Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection


  • Please log in to reply
7 replies to this topic

#1 Prataz

Prataz

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 10 April 2008 - 03:26 AM

Hi,

After using Vundofix, there was still 1 infected file it could not remove. So I then tried VirtumundoBeGone, but still the file could not be removed.
The name of the file that could not be deleted was pmnoLbYo.dll. I don't know what the problem is but it appears to be a spyware trojan that initiates every time you log into windows and slows down the running of the system. Please advise me of how I can get rid of this problem.
Cheers, Paul


Deckard's System Scanner v20071014.68
Run by Paul on 2008-04-10 18:04:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-04-10 08:04:56 UTC - RP134 - Deckard's System Scanner Restore Point
8: 2008-04-10 04:54:42 UTC - RP133 - Removed Norton Security Scan
7: 2008-04-10 04:53:55 UTC - RP132 - Removed Nokia Connectivity Cable Driver
6: 2008-04-10 04:52:24 UTC - RP131 - Removed Windows Live Messenger
5: 2008-04-09 23:35:20 UTC - RP130 - Removed Ad-Aware 2007


-- First Restore Point --
1: 2008-04-08 06:00:37 UTC - RP126 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-10 18:07:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\msn.com
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://desktop.optusnet.com.au/dsl/favorites/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8A4C73-E8F5-4758-BD69-B0777B19743A} - C:\WINDOWS\system32\fccyxuSI.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\pmnoLbYo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {804C5753-F3BE-4976-96C5-869F573595D8} - C:\WINDOWS\system32\opnooNGa.dll
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF355349-6853-4D68-BD9E-3CD40F1E04D5} - (no file)
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [b4e4842d] rundll32.exe "C:\WINDOWS\system32\ifwrrxif.dll",b
O4 - HKLM\..\Run: [BMb7d7b7b1] Rundll32.exe "C:\WINDOWS\system32\uhfwpttn.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: geBssTLD - C:\WINDOWS\system32\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 8943 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R1 OsaFsLoc - c:\windows\system32\drivers\osafsloc.sys <Not Verified; OSA Technologies; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 int15.sys - c:\acer\empowering technology\erecovery\int15.sys
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; OSA Technologies, An Avocent Company; Windows ® 2000 DDK driver>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows ® 2000 DDK provider; OSA int15 Driver>
R3 NdisFilt (OSA NdisFilter Protocol) - c:\windows\system32\drivers\ndisfilt.sys <Not Verified; OSA Technologies; >
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; Avanquest Software; BVRPNDIS Rawether for Windows>
S3 ENETHUSB (Speedstream Ethernet USB Adapter) - c:\windows\system32\drivers\enethusb.sys <Not Verified; Siemens Subscriber Networks, Inc.; Speedstream Ethernet USB Adapter>
S3 NETMNT (Acer NetMonitor Protocol) - c:\windows\system32\drivers\netmnt.sys
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AWService (AdminWorks Agent X6) - "c:\acer\empowering technology\admserv.exe" <Not Verified; Avocent Inc.; Acer Empowering framework>

S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" (file missing)
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_006A1025&REV_10\4&AD1B67F&0&38F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_006A1025&REV_10\4&AD1B67F&0&38F0
Service: RTL8023xp

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Generic CardBus Controller
Device ID: PCI\VEN_1524&DEV_1410&SUBSYS_006A1025&REV_01\4&AD1B67F&0&48F0
Manufacturer: Microsoft
Name: Generic CardBus Controller
PNP Device ID: PCI\VEN_1524&DEV_1410&SUBSYS_006A1025&REV_01\4&AD1B67F&0&48F0
Service: pcmcia


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 11:39:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-10 and 2008-04-10 -----------------------------

2008-04-10 16:35:28 0 d-------- C:\VundoFix Backups
2008-04-10 14:40:48 3648 --a------ C:\WINDOWS\system32\nwuyppcl.dll
2008-04-10 09:47:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 17:06:57 3648 --a------ C:\WINDOWS\system32\gqhqkcse.dll
2008-04-09 17:03:56 198229 --ahs---- C:\WINDOWS\system32\aGNoonpo.ini2
2008-04-09 17:03:48 269824 --a------ C:\WINDOWS\system32\opnooNGa.dll
2008-04-09 16:15:25 0 d-------- C:\Program Files\Lavasoft
2008-04-09 16:15:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 15:58:42 36864 -----n--- C:\WINDOWS\system32\pmnoLbYo.dll
2008-04-08 21:05:56 0 d-------- C:\Documents and Settings\Paul\Application Data\PC Tools
2008-04-08 21:04:06 0 d-------- C:\Program Files\Common Files\PC Tools
2008-04-08 21:03:57 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-04-08 21:03:57 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-08 16:00:27 14023 --ahs---- C:\WINDOWS\system32\ISuxyccf.ini2
2008-04-07 20:39:29 39424 -r-hs---- C:\WINDOWS\msn.com
2008-03-31 17:06:26 0 d-------- C:\Program Files\iPod
2008-03-20 11:23:18 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-14 17:09:20 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-14 17:08:16 0 d-------- C:\Program Files\DIFX
2008-03-14 17:08:15 0 d-------- C:\Documents and Settings\Paul\Application Data\Nokia
2008-03-14 17:07:00 0 d-------- C:\Documents and Settings\Paul\Application Data\PC Suite
2008-03-14 17:06:43 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-14 17:06:29 90624 --a------ C:\WINDOWS\system32\nmwcdcls.dll <Not Verified; Nokia; >
2008-03-14 17:04:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Installations


-- Find3M Report ---------------------------------------------------------------

2008-04-10 14:52:46 0 d-------- C:\Program Files\Windows Live
2008-04-10 10:53:29 0 d-------- C:\Program Files\Common Files
2008-04-03 18:16:15 0 d-------- C:\Program Files\Java
2008-03-31 17:06:57 0 d-------- C:\Program Files\iTunes
2008-03-31 17:04:44 0 d-------- C:\Program Files\QuickTime
2008-03-20 11:24:49 1547 --a------ C:\WINDOWS\mozver.dat
2008-03-08 13:45:21 0 d-------- C:\Program Files\Common Files\CANON
2008-03-08 13:41:14 0 d-------- C:\Program Files\Canon
2008-03-08 13:38:39 0 d--h----- C:\Program Files\CanonBJ
2008-03-03 18:00:49 0 d-------- C:\Documents and Settings\Paul\Application Data\Apple Computer
2008-03-03 17:57:56 0 d-------- C:\Program Files\MoviePod
2008-02-25 11:08:49 0 d-------- C:\Documents and Settings\Paul\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8A4C73-E8F5-4758-BD69-B0777B19743A}]
C:\WINDOWS\system32\fccyxuSI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
09/04/2008 03:58 PM 36864 --------- C:\WINDOWS\system32\pmnoLbYo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{804C5753-F3BE-4976-96C5-869F573595D8}]
09/04/2008 05:03 PM 269824 --a------ C:\WINDOWS\system32\opnooNGa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF355349-6853-4D68-BD9E-3CD40F1E04D5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [19/05/2005 04:09 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 04:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 04:00 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [24/08/2005 11:50 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [24/08/2005 11:47 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [24/08/2005 11:51 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/02/2005 10:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/02/2005 10:11 AM]
"SoundMan"="SOUNDMAN.EXE" [15/04/2005 10:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [10/11/2005 06:09 PM]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [09/11/2005 10:04 AM]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [16/11/2005 04:00 PM]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [24/10/2005 03:45 PM]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [26/07/2005 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [28/09/2007 07:50 AM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [04/04/2007 11:50 AM]
"RavAV"="C:\WINDOWS\RavMonE.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"Windows live Messenger"="msn.com" [07/04/2008 08:39 PM C:\WINDOWS\msn.com]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [05/03/2008 09:37 AM]
"b4e4842d"="C:\WINDOWS\system32\ifwrrxif.dll" []
"BMb7d7b7b1"="C:\WINDOWS\system32\uhfwpttn.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 03:45 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 02:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 04:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 9:05:26 PM]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [17/05/2006 3:05:52 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\pmnoLbYo.dll [09/04/2008 03:58 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBssTLD]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnooNGa


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5299f15f-9962-11dc-914e-0014a4610977}]
Auto\command- F:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf66a580-b736-11dc-918e-0014a4610977}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-10 18:09:16 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 502.42 MiB / 105.05 MiB
Pagefile Memory (total/avail): 842.25 MiB / 463.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1897.38 MiB

