dll
2007-01-10 09:38 0 --a------ C:\wrncp.exe
2007-01-10 09:38 0 --a------ C:\cfcee.exe
2007-01-10 09:38 0 --a------ C:\bapveao.exe
2007-01-10 09:37 0 --a------ C:\mfye.exe
2007-01-09 22:48 107,520 --------- C:\WINDOWS\wpablan.exe
2007-01-09 17:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-09 14:45 277,044 --a------ C:\WINDOWS\system32\khhgd.dll
2007-01-06 16:50 0 --a------ C:\wuvhs.exe
2007-01-06 16:45 <DIR> d-------- C:\DOCUME~1\TRISHC~1\Application Data\AVG7
2007-01-06 16:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-06 16:26 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-06 16:26 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-06 16:26 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-06 16:26 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-06 16:26 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-06 16:26 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-06 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-06 15:50 0 --a------ C:\qnbndeof.exe
2007-01-06 15:50 0 --a------ C:\ghkv.exe
2007-01-06 15:09 484,793 --ahs---- C:\WINDOWS\system32\mmlnn.bak2
2007-01-06 15:08 486,164 --ahs---- C:\WINDOWS\system32\mmlnn.ini2
2007-01-06 15:05 0 --a------ C:\hioxmh.exe
2007-01-06 15:04 0 --a------ C:\twjyq.exe
2007-01-06 12:49 484,612 --ahs---- C:\WINDOWS\system32\mmlnn.bak1
2007-01-06 09:41 390 --a------ C:\efhh.exe
2007-01-06 09:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-03 08:38 277,044 --a------ C:\WINDOWS\system32\fccby.dll
2007-01-03 07:54 277,044 --a------ C:\WINDOWS\system32\opnmn.dll
2006-12-24 19:03 89,600 --a------ C:\WINDOWS\dbmio32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-21 08:31 -------- d-------- C:\DOCUME~1\TRISHC~1\Application Data\skype
2007-01-19 04:46 -------- d-------- C:\Program Files\messenger
2007-01-19 04:29 -------- d-------- C:\Program Files\skype
2007-01-18 21:50 -------- d-------- C:\Program Files\microsoft antispyware
2007-01-18 20:13 -------- d-------- C:\Program Files\movie maker
2007-01-18 20:07 -------- d-------- C:\Program Files\windows nt
2007-01-18 19:09 -------- d-------- C:\Program Files\yahoo!
2007-01-09 17:21 -------- d-------- C:\Program Files\grisoft
2007-01-03 08:29 -------- d-------- C:\DOCUME~1\TRISHC~1\Application Data\msn6
2006-12-24 18:50 1280 --a------ C:\suhdlog.sys
2006-12-23 10:36 102060 --a------ C:\spb_install.exe
2006-12-20 19:07 5120 --a------ C:\gmituqsf.exe
2006-12-20 08:37 120661 --a------ C:\efgh.exe
2006-11-23 10:01 -------- d---s---- C:\DOCUME~1\TRISHC~1\Application Data\microsoft
2006-11-23 05:48 -------- d-------- C:\Program Files\windows live toolbar
2006-11-23 03:02 -------- d-------- C:\Program Files\msxml 4.0
2006-11-08 13:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TrackPointSrv"="tp4mon.exe"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"BigDog303"="C:\\WINDOWS\\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows ASN Services"="tfvs.exe"
"Microsoft Configuration 35"="microsotl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RtlWake.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RtlWake.lnk"
"backup"="C:\\WINDOWS\\pss\\RtlWake.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BELKIN~1\\BELKIN~1\\RtlWake.exe "
"item"="RtlWake"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nulglgpu"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\System32\\nulglgpu.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Configuration 35]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="microsotl"
"hkey"="HKLM"
"command"="microsotl.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\System32\svchq0.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{0A2179D5-D1BE-4C12-AA54-0BCEC5009B5A}"="Microsoft Printer Sheduler"
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"
"{8A5849C4-93F3-429D-FF34-660A2068897C}"="OpenGL additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"WinUpgrade"="C:\\WINDOWS\\TEMP\\dldr114854399.exe"
"ttool"="C:\\WINDOWS\\9129837.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"WinUpgrade"="C:\\WINDOWS\\TEMP\\dldr114854399.exe"
"ttool"="C:\\WINDOWS\\9129837.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnlmm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-21 8:36:36
cocko

Unread postby Mr_JAk3 » January 21st, 2007, 6:34 am

Hi again :)

I suspect that there might be something else hiding. We'll run a rootkit scanner.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply. You may need several posts to include everything.

Warning! Please do not select the "Show all" checkbox during the scan.
Mr_JAk3

Not a lot in this

Unread postby cocko » January 21st, 2007, 8:35 am

I hope the lack of data here is a good sign, not because of my errors :?

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-21 20:29:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A8C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A8C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A8C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A8C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A8C85A] avgtdi.sys

---- EOF - GMER 1.0.12 ----
cocko

Unread postby Mr_JAk3 » January 21st, 2007, 9:04 am

Hi again, good work :)

Before we'll continue I would like you to upload a malware file for further inspection.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply, then OK, and close My Computer.
Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
    • Click "Browse" on the 1. field.
      Browse to the following file and click the file with your mouse, press "Open"
      C:\WINDOWS\wpablan.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Thank you :thumbright:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Create a new folder for HijackThis and move HijackThis.exe into it.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
wpablan.exe

Disable the bad service
  • Start
  • Run
  • Type services.msc into the field and press Enter.
  • A window opens, scroll down to Local Security Policy (Windows Local Security Policy)
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the box and press OK; Windows Local Security Policy
  • Answer Yes
  • Close HijackThis
Backup your registry:
  • Start
  • Run
  • Type the following into the box and hit OK: regedit
  • A window opens, click on File
  • Choose Export from the menu
  • Change the save location to C:\
  • Give the filename, RegBackUp
  • Make sure that the filetype is set to Registryfiles (*.reg)
  • Click on Save and Close the window

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows ASN Services"=-
"Microsoft Configuration 35"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Configuration 35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{0A2179D5-D1BE-4C12-AA54-0BCEC5009B5A}"=-
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"=-
"{8A5849C4-93F3-429D-FF34-660A2068897C}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinUpgrade"=-
"ttool"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"WinUpgrade"=-
"ttool"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfcywx.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\ekfjvwwt.dll (file missing)
O2 - BHO: (no name) - {D1986A1D-39BC-4DC3-9F4C-04700A8B40F5} - C:\WINDOWS\System32\nnlmm.dll (file missing)
O4 - HKLM\..\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svchq0.dll
O20 - Winlogon Notify: ljjgh - C:\WINDOWS\System32\ljjgh.dll (file missing)
O20 - Winlogon Notify: nnlmm - C:\WINDOWS\System32\nnlmm.dll (file missing)

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\geefg.dll
C:\wrncp.exe
C:\cfcee.exe
C:\WINDOWS\9129837.exe
C:\bapveao.exe
C:\mfye.exe
C:\WINDOWS\wpablan.exe
C:\WINDOWS\system32\khhgd.dll
C:\wuvhs.exe
C:\qnbndeof.exe
C:\ghkv.exe
C:\WINDOWS\System32\svchq0.dll
C:\WINDOWS\system32\mmlnn.bak2
C:\WINDOWS\system32\mmlnn.ini2
C:\hioxmh.exe
C:\twjyq.exe
C:\WINDOWS\system32\mmlnn.bak1
C:\efhh.exe
C:\WINDOWS\system32\fccby.dll
C:\WINDOWS\system32\opnmn.dll
C:\WINDOWS\dbmio32.dll
C:\spb_install.exe
C:\gmituqsf.exe
C:\efgh.exe
C:\WINDOWS\System32\nulglgpu.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: microsotl.exe
  • Search for this and delete if found: tfvs.exe
Run ATF Cleaner
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland
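An added example, not code from this thread or from HijackThis itself: a small triage script for the HijackThis log format used throughout this thread. It parses O2/O4/O20/O23 lines and flags the patterns the fix list above targets (orphaned "(file missing)" entries, unnamed BHOs, RunServices entries with a bare executable name, and AppInit_DLLs). The sample lines are constructed in the shape of the thread's entries, and the matching rules are my own assumptions rather than HijackThis's logic.

```python
"""Triage a HijackThis v1.99 log: parse O-lines and flag entries worth a
second look. Example code, not part of HijackThis or this forum thread."""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the entries quoted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {089AD80E-0E1F-452E-8916-4AC80BA2046B} - C:\\WINDOWS\\System32\\ljjgh.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\\PROGRA~1\\Skype\\Phone\\IEPlugin\\SKYPEI~1.DLL
O4 - HKLM\\..\\RunServices: [Windows ASN Services] tfvs.exe
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\svchq0.dll
O20 - Winlogon Notify: nnlmm - C:\\WINDOWS\\System32\\nnlmm.dll (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\\WINDOWS\\system32\\cisvc.exe (file missing)
"""

# "O2 - <body>": section code, then the entry text (assumed shape).
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

@dataclass
class Finding:
    kind: str
    line: str
    reasons: list = field(default_factory=list)

def triage_line(line):
    """Parse one log line; return None for lines that are not O-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("orphaned entry: registered binary no longer on disk")
    if kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO without a name")
    if kind == "O4" and "RunServices:" in body:
        target = body.split("] ", 1)[-1]          # text after "[name] "
        if "\\" not in target and "/" not in target:
            reasons.append("RunServices entry with bare file name (no path)")
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs: loaded into every GUI process")
    return Finding(kind, line.strip(), reasons)

def triage(log_text):
    """Return only the entries that have at least one reason to review."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, "|", "; ".join(f.reasons))
        print("   ", f.line)
```

Entries it flags still need a human decision; the orphaned CiSvc service in the sample is a legitimate Windows component whose file is merely absent.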

This is starting to look better

Unread postby cocko » January 21st, 2007, 5:20 pm

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:13:04 AM 22/01/2007

+ Scan result:



C:\!KillBox\spb_install.exe/neo.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Com\neo.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\SDFix\backups_old1\backups.zip/backups/daoprint.dll -> Not-A-Virus.SpamTool.Win32.Agent.t : Cleaned with backup (quarantined).
C:\SDFix\backups_old1\backups.zip/backups/rpcc.dll -> Proxy.Horst : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtqnkh.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfcywx.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljhigh.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnopnm.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).
C:\VundoFix Backups\qomjgff.dll.bad -> Trojan.AutoAff : Cleaned with backup (quarantined).


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 5:16:45 AM, on 22/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?b63adb856c414262a9d12d1f21465d8a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?b63adb856c414262a9d12d1f21465d8a
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1336836769
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

:lol:
cocko
Regular Member
 
Posts: 16
Joined: January 20th, 2007, 3:45 am
Location: Australia