Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


New Member with a malware problem

Unread postby Earendil » January 10th, 2008, 3:07 pm

I'm a new member who picked up possibly a Trojan yesterday. I think it was through a spoofed video codec install.

I scanned with my AVG yesterday and it found an installer for .Zlob.

This morning my machine had tons of popups and phony spy and malware remover ads all over, and I can't pull up my Task Manager to remove anything. I keep getting a flashing red circle with a white "x" in the tool tray that comes and goes.

Randomly, programs I have open will flash to be on top of whatever I'm working on at the moment.

I ran HijackThis and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:26 PM, on 1/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\avgagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Logi_MwX.Exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\neos\neos.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\PROGRA~1\Grisoft\AVG7\avgwa.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.227.17.30:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: XTN Monitor - {D7A1D78A-8423-4660-AE43-01F15E11AD7E} - C:\WINNT\dnqdlpmmwv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: The epxonwo - {BFAA078B-58E2-4E6C-BD54-BA2A5C6DA153} - C:\DOCUME~1\JMAXSO~1.TVC\LOCALS~1\Temp\ac8zt2\epxonwo.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [neos.exe] C:\Program Files\neos\neos.exe --background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimageN\IEimageN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\Program Files\IEimageN\IEimageN.htm
O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\Program Files\IEimageN\IEimageN.htm
O15 - Trusted Zone: *.uswired4ed.net
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tvcalbny.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tvcalbny.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tvcalbny.local
O21 - SSODL: bgntlvo - {B1316B22-A2CE-4F81-B1F0-89EE8A6D01BA} - C:\WINNT\bgntlvo.dll
O21 - SSODL: asvdnmo - {4A2A6835-9C68-4E45-BE02-5194A4160C92} - C:\WINNT\asvdnmo.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7827 bytes

Any and all assistance anyone could give would be appreciated.

I just ran another full AVG scan and it didn't turn anything up.
Earendil
Active Member
 
Posts: 1
Joined: January 10th, 2008, 2:40 pm
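As an added example (not part of this thread, and not one of the forum's tools), the following Python script shows how a helper might triage a HijackThis log programmatically before deciding which entries need attention. It runs over a handful of lines copied verbatim from the log above (plus two benign lines for contrast) and flags entries worth a second look: a proxy pointing at an external address, changed start/search URLs, O21 SSODL entries, dangling "(file missing)" references, and random-looking lowercase filenames sitting directly in the Windows directory or under a Temp folder. The heuristics, the `WINDOWS_ROOTS` set and the `RANDOM_NAME_RE` pattern are my assumptions; a flagged line is a prompt for review, not a verdict.

```python
import re
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the HijackThis log posted above,
# with a benign Adobe BHO and the RealVNC service left in for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.227.17.30:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XTN Monitor - {D7A1D78A-8423-4660-AE43-01F15E11AD7E} - C:\WINNT\dnqdlpmmwv.dll
O3 - Toolbar: The epxonwo - {BFAA078B-58E2-4E6C-BD54-BA2A5C6DA153} - C:\DOCUME~1\JMAXSO~1.TVC\LOCALS~1\Temp\ac8zt2\epxonwo.dll (file missing)
O21 - SSODL: bgntlvo - {B1316B22-A2CE-4F81-B1F0-89EE8A6D01BA} - C:\WINNT\bgntlvo.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
""".strip("\n")

# HijackThis entries start with a section code (R0, R1, O2, O21, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Assumed heuristic: a stem of six or more lowercase letters with no digits,
# underscores or capitals looks machine-generated (dnqdlpmmwv, bgntlvo).
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,}$")
# Assumed: system DLLs normally live in System32, not directly in these roots.
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}


def _last_field(body):
    """Return the last ' - '-separated field and whether HJT marked it missing."""
    field = body.split(" - ")[-1].strip()
    missing = field.endswith("(file missing)")
    if missing:
        field = field[: -len("(file missing)")].strip()
    return field, missing


def _is_internal(host):
    """True for loopback/private literal IPs; hostnames are treated as external."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def triage(log_text):
    """Return a list of {section, reason, line} findings for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []

        if sec == "R1" and "ProxyServer" in body:
            host = body.split("=")[-1].strip().split(":")[0]
            if host and not _is_internal(host):
                reasons.append("proxy set to external address " + host)
        if sec in ("R0", "R1") and "http://" in body:
            reasons.append("browser start/search URL changed; confirm the user chose it")
        if sec == "O21":
            reasons.append("SSODL entry (DLL loaded by the shell at logon)")

        field, missing = _last_field(body)
        if missing:
            reasons.append("referenced file is missing (dangling entry)")
        if re.match(r"^[A-Za-z]:\\", field):
            path = PureWindowsPath(field)
            parent = str(path.parent).lower()
            in_win_root = parent in WINDOWS_ROOTS
            in_temp = "\\temp\\" in (parent + "\\")
            if (in_win_root or in_temp) and RANDOM_NAME_RE.match(path.stem):
                reasons.append("random-looking filename in " + str(path.parent))

        for reason in reasons:
            findings.append({"section": sec, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f["section"], f["reason"], f["line"]))
```

Run it as a script to see the flagged lines; `triage()` takes any full log text, so pointing it at a saved `hijackthis.log` works the same way. The Adobe BHO and the RealVNC service produce no findings, which is the point: the script narrows attention rather than replacing the helper's judgement.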

Re: New Member with a malware problem

Unread postby SpotCheckBilly » January 12th, 2008, 8:18 pm

Hello Earendil,

Welcome to the MRU forums.

Sorry it took so long for someone to respond. As you can probably see it's very busy around here and there often are just not enough of us to keep up.

===Very Important===


The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================


Something to keep in mind as we work through this fix. Please do not run any scans/tools or other fixes unless I ask you to. This is very important for two reasons:
1. Infections usually require that steps be done in specific order to make sure it is cleaned out completely.
2. Most of the tools that we use nowadays can cause irreparable damage to your computer if not used correctly.

That being said, let's get started. :)

Please download SmitfraudFix (by S!Ri) to your Desktop.
Next, please download AVG Anti-Spyware 7.5 and save it to your desktop. This is a 30-day trial of the program.
  1. Locate the setup icon on the desktop.
  2. Double-click it to launch setup.
  3. Select Change state to inactive to disable 'Resident Shield' and 'Automatic Updates'
  4. Right click the AVG Anti-Spyware icon in the system tray.
  5. Uncheck Start with Windows.

    Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  6. On the main screen select the Update icon .
  7. Select the Update now link.
  8. Next select the Start Update button. The update will start and a progress bar will show the updates being installed.

    If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  9. Once the update has completed select the Scanner icon at the top of the screen.
  10. Select the Settings tab.
  11. In the Settings screen click on Recommended actions.
  12. Select Quarantine.
  13. Under Reports:
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
    Close AVG Anti-Spyware.

    Do Not run a scan just yet. We will shortly.

    Double-click smitfraudfix.exe
    • Select option #1 - Search by typing 1.
    • Hit Enter. NOTE: The scan will take some time so please be patient while it works.
    • When scan is complete, the results will be displayed in Notepad .
    • A log file named rapport.txt will be created in your root drive, typically Local Disk C: OR the partition where your operating system is installed.

NOTE: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user. Reference article

IMPORTANT: Do NOT run any other options until you are asked to do so!

In your next reply, please post:
c:\rapport.txt :wave:

SpotCheckBilly
MRU Master
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: New Member with a malware problem

Unread postby NonSuch » January 20th, 2008, 4:30 pm

Due to a lack of response this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