C: is Fixed (NTFS) - 26.14 GiB total, 16.44 GiB free.
D: is Fixed (FAT32) - 26.61 GiB total, 26.39 GiB free.
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST960812A - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 3.13 GiB
\PARTITION1 (bootable) - Installable File System - 26.14 GiB - C:
\PARTITION2 - Unknown - 26.62 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: PC Tools AntiVirus 4.0.0.26 v4.0.0.26 (PC Tools Research Pty Ltd)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"F:\\RavMonE.exe"="F:\\RavMonE.exe:*:Enabled:RavMonE"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Paul\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOPSCOTCH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Paul
LOGONSERVER=\\HOPSCOTCH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
USERDOMAIN=HOPSCOTCH
USERNAME=Paul
USERPROFILE=C:\Documents and Settings\Paul
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Paul (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\PC Tools AntiVirus\unins000.exe /LOG
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eDataSecurity Management 1.00.21 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E431C518-2EE2-471E-9234-BE995C36D513}\setup.exe" -l0x9 -removeonly
Acer eLock Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}
Acer Empowering Technology framework --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{15B70821-7893-4607-805A-BB80F3EA8279}
Acer ePerformance Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DEE08946-40F0-4890-853E-60A6C3306041}
Acer ePower Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer ePresentation Management --> C:\WINDOWS\UnInst32.exe AcerePrj.UNI
Acer eSettings Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Canon iP3500 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP3500_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP3500_series /L0x0009
Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX --> C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
MoviePod --> MsiExec.exe /I{46DAC53E-238A-410B-8BEF-2AD64254C398}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
NETGEAR WG111v2 wireless USB 2.0 adapter --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{E0F252A6-DE85-4E93-A93B-DFC3537B3965}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OptusNet DSL --> C:\Program Files\OptusNet DSL Internet\Uninstall.exe
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PC Tools AntiVirus4.0 --> "C:\Program Files\PC Tools AntiVirus\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Siemens Subscriber Networks SpeedStream DSL --> C:\Program Files\Siemens Subscriber Networks\SpeedStream DSL\setup.exe -uninstall
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025\HXFSETUP.EXE -U -IVEN_8086&DEV_266D&SUBSYS_006A1025
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
X3watch 5.0.5 --> "C:\Program Files\X3watch\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6005 / Error
Event Submitted/Written: 04/10/2008 04:16:11 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6004 / Error
Event Submitted/Written: 04/10/2008 04:16:11 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6003 / Error
Event Submitted/Written: 04/10/2008 04:16:11 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5970 / Error
Event Submitted/Written: 04/10/2008 02:47:24 PM
Event ID/Source: 215 / ESENT
Event Description:
wlmail (120) WindowsLiveMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Event Record #/Type5960 / Error
Event Submitted/Written: 04/10/2008 02:46:28 PM
Event ID/Source: 215 / ESENT
Event Description:
wlmail (3344) WindowsLiveMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32624 / Error
Event Submitted/Written: 04/10/2008 05:39:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error:
%%2

Event Record #/Type32620 / Error
Event Submitted/Written: 04/10/2008 05:38:49 PM / 04/10/2008 05:39:19 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type32613 / Error
Event Submitted/Written: 04/10/2008 05:34:12 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type32612 / Error
Event Submitted/Written: 04/10/2008 05:34:08 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type32611 / Error
Event Submitted/Written: 04/10/2008 05:29:19 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-04-10 18:09:16 ------------

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:11 AM

Posted 10 April 2008 - 05:01 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1F8A4C73-E8F5-4758-BD69-B0777B19743A} - C:\WINDOWS\system32\fccyxuSI.dll (file missing)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\pmnoLbYo.dll
O2 - BHO: (no name) - {804C5753-F3BE-4976-96C5-869F573595D8} - C:\WINDOWS\system32\opnooNGa.dll
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - (no file)
O2 - BHO: (no name) - {AF355349-6853-4D68-BD9E-3CD40F1E04D5} - (no file)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [b4e4842d] rundll32.exe "C:\WINDOWS\system32\ifwrrxif.dll",b
O4 - HKLM\..\Run: [BMb7d7b7b1] Rundll32.exe "C:\WINDOWS\system32\uhfwpttn.dll",s
O20 - Winlogon Notify: geBssTLD - C:\WINDOWS\system32\

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\gqhqkcse.dll
C:\WINDOWS\system32\aGNoonpo.ini2
C:\WINDOWS\system32\opnooNGa.dll
C:\WINDOWS\system32\pmnoLbYo.dll
C:\WINDOWS\system32\ISuxyccf.ini2
C:\WINDOWS\msn.com
C:\WINDOWS\system32\ifwrrxif.dll
C:\WINDOWS\RavMonE.exe
C:\WINDOWS\system32\uhfwpttn.dll

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Edited by D-Trojanator, 10 April 2008 - 05:01 AM.


#3 Prataz

Prataz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 10 April 2008 - 06:07 AM

hi david, thanks for your help.

here is the combofix log followed by the hijackthislog. hope its all clean now!

