
Constant Pop Ups And Balloon Messages Of Backdoor Trojans.


5 replies to this topic

#1 dnd007

dnd007

  • Members
  • 3 posts

Posted 27 October 2007 - 05:28 PM

I use Firefox and I still get IE pop-ups, and my computer constantly shows balloons that I have backdoor trojans that are stealing my info. I ran AVG and the problem still persists. Here is my HijackThis log. My Radeon 9500 display drivers are also crashing, not sure if it's due to the virus/malware?? Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:19 PM, on 10/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\xybfhhxi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
F:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\WINDOWS\plite731.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmlsweb.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DEC724E-FD72-4444-BC3A-F8B1472E2416} - C:\WINDOWS\System32\geebb.dll (file missing)
O2 - BHO: (no name) - {1f03bb04-1f3a-4677-b5d2-30f06e23f1e3} - C:\WINDOWS\System32\xbbpldk.dll
O2 - BHO: (no name) - {353DF515-11A3-43A5-B634-DFF472E2D007} - C:\Program Files\Outlook Express\wozefom4444.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\System32\vtusstt.dll (file missing)
O2 - BHO: (no name) - {89BB9CAF-7BAD-112D-EB07-3A6B01015731} - C:\DOCUME~1\Default\APPLIC~1\TRAYON~1\Wait idle.exe (file missing)
O2 - BHO: (no name) - {8A5883BF-DEDC-4318-9BF4-E4DDB59FE5B5} - C:\Program Files\Outlook Express\wozefom83122.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\System32\ifwfvynf.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\ifwfvynf.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "f:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [time 2 trust seek] C:\Documents and Settings\All Users\Application Data\else lite time 2\Defy Eq.exe
O4 - HKLM\..\Run: [Windows LSASS Service] F:\DAO\svchost.exe
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\converter\fdm.exe -autorun
O4 - HKCU\..\Run: [Win open] C:\DOCUME~1\Default\APPLIC~1\POPFOR~1\setup help ford.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.rmlsweb.com
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146862633843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: ifwfvynf - C:\WINDOWS\SYSTEM32\ifwfvynf.dll
O20 - Winlogon Notify: vtusstt - vtusstt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\b3duZXIg\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\xybfhhxi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\fsortymyhdefs.html

--
End of file - 8976 bytes

Edited by dnd007, 27 October 2007 - 05:31 PM.



#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 27 October 2007 - 08:02 PM

Hello there and welcome to Bleeping Computer's security forum. :thumbsup:

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 dnd007

dnd007
  • Topic Starter

  • Members
  • 3 posts

Posted 28 October 2007 - 04:24 AM

Here is the ComboFix log next to the new HijackThis log. Thank you ahead of time!



ComboFix 07-10-26.4 - Default 2007-10-28 1:15:17.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.196 [GMT -7:00]
Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\BSD2WVPB\www.broadcaster.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Default\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Default\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Default\Favorites\Online Security Guide.lnk
C:\Program Files\Internet Explorer\fsortymyhdefs.html
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\Outlook Express\wozefom4444.dll
C:\Program Files\Outlook Express\wozefom83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\ifwfvynf.dllbox
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\p8\stallbb1.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\s2\EMDT83122.exe
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\xbbpldk.dll
C:\WINDOWS\system32\xybfhhxi.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-28 01:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 21:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-26 21:45 <DIR> d-------- C:\Documents and Settings\Default\Application Data\AVG7
2007-10-26 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-26 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-26 21:40 340,032 --a------ C:\WINDOWS\SYSTEM32\ifwfvynf.dll
2007-10-26 21:39 340,032 --a------ C:\WINDOWS\SYSTEM32\qkokagma.dll
2007-10-26 17:43 <DIR> d--hs---- C:\FOUND.010
2007-10-26 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 11:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 09:34 410,088 ---hs---- C:\WINDOWS\SYSTEM32\bbeeg.bak2
2007-10-26 09:31 <DIR> d--hs---- C:\FOUND.009
2007-10-25 19:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-25 15:02 6,465 ---hs---- C:\WINDOWS\SYSTEM32\bbeeg.bak1
2007-10-25 14:57 <DIR> d--hs---- C:\WINDOWS\b3duZXIg
2007-10-25 14:57 <DIR> d-------- C:\Temp
2007-10-25 14:57 294,668 --a------ C:\WINDOWS\frexup2.exe
2007-10-25 14:57 13,824 --a------ C:\WINDOWS\plite731.exe
2007-10-25 14:57 179 --a------ C:\WINDOWS\tsitra1000106.exe
2007-10-25 14:57 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-21 17:56 <DIR> d-------- C:\ATI
2007-10-21 17:56 110,677 --------- C:\WINDOWS\SYSTEM32\ati2sgag.exe
2007-10-21 11:58 <DIR> d--hs---- C:\FOUND.008
2007-10-20 22:51 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2007-10-20 14:30 <DIR> d-------- C:\Documents and Settings\Default\Application Data\ATI
2007-10-20 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-10-20 14:09 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-20 13:40 <DIR> d-------- C:\WINDOWS\LogFiles
2007-10-20 13:30 <DIR> d--hs---- C:\FOUND.007
2007-10-15 23:33 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2007-10-15 23:33 12,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\mouhid.sys
2007-10-11 12:59 <DIR> d--hs---- C:\FOUND.006
2007-10-09 22:09 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-08 17:26 <DIR> d--hs---- C:\FOUND.005
2007-09-29 21:04 <DIR> d-------- C:\Program Files\Common Files\NSV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-31 02:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-31 02:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2004-02-02 08:37 3,770,175 ------w C:\Documents and Settings\GameSpot DLX Secure Delivery\cod_1.2_mp_patch.exe
2003-04-26 20:06 723 ----a-w C:\Program Files\INSTALL.LOG
2002-02-20 21:14 266 --sh--w C:\Program Files\desktop.ini
2002-02-20 21:14 11,079 ---h--w C:\Program Files\folder.htt
2005-12-29 01:49:42 3,662 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2004-10-19 05:26:50 56 --sh--r C:\WINDOWS\SYSTEM32\6CFFF28B74.sys
2003-11-14 21:07:38 8 --sh--w C:\WINDOWS\All Users\DRM\pdrm.dat
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\b3duZXIg\vaxRtrK0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DEC724E-FD72-4444-BC3A-F8B1472E2416}]
C:\WINDOWS\System32\geebb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
C:\WINDOWS\System32\vtusstt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89BB9CAF-7BAD-112D-EB07-3A6B01015731}]
C:\DOCUME~1\Default\APPLIC~1\TRAYON~1\Wait idle.exe

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-26 21:40 340032 --a------ C:\WINDOWS\system32\ifwfvynf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-716D74632608}]
C:\WINDOWS\System32\mtc2608.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-717765721316}]
C:\WINDOWS\System32\wer1316.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ifwfvynf.dll [2007-10-26 21:40 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2002-08-29 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"SoundMan"="soundman.exe" [2001-05-29 10:02 C:\WINDOWS\soundman.exe]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 05:49]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 11:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-26 15:27]
"DAEMON Tools"="f:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 15:00]
"time 2 trust seek"="C:\Documents and Settings\All Users\Application Data\else lite time 2\Defy Eq.exe" []
"sealmon"="C:\Program Files\SealedMedia\sealmon.exe" [2006-12-19 14:27]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" []
"plite731"="C:\WINDOWS\plite731.exe" [2007-10-25 14:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 21:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\converter\fdm.exe" []
"Win open"="C:\DOCUME~1\Default\APPLIC~1\POPFOR~1\setup help ford.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ISMPack8"="C:\Program Files\ISM2\ISMPack8.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2002-08-08 13:44:41]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\System32\vtusstt.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ifwfvynf]
ifwfvynf.dll 2007-10-26 21:40 340032 C:\WINDOWS\SYSTEM32\ifwfvynf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusstt]
vtusstt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"ATTBroadbandUpdate"=C:\Program Files\AT&T\BBClient\Programs\SAUpdate.exe
"AVG_CC"=C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
"sp"=regedit -s C:\WINDOWS\sp.reg
"Uninstall0001"="C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"XupiterStartup"=C:\Program Files\Xupiter\XupiterStartup.exe
"XupiterCfgLoader"=C:\Program Files\Xupiter\XTCfgLoader.exe
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Bart Station"=C:\Program Files\ISP50\hta\station.sbrt
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
"LexStart"=lexstart.exe

R3 SaiNtHid;SaiNtHid;C:\WINDOWS\System32\DRIVERS\SaiNtHid.sys
R3 SaiNtSub;SaiNtSub;C:\WINDOWS\System32\DRIVERS\SaiNtSub.sys
R3 SUNPLUS;SightCAM PC-100p;C:\WINDOWS\System32\Drivers\SPIXNEW.SYS
S3 acfva;acfva;C:\WINDOWS\System32\DRIVERS\acfva.sys
S3 o1394bul;o1394bul;\??\C:\DOCUME~1\Default\LOCALS~1\Temp\o1394bul.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-10-28 01:38:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 01:20:07
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 1:21:10 - machine was rebooted
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:57 AM, on 10/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
F:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmlsweb.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DEC724E-FD72-4444-BC3A-F8B1472E2416} - C:\WINDOWS\System32\geebb.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\System32\vtusstt.dll (file missing)
O2 - BHO: (no name) - {89BB9CAF-7BAD-112D-EB07-3A6B01015731} - C:\DOCUME~1\Default\APPLIC~1\TRAYON~1\Wait idle.exe (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "f:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [time 2 trust seek] C:\Documents and Settings\All Users\Application Data\else lite time 2\Defy Eq.exe
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\converter\fdm.exe -autorun
O4 - HKCU\..\Run: [Win open] C:\DOCUME~1\Default\APPLIC~1\POPFOR~1\setup help ford.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.rmlsweb.com
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146862633843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: ifwfvynf - C:\WINDOWS\SYSTEM32\ifwfvynf.dll
O20 - Winlogon Notify: vtusstt - vtusstt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8134 bytes

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 28 October 2007 - 10:22 AM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1DEC724E-FD72-4444-BC3A-F8B1472E2416} - C:\WINDOWS\System32\geebb.dll (file missing)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\System32\vtusstt.dll (file missing)
O2 - BHO: (no name) - {89BB9CAF-7BAD-112D-EB07-3A6B01015731} - C:\DOCUME~1\Default\APPLIC~1\TRAYON~1\Wait idle.exe (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll
O4 - HKLM\..\Run: [time 2 trust seek] C:\Documents and Settings\All Users\Application Data\else lite time 2\Defy Eq.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKCU\..\Run: [Win open] C:\DOCUME~1\Default\APPLIC~1\POPFOR~1\setup help ford.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O20 - Winlogon Notify: ifwfvynf - C:\WINDOWS\SYSTEM32\ifwfvynf.dll
O20 - Winlogon Notify: vtusstt - vtusstt.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\ifwfvynf.dll
C:\WINDOWS\SYSTEM32\qkokagma.dll
C:\WINDOWS\SYSTEM32\bbeeg.bak2
C:\WINDOWS\SYSTEM32\bbeeg.bak1
C:\WINDOWS\frexup2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\System32\geebb.dll
C:\WINDOWS\System32\vtusstt.dll
C:\WINDOWS\System32\mtc2608.dll
C:\WINDOWS\System32\wer1316.dll

Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click "Yes".

Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:
C:\WINDOWS\b3duZXIg
C:\Documents and Settings\All Users\Application Data\else lite time 2
C:\Documents and Settings\Default\Application Data\popfor~1 (folder starting with "popfor")

I want you to clean your cache and cookies from your Internet Explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to Start and click on the "Run" button.
Type the following in the box: cleanmgr, and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Reboot back into normal mode.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX control that allows ActiveScan to run.

When the download is complete it will say Ready; click "Next".
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also, download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
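
The two HijackThis logs in this thread (the one posted before this reply and the one posted after the fix) are easiest to verify entry by entry rather than by eye. The script below is an added example, not part of this thread or of the HijackThis tool: it keys each entry on its CLSID, its Run value name, or its notify/service name, so that an entry which has merely gained "(file missing)" still matches its earlier form, and then reports what the cleanup removed, what is new, and what is left dangling. BEFORE and AFTER are constructed excerpts built from entries that appear in the logs in this thread.

```python
"""Compare two HijackThis logs entry by entry to verify a cleanup.

Added example for this thread; not part of the original posts or of the
HijackThis tool. BEFORE and AFTER are constructed excerpts made from entries
that appear in the two logs posted in this thread.
"""
import re
from typing import Dict, List

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O20, O23, ...)
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def identity(section: str, body: str) -> str:
    """Stable key for an entry; unchanged when its path turns into '(file missing)'."""
    guid = GUID_RE.search(body)
    if guid:                                   # O2/O3/O9/O16: the CLSID is the identity
        return f"{section} {guid.group(0).upper()}"
    if section == "O4":                        # Run value: hive + value name, e.g. HKLM\..\Run: [plite731]
        m = re.match(r"(.+?\])", body)
        if m:
            return f"{section} {m.group(1)}"
    # O20 notify name, O23 service name, O15 zone entry: everything before the first " - "
    return f"{section} {body.split(' - ')[0]}"


def parse_entries(log: str) -> Dict[str, str]:
    """Map entry identity -> full log line for every HijackThis entry in the text."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[identity(m.group("section"), m.group("body"))] = line
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What the cleanup removed, what appeared since, and what is left dangling."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        # registry references whose file is gone: inert, but fix them so the log stays clean
        "orphaned": sorted(k for k, line in a.items() if "(file missing)" in line),
    }


# Constructed excerpt of the log posted before this reply.
BEFORE = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O20 - Winlogon Notify: ifwfvynf - C:\WINDOWS\SYSTEM32\ifwfvynf.dll
O20 - Winlogon Notify: vtusstt - vtusstt.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed excerpt of the log posted after the fix.
AFTER = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: ifwfvynf - ifwfvynf.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for kind, keys in diff_logs(BEFORE, AFTER).items():
        print(kind)
        for k in keys:
            print("   ", k)
```

Orphaned entries are registry references whose DLL has already been deleted; they do nothing by themselves (which is why the leftover ifwfvynf entries are simply fixed in HijackThis in the later reply), but a cleanup is not finished until they are gone too, and the O16 entry that appeared is the scanner's own ActiveX control, not a new infection.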

#5 dnd007
  • Topic Starter

  • Members
  • 3 posts

Posted 28 October 2007 - 08:40 PM

I did everything you said. Here are the following logs. Thanks in advance!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:18 PM, on 10/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
F:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmlsweb.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "f:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\converter\fdm.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.rmlsweb.com
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146862633843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: ifwfvynf - ifwfvynf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6871 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 28, 2007 4:29:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/10/2007
Kaspersky Anti-Virus database records: 447714
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 66463
Number of viruses found: 14
Number of infected objects: 79
Number of suspicious objects: 0
Duration of the scan process: 01:03:33

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\DRIVERS\sptd9421.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\dtscsi.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\secure33.txt Infected: not-virus:Hoax.Win32.Renos.y skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{902FB9C3-BE4B-4772-AE38-166E21F524D9}.bin Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071028-121438-813.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071028-122038-440.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\!KillBox\plite731.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\!KillBox\frexup2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\!KillBox\frexup2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\!KillBox\frexup2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\!KillBox\frexup2.exe NSIS: infected - 3 skipped
C:\!KillBox\qkokagma.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\!KillBox\ifwfvynf.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xybfhhxi.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\s2\EMDT83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\s2\EMDT83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\hosts.vir Infected: Trojan.Win32.Qhost.m skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\Program Files\Outlook Express\wozefom83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\Outlook Express\wozefom4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealmon.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.key Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.idx Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.db.0 Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.db.1 Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.db.2 Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.db.3 Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\Data\sealnl.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\SealedMedia\offline.txt Object is locked skipped
C:\Documents and Settings\Default\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Default\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default\Local Settings\History\History.IE5\MSHist012007102820071029\index.dat Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Default\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Default\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default\.jpi_cache\file\1.0\Dummy.class-63644d4e-51504867.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP827\A0103123.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP827\A0103124.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP827\A0103126.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP827\A0103127.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-6.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-7.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-8.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-11.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-12.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-13.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-14.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-17.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-18.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-19.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-20.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP828\snapshot\MFEX-21.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-6.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-7.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-8.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-9.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-11.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-12.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-13.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-14.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-17.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-18.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-19.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-20.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\snapshot\MFEX-21.DAT Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP829\A0103232.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106506.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106507.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106508.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106514.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106514.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106517.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106517.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106701.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106702.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106703.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106703.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106703.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106703.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106704.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\change.log Object is locked skipped
F:\NetPumper\ZM\NP_0025_1.exe Infected: Packed.Win32.PolyCrypt.d skipped
F:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

Scan process completed.

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Sun 10/28/2007 16:32:32.43

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 16:32:33
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0
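
Reading a report like the Kaspersky one above by hand is where mistakes happen: hits inside C:\qoobox, C:\!KillBox and HijackThis\backups are copies already moved aside by the earlier cleanup, copies inside System Volume Information come back only if a restore point is applied, and "Object is locked" lines are not detections at all. The script below is an added example (not part of this thread or of Kaspersky's scanner) that sorts the report into those buckets so that only live hits remain to be acted on. SAMPLE_REPORT is a constructed excerpt of lines taken from the report above; the location and verdict rules are this example's own.

```python
"""Triage a Kaspersky Online Scanner report by location and verdict class.

Added example for this thread; not part of the original post or of the
scanner. SAMPLE_REPORT is a constructed excerpt of lines from the report
posted above; the classification rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# path, then one of three verdict forms, then the action (always "skipped" in an online scan)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected: \S+|NSIS: infected - \d+|Object is locked) skipped$"
)


@dataclass
class Finding:
    path: str
    verdict: str
    location: str   # live | quarantine | restore_point
    cls: str        # locked | not_a_virus | container | malware


def classify_location(path: str) -> str:
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # System Restore copy; only comes back if a restore is run
    if "\\qoobox\\" in p or "\\!killbox\\" in p or "\\hijackthis\\backups\\" in p:
        return "quarantine"         # already moved aside by a cleanup tool
    return "live"


def classify_verdict(verdict: str) -> str:
    if verdict == "Object is locked":
        return "locked"             # not a detection: file was in use and not scanned
    if verdict.startswith("NSIS:"):
        return "container"          # installer whose inner streams were listed on their own lines
    name = verdict[len("Infected: "):]
    if name.startswith(("not-a-virus:", "not-virus:")):
        return "not_a_virus"        # Kaspersky's adware / riskware / hoax class
    return "malware"


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path, verdict = m.group("path"), m.group("verdict")
            findings.append(Finding(path, verdict, classify_location(path), classify_verdict(verdict)))
    return findings


def summarize(findings: List[Finding]) -> Dict:
    """Counts for the buckets that need no action, and the live hits that do."""
    summary: Dict = {"locked": 0, "quarantine": 0, "restore_point": 0,
                     "live": {"malware": [], "not_a_virus": []}}
    for f in findings:
        if f.cls == "locked":
            summary["locked"] += 1
        elif f.location != "live":
            summary[f.location] += 1
        elif f.cls in ("malware", "not_a_virus"):
            summary["live"][f.cls].append((f.path, f.verdict[len("Infected: "):]))
    return summary


# Constructed excerpt of the report posted above.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\secure33.txt Infected: not-virus:Hoax.Win32.Renos.y skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\!KillBox\frexup2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\!KillBox\frexup2.exe NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xybfhhxi.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{37A8249B-691C-4431-9058-E062B5964DD9}\RP832\A0106506.exe Infected: Trojan.Win32.Agent.bck skipped
F:\NetPumper\ZM\NP_0025_1.exe Infected: Packed.Win32.PolyCrypt.d skipped
F:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
"""

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print("locked:", s["locked"], " quarantine:", s["quarantine"], " restore points:", s["restore_point"])
    for cls in ("malware", "not_a_virus"):
        for path, name in s["live"][cls]:
            print(f"live {cls:12} {name:45} {path}")
```

The verdict class alone does not decide the action: secure33.txt lands in the not-a-virus bucket (Kaspersky's Hoax class), yet it is the fake-alert file the helper removes in the next reply, while the mIRC client in the same bucket is a legitimate program. The copies inside the restore points stay on disk until the restore points themselves are purged, so the count is worth reporting even though nothing there is running.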

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 October 2007 - 04:32 AM

Hey there, not much left to do now I hope...

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ifwfvynf.dll (file missing)
O15 - Trusted Zone: www.rmlsweb.com
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O20 - Winlogon Notify: ifwfvynf - ifwfvynf.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\SYSTEM32\secure33.txt
C:\!KillBox
C:\qoobox
F:\NetPumper\ZM\NP_0025_1.exe
F:\Program Files\DAEMON Tools\SetupDTSB.exe
(those last two are probably infected cracks or installers, it's best to get rid of them or redownload them)

Reboot back into normal mode and post a new Hijackthis log.
How is the system running now? :thumbsup:



