Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected: Waawjhxi / Cliconfgv.dll


  • Please log in to reply
28 replies to this topic

#1 mfasig

mfasig

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 13 August 2008 - 01:58 PM

Hi. I'm getting application error. After opening Outlook, I will get an error re a missing dll.
also get "bad image" errors related to "sauylcjen.dll not a valid Windows image"
According to my research, the processes associated with CLICONFGV.DLL are:
>winlogon.exe
>svchost.exe
>explorer.exe
>rundll32.exe
These are the same programs that give the bad image error.
Thank you.
Michael
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:31 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\iTunesHelper.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PCCGUIDE.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.support.cusa.canon.com/e2/shared/login.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93CD0402-63D6-420F-81D7-840E233EF2C6} - c:\windows\system32\cliconfgv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F6115D0E-EEE2-4B40-9E32-C6A292D34515} - C:\WINDOWS\system32\dmsynthm.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210433024105
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210557467625
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wapgdyhu - C:\WINDOWS\SYSTEM32\cliconfgv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7008 bytes

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 13 August 2008 - 04:39 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 13 August 2008 - 04:58 PM

Hi Charles. I had already done the scan, in anticipation.
Thank you.
Michael
ComboFix 08-08-12.01 - Family 2008-08-13 1:49:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.298.1033.18.2744 [GMT -4:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Michael\Application Data\macromedia\Flash Player\#SharedObjects\A9XWPHVH\interclick.com
C:\Documents and Settings\Michael\Application Data\macromedia\Flash Player\#SharedObjects\A9XWPHVH\interclick.com\ud.sol
C:\Documents and Settings\Michael\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Michael\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\appcert

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-10 13:10 . 2008-08-10 13:10 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
2008-08-10 13:10 . 2008-08-10 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 21:30 . 2008-08-06 21:30 <DIR> d-------- C:\Program Files\iPod
2008-08-06 21:30 . 2008-08-06 21:30 <DIR> d-------- C:\Program Files\Bonjour
2008-07-31 12:08 . 2008-08-02 09:59 <DIR> d-------- C:\Program Files\Comodo
2008-07-31 12:08 . 2008-08-02 09:59 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Comodo
2008-07-31 00:14 . 2008-07-31 00:14 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DivX
2008-07-30 21:24 . 2008-07-30 21:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-18 10:48 . 2008-07-18 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-18 10:25 . 2008-07-25 01:58 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\U3
2008-07-15 18:34 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-07-15 18:34 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-07-15 18:34 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-07-15 18:34 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-07-15 18:34 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-07-15 18:32 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-15 18:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-07-15 18:30 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-07-15 18:29 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-07-15 18:28 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-07-15 18:27 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-15 18:26 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-15 18:25 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-07-15 18:24 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-07-15 18:23 . 2004-08-04 00:56 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-07-15 18:22 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-15 18:21 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-07-15 18:20 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-07-15 18:19 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-15 18:18 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-07-15 18:17 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-15 18:16 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-15 18:15 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-07-15 18:14 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-07-14 00:36 . 2008-08-07 01:39 38 --a------ C:\WINDOWS\AviSplitter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 21:32 --------- d-----w C:\Documents and Settings\Michael\Application Data\Move Networks
2008-08-10 17:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 05:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-14 12:32 --------- d-----w C:\Documents and Settings\Michael\Application Data\Canon
2008-07-13 18:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 15:32 --------- d-----w C:\Documents and Settings\Michael\Application Data\AdobeUM
2008-07-10 21:00 --------- d-----w C:\Program Files\Intel Audio Studio
2008-07-10 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 23:22 --------- d-----w C:\Documents and Settings\Michael\Application Data\Media Player Classic
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-14 04:59 --------- d-----w C:\Program Files\QuickTime
2008-06-14 04:58 --------- d-----w C:\Program Files\Apple Software Update
2008-06-14 01:54 --------- d-----w C:\Program Files\SigmaTel
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-06-08 23:59 3,126 ----a-w C:\WINDOWS\system32\tmp.reg
2008-05-29 13:35 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-05-25 01:54 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-24 07:22 1,233 ------w C:\Program Files\GuideMenuSetup.iss
2007-04-06 03:28 1,237 ------w C:\Program Files\WinDVDSetup.iss
2008-05-12 05:32 8 --sh--r C:\WINDOWS\system32\84ED073183.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93CD0402-63D6-420F-81D7-840E233EF2C6}]
2007-07-27 08:00 105472 --a------ c:\windows\system32\cliconfgv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"pccguide.exe"="D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30 897089]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 01:56 188416]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="D:\Program Files\iTunesHelper.exe" [2008-07-30 10:47 289064]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wapgdyhu]
2007-07-27 08:00 105472 C:\WINDOWS\system32\cliconfgv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 D:\Program Files\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Program Files\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 mv61xx;mv61xx;C:\WINDOWS\system32\DRIVERS\mv61xx.sys [2006-11-14 01:32]
R0 vowebbrt;vowebbrt;C:\WINDOWS\system32\drivers\vowebbrt.sys [2007-07-27 08:00]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2008-05-27 11:59]
R2 waawjhxi;NDIS System Helper;C:\WINDOWS\System32\svchost.exe [2007-07-27 08:00]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2008-02-20 21:19]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2007-07-27 08:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2007-07-27 08:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2007-07-27 08:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2007-07-27 08:00]
S4 Np108bderd;Np108bderd;C:\WINDOWS\system32\nvappbar.exe [2008-05-02 22:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
waawjhxi

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\Launch.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F6115D0E-EEE2-4B40-9E32-C6A292D34515} - C:\WINDOWS\system32\dmsynthm.dll
Toolbar-ID - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\8ut8ai8p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&source=iglk
FF -: plugin - D:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - D:\Program Files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - D:\Program Files\Mozilla Plugins\npitunes.dll
FF -: plugin - D:\Program Files\plugins\np_gp.dll
FF -: plugin - D:\Program Files\plugins\npdivx32.dll
FF -: plugin - D:\Program Files\plugins\npDivxPlayerPlugin.dll
FF -: plugin - D:\Program Files\plugins\npnul32.dll
FF -: plugin - D:\Program Files\plugins\NPOFFICE.DLL
FF -: plugin - D:\Program Files\plugins\nppdf32.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin6.dll
FF -: plugin - D:\Program Files\plugins\npqtplugin7.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 01:50:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 1:51:37
ComboFix-quarantined-files.txt 2008-08-13 05:51:34

Pre-Run: 5,885,571,072 bytes free
Post-Run: 5,931,069,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

211 --- E O F --- 2008-08-13 01:18:40

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 14 August 2008 - 02:13 AM

Could I have a new HJT log as well please?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 14 August 2008 - 06:27 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:15 AM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\iTunesHelper.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.support.cusa.canon.com/e2/shared/login.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93CD0402-63D6-420F-81D7-840E233EF2C6} - c:\windows\system32\cliconfgv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F6115D0E-EEE2-4B40-9E32-C6A292D34515} - C:\WINDOWS\system32\dmsynthm.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210433024105
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210557467625
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wapgdyhu - C:\WINDOWS\SYSTEM32\cliconfgv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7205 bytes


Thanks. Michael

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 15 August 2008 - 03:00 PM

Hi Michael,
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Step #1
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {93CD0402-63D6-420F-81D7-840E233EF2C6} - c:\windows\system32\cliconfgv.dll
O2 - BHO: (no name) - {F6115D0E-EEE2-4B40-9E32-C6A292D34515} - C:\WINDOWS\system32\dmsynthm.dll (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: wapgdyhu - C:\WINDOWS\SYSTEM32\cliconfgv.dll


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Step #2
Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following file (if present):

C:\WINDOWS\SYSTEM32\cliconfgv.dll

Step #3
Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Step #4
Reboot into Normal Mode again.

Please run a scan with Kaspersky Online Scanner.
You will be promted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Select a target to scan; click on My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text.

In your next reply I'd like the Kaspersky log and a new Combofix log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 15 August 2008 - 07:26 PM

Hello Charles. I am now at Step #4 and holding. (I am using another Computer to contact you)
I followed the other steps, but cliconfgv.dll in system32 will not allow itself to be deleted. Additionally, a new copy named
cliconfgv.dll.bak was there. That too would not allow deletion. I tried using FileASSASSIN to unlock and delete the files but that failed as well.
Please Advise.............Thank you.

Michael

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 16 August 2008 - 06:02 AM

Okay, don't worry about it; we'll use something a bit stronger later on.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#9 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 19 August 2008 - 04:10 PM

Hello Charles. I notice the "original filename" changes. An example is "VSS_PS.dll and SCREDIR.dll.

Michael

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 20 August 2008 - 03:57 AM

I'm not sure I understand what you mean Michael. Which original filename?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#11 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 20 August 2008 - 06:24 AM

Hello Charles.
When I run a program called "What's Running", I can veiw many details of various items and associations. When I check the cliconfgv.dll, I can see something called "original file name". It seems to change each time I run this program and check status.
Michael

#12 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 20 August 2008 - 05:20 PM

Charles. Here is some additional info from the "What's Running" app.

Module name: cliconfgv.dll

Internal name: scredir.dll

File Description: Smart Card Reader for TS

Original filename: scredir.dll

Processes Using this Module: 3

1: winlogon.exe
2: svhost.exe
3: explorer.exe

Thanks,
Michael

#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 21 August 2008 - 04:19 AM

Thanks for that info Michael, I get what you meant now. Could I have the logs I requested please? :thumbsup:

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#14 mfasig

mfasig
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lancaster County,PA
  • Local time:11:30 AM

Posted 21 August 2008 - 10:28 PM

Hello Charles.
I was able to clean-up some items. Most critically, the cliconfgv.dll file.
I still, however cannot delete the registry keys. I've tried using regedt32 in safe-mode logged on as the XP administrator. I tried various registry permission "tweaks"- NG
Here are the requested logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:51 PM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.support.cusa.canon.com/e2/shared/login.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93CD0402-63D6-420F-81D7-840E233EF2C6} - c:\windows\system32\cliconfgv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F6115D0E-EEE2-4B40-9E32-C6A292D34515} - C:\WINDOWS\system32\dmsynthm.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210433024105
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1210557467625
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wapgdyhu - C:\WINDOWS\SYSTEM32\cliconfgv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 5874 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 02:05:36
Records in database: 1122622
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\
X:\

Scan statistics:
Files scanned: 77158
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:38:09


File name / Threat name / Threats count
M:\TRANSFER ITEMS FOR RELOAD OF WINDOWS\Admin Desktop Stuff\Documents From C Drive\Ethereal Users Guide\Key logger\ESP_Monitoring_Survailence.MSI Infected: not-a-virus:Monitor.Win32.KeyLogger.aj 1

The selected area was scanned.

Just to be safe, I deleted the Drive M item above.

Thanks.
Michael

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 22 August 2008 - 04:08 PM

Hello again Michael :thumbsup:
Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93CD0402-63D6-420F-81D7-840E233EF2C6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6115D0E-EEE2-4B40-9E32-C6A292D34515}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wapgdyhu]


Save this as txtfile CFScript .
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

Posted Image

This will start ComboFix again.
A new log will be created, which I would like to see in your reply.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users