ComboFix 08-04-09.8 - Paul 2008-04-10 20:47:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.200 [GMT 10:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb7d7b7b1.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGNoonpo.ini
C:\WINDOWS\system32\aGNoonpo.ini2
C:\WINDOWS\system32\ceykcxbx.dll
C:\WINDOWS\system32\iajyqdjc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnooNGa.dll
C:\WINDOWS\system32\pmnoLbYo.dll
C:\WINDOWS\system32\xbxckyec.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 18:45 . 2008-04-10 18:45 3,648 --a------ C:\WINDOWS\system32\mgtlewcw.dll
2008-04-10 18:04 . 2008-04-10 18:04 <DIR> d-------- C:\Deckard
2008-04-10 16:35 . 2008-04-10 16:56 <DIR> d-------- C:\VundoFix Backups
2008-04-10 16:05 . 2004-08-04 04:00 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2008-04-10 16:05 . 2004-08-04 04:00 123,392 --a------ C:\WINDOWS\system32\dllcache\mplay32.exe
2008-04-10 16:02 . 2004-08-04 04:00 345,088 --a------ C:\WINDOWS\system32\hypertrm.dll
2008-04-10 14:40 . 2008-04-10 14:40 3,648 --a------ C:\WINDOWS\system32\nwuyppcl.dll
2008-04-10 09:47 . 2008-04-10 09:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 09:47 . 2008-04-10 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 16:15 . 2008-04-09 16:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 16:15 . 2008-04-10 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-08 21:05 . 2008-04-09 08:57 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\PC Tools
2008-04-08 21:04 . 2008-04-08 21:04 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-08 21:04 . 2007-12-06 16:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-04-08 21:04 . 2007-12-06 16:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-04-08 21:04 . 2008-02-12 11:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-04-08 21:03 . 2008-04-10 20:37 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-04-08 21:03 . 2008-04-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-08 16:00 . 2008-04-09 09:38 14,074 --ahs---- C:\WINDOWS\system32\ISuxyccf.ini
2008-03-31 17:06 . 2008-03-31 17:06 <DIR> d-------- C:\Program Files\iPod
2008-03-20 11:23 . 2008-03-20 11:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-14 17:09 . 2008-03-14 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-14 17:08 . 2008-03-14 17:08 <DIR> d-------- C:\Program Files\DIFX
2008-03-14 17:08 . 2008-03-14 17:31 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Nokia
2008-03-14 17:07 . 2008-03-14 17:27 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\PC Suite
2008-03-14 17:06 . 2008-03-14 17:06 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-14 17:06 . 2007-02-22 09:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-03-14 17:04 . 2008-03-14 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\x3watch
2008-04-10 10:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 08:39 --------- d-----w C:\Program Files\Windows Live
2008-04-10 08:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-03 08:16 --------- d-----w C:\Program Files\Java
2008-03-31 07:06 --------- d-----w C:\Program Files\iTunes
2008-03-31 07:04 --------- d-----w C:\Program Files\QuickTime
2008-03-08 03:45 --------- d-----w C:\Program Files\Common Files\CANON
2008-03-08 03:41 --------- d-----w C:\Program Files\Canon
2008-03-08 03:39 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-08 03:38 --------- d--h--w C:\Program Files\CanonBJ
2008-03-03 08:00 --------- d-----w C:\Documents and Settings\Paul\Application Data\Apple Computer
2008-03-03 07:57 --------- d-----w C:\Program Files\MoviePod
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8A4C73-E8F5-4758-BD69-B0777B19743A}]
C:\WINDOWS\system32\fccyxuSI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{804C5753-F3BE-4976-96C5-869F573595D8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF355349-6853-4D68-BD9E-3CD40F1E04D5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 16:09 32768]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 11:50 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-08-24 11:47 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-08-24 11:51 114688]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 10:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 10:11 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 10:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 18:09 212992]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 10:04 3084288]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 16:00 397312]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 15:45 2462208]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 10:36 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" [2007-09-28 07:50 299008]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 11:50 1603152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 15:05:52 2297856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBssTLD]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15856:TCP"= 15856:TCP:NortonAV
"17974:TCP"= 17974:TCP:NortonAV
"15790:TCP"= 15790:TCP:NortonAV
"15941:TCP"= 15941:TCP:NortonAV
"14167:TCP"= 14167:TCP:NortonAV
"12676:TCP"= 12676:TCP:NortonAV
"15942:TCP"= 15942:TCP:NortonAV
"17269:TCP"= 17269:TCP:NortonAV
"16022:TCP"= 16022:TCP:NortonAV
"13729:TCP"= 13729:TCP:NortonAV
"16970:TCP"= 16970:TCP:NortonAV
"18375:TCP"= 18375:TCP:NortonAV
"15767:TCP"= 15767:TCP:NortonAV
"12468:TCP"= 12468:TCP:NortonAV
"18721:TCP"= 18721:TCP:NortonAV
"12881:TCP"= 12881:TCP:NortonAV
"13196:TCP"= 13196:TCP:NortonAV
"12104:TCP"= 12104:TCP:NortonAV
"15147:TCP"= 15147:TCP:NortonAV
"14128:TCP"= 14128:TCP:NortonAV
"12545:TCP"= 12545:TCP:NortonAV
"16665:TCP"= 16665:TCP:NortonAV
"15940:TCP"= 15940:TCP:NortonAV
"14415:TCP"= 14415:TCP:NortonAV
"15023:TCP"= 15023:TCP:NortonAV

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 17:20]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 12:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 17:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 13:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 15:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 14:57]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 14:34]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 16:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 01:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 20:51:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-10 20:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 10:54:13
Pre-Run: 17,534,077,952 bytes free
Post-Run: 17,473,719,296 bytes free
.
2008-04-08 23:44:48 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:46 PM, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8A4C73-E8F5-4758-BD69-B0777B19743A} - C:\WINDOWS\system32\fccyxuSI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: geBssTLD - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7608 bytes

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:11 AM

Posted 10 April 2008 - 11:24 AM

Good work! Let's continue.. :thumbsup:
Again you might want to print this, as we will be going into safe mode.

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1F8A4C73-E8F5-4758-BD69-B0777B19743A} - C:\WINDOWS\system32\fccyxuSI.dll (file missing)
O20 - Winlogon Notify: geBssTLD - C:\WINDOWS\

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\mgtlewcw.dll
C:\WINDOWS\system32\nwuyppcl.dll

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Reboot back into normal mode.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Click start > run and type the following and hit enter: attrib -h -s -a C:\WINDOWS\system32\ISuxyccf.ini

Then, please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\ISuxyccf.ini

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

#5 Prataz

Prataz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 11 April 2008 - 06:25 AM

Here is the Kaspersky scan results and the new Hijackthis log.
Cheers, Paul

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:28 PM, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8A4C73-E8F5-4758-BD69-B0777B19743A} - C:\WINDOWS\system32\fccyxuSI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.35\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.35\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: geBssTLD - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7292 bytes




Friday, April 11, 2008 9:08:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 697222
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 41944
Number of viruses found 3
Number of infected objects 24
Number of suspicious objects 0
Duration of the scan process 01:13:32

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Report Logs\Report39549.809571759259.xml Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\cert8.db Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\history.dat Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\key3.db Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\parent.lock Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Paul\Application Data\PC Tools\PC Tools AntiVirus\Application Logs\PCToolsAntivirus.txt Object is locked skipped
C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ho7nefol.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DFF56B.tmp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PC Tools AntiVirus\PCTAVService.txt Object is locked skipped
C:\Program Files\PC Tools AntiVirus\~ulo Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ceykcxbx.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnoLbYo.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-10_205122.73.zip/Documents and Settings/Paul/Desktop/catchme.zip/opnooNGa.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-10_205122.73.zip/Documents and Settings/Paul/Desktop/catchme.zip Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-10_205122.73.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP126\A0013748.com Infected: Backdoor.Win32.IRCBot.cht skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP128\A0013895.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP128\A0013896.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017252.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017253.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017254.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017256.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017257.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP133\A0017269.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP135\A0018369.com Infected: Backdoor.Win32.IRCBot.cht skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP136\A0018402.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP136\A0018404.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP136\change.log Object is locked skipped
C:\VundoFix Backups\efcBsPHW.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\ifwrrxif.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\phhjnijk.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\pmnoLbYo.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\tuvSifEv.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\urqQhEtu.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\VundoFix Backups\vtUolMfe.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\RTacDbg.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:11 AM

Posted 11 April 2008 - 11:30 AM

Just a couple of things left to do now.. :thumbsup:

Please find and delete the following folders:
C:\QooBox
C:\VundoFix Backups

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

By the way, the file you uploaded appears to be harmless, so we'll leave it alone.

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now!

#7 Prataz

Prataz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 15 April 2008 - 04:12 AM

com is running fine, thanks heaps for the help!
heres the latest hijackthis log file!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:02 PM, on 15/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Paul\My Documents\Virus Removal\Programs\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.35\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.35\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8126 bytes

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:11 AM

Posted 15 April 2008 - 02:47 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* A article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users