
Trojan.Zlob


34 replies to this topic

#1 ucmego

ucmego

  • Members
  • 103 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 21 May 2009 - 06:28 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/226994/trojanzlob/ ~ OB

Hi

This is a log from DDS


DDS (Ver_09-05-14.01) - NTFSx86
Run by EDH at 9:22:08.39 on Fri 22/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1022.590 [GMT 10:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\EDH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.habbo.com.au/client"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [iLike] c:\program files\ilike\1.2.13\ilikesidebar.exe /checkforupdate
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\edh\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://powersoccer.agame.com/applet/PowerLoader.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cool-chick-jorgia.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-14 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-22 55136]
R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
R2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-3-5 78104]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
S2 kqe4a6zyn;BsHelpCS;c:\windows\system32\fejouhyhap.exe --> c:\windows\system32\fejouhyhap.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 953168]
S2 yhmhe5w2i8o;Crystal Report Application Server;c:\windows\system32\houtoofequ.exe --> c:\windows\system32\houtoofequ.exe [?]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2008-6-25 99584]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-16 08:57 87,552 a------- c:\windows\system32\VACFix.exe
2009-05-15 17:07 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-15 17:07 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-15 17:07 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-15 17:07 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-15 17:07 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-15 17:07 --d----- c:\program files\Trojan Remover
2009-05-15 17:07 --d----- c:\docume~1\edh\applic~1\Simply Super Software
2009-05-15 17:07 --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-05-15 14:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-15 14:05 2,112 a------- c:\windows\system32\tmp.reg
2009-05-15 08:12 --d----- c:\windows\system32\scripting
2009-05-15 08:12 --d----- c:\windows\l2schemas
2009-05-15 08:12 --d----- c:\windows\system32\en
2009-05-15 08:12 --d----- c:\windows\system32\bits
2009-05-15 08:09 --d----- c:\windows\ServicePackFiles
2009-05-15 08:06 --d----- c:\windows\network diagnostic
2009-05-15 08:01 --d----- c:\windows\EHome
2009-05-14 20:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 20:32 --d----- c:\docume~1\edh\applic~1\GetRightToGo
2009-05-14 20:32 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-14 20:32 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-14 20:32 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-14 20:32 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-14 20:32 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-14 20:32 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-14 20:32 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-14 20:32 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-14 20:32 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-14 20:32 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-14 20:32 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-14 20:32 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-14 20:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-14 20:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-14 13:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-14 13:32 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-14 13:32 --d----- c:\program files\Lavasoft
2009-05-14 13:31 --d----- c:\program files\CCleaner
2009-05-14 13:30 --d----- c:\docume~1\edh\applic~1\Malwarebytes
2009-05-14 13:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-14 13:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 13:30 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-14 13:30 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-14 13:30 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-14 13:30 --d----- c:\program files\SUPERAntiSpyware
2009-05-14 13:30 --d----- c:\docume~1\edh\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-05-15 08:14 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 9:22:42.09 ===============

Edited by Orange Blossom, 21 May 2009 - 09:37 PM.
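In the SERVICES / DRIVERS section of the log above, the two entries that stand out are the randomly named services kqe4a6zyn and yhmhe5w2i8o, whose image files DDS marks with [?] instead of a date and size. The script below is an added example, not part of this thread or of the DDS tool: it parses that section and scores each service on three heuristic signals (image file not found, machine-looking service name, display name unrelated to the image path). The sample lines are copied from the log above; reading [?] as "file not found on disk" and the two-signal threshold are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a subset of the SERVICES / DRIVERS section of the
# DDS log posted above, copied verbatim.
SAMPLE_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-14 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
S2 kqe4a6zyn;BsHelpCS;c:\windows\system32\fejouhyhap.exe --> c:\windows\system32\fejouhyhap.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 953168]
S2 yhmhe5w2i8o;Crystal Report Application Server;c:\windows\system32\houtoofequ.exe --> c:\windows\system32\houtoofequ.exe [?]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2008-6-25 99584]
"""

# DDS service line: <state> <name>;<display name>;<path>[ --> <resolved path>] [<date> <size> | ?]
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
REST_RE = re.compile(r"^(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<info>[^\]]*)\]$")
# Heuristic (assumption): lowercase letters and digits mixed, 8+ chars, e.g. kqe4a6zyn
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    file_found: bool  # False when DDS printed "[?]" instead of a date and size
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two independent signals before we flag an entry.
        return len(self.reasons) >= 2


def parse_service_line(line: str) -> ServiceEntry:
    """Parse one DDS SERVICES / DRIVERS line into a ServiceEntry."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DDS service line: {line!r}")
    r = REST_RE.match(m["rest"])
    if not r:
        raise ValueError(f"unparsable path/info field: {m['rest']!r}")
    return ServiceEntry(
        state=m["state"], name=m["name"], display=m["display"],
        path=r["resolved"] or r["path"], file_found=(r["info"] != "?"),
    )


def display_matches_path(display: str, path: str) -> bool:
    """True if any word (3+ letters) of the display name occurs in the image path."""
    words = re.findall(r"[A-Za-z]{3,}", display.lower())
    low = path.lower()
    return any(w in low for w in words)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons to the entry; two or more mark it suspicious."""
    if not entry.file_found:
        entry.reasons.append("image file not found on disk ([?] in DDS output)")
    if RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append(f"service name {entry.name!r} looks machine-generated")
    if not display_matches_path(entry.display, entry.path):
        entry.reasons.append(f"display name {entry.display!r} shares no word with image path")
    return entry


def triage(section: str) -> List[ServiceEntry]:
    """Parse and assess every non-blank line of a SERVICES / DRIVERS section."""
    return [assess(parse_service_line(l)) for l in section.splitlines() if l.strip()]


def suspicious_services(section: str) -> List[str]:
    """Names of the services that crossed the threshold, in log order."""
    return [e.name for e in triage(section) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_SERVICES):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.state} {e.name:28} {e.path}")
        for reason in e.reasons:
            print(f"           - {reason}")
```

On the sample above only kqe4a6zyn and yhmhe5w2i8o trip all three signals; every legitimate entry scores zero, which is the point of requiring more than one heuristic before raising a flag.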



#2 ucmego

ucmego
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 29 May 2009 - 07:19 AM

Hi Guys,

What's going on? No reply yet for the topic. Is everyone busy?

Regards
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 01 June 2009 - 10:08 AM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:10:18 PM

Posted 04 June 2009 - 05:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 ucmego

ucmego
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 04 June 2009 - 07:18 PM

Hi

Thanks for your reply

We still have Zlob.trojan running; every time we try to remove it, it comes back.
Here is the new log file.


DDS (Ver_09-05-14.01) - NTFSx86
Run by EDH at 10:13:12.71 on Fri 05/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1022.591 [GMT 10:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\EDH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.habbo.com.au/client"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [iLike] c:\program files\ilike\1.2.13\ilikesidebar.exe /checkforupdate
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\edh\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://powersoccer.agame.com/applet/PowerLoader.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cool-chick-jorgia.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-14 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-22 55136]
R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
R2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-3-5 78104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 953168]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
S2 kqe4a6zyn;BsHelpCS;c:\windows\system32\fejouhyhap.exe --> c:\windows\system32\fejouhyhap.exe [?]
S2 yhmhe5w2i8o;Crystal Report Application Server;c:\windows\system32\houtoofequ.exe --> c:\windows\system32\houtoofequ.exe [?]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2008-6-25 99584]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-16 08:57 87,552 a------- c:\windows\system32\VACFix.exe
2009-05-15 17:07 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-15 17:07 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-15 17:07 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-15 17:07 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-15 17:07 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-15 17:07 <DIR> --d----- c:\program files\Trojan Remover
2009-05-15 17:07 <DIR> --d----- c:\docume~1\edh\applic~1\Simply Super Software
2009-05-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-05-15 14:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-15 14:05 2,112 a------- c:\windows\system32\tmp.reg
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\scripting
2009-05-15 08:12 <DIR> --d----- c:\windows\l2schemas
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\en
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\bits
2009-05-15 08:09 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-15 08:06 <DIR> --d----- c:\windows\network diagnostic
2009-05-15 08:01 <DIR> --d----- c:\windows\EHome
2009-05-14 20:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 20:32 <DIR> --d----- c:\docume~1\edh\applic~1\GetRightToGo
2009-05-14 20:32 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-14 20:32 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-14 20:32 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-14 20:32 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-14 20:32 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-14 20:32 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-14 20:32 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-14 20:32 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-14 20:32 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-14 20:32 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-14 20:32 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-14 20:32 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-14 20:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-14 20:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-14 13:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-14 13:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-14 13:32 <DIR> --d----- c:\program files\Lavasoft
2009-05-14 13:31 <DIR> --d----- c:\program files\CCleaner
2009-05-14 13:30 <DIR> --d----- c:\docume~1\edh\applic~1\Malwarebytes
2009-05-14 13:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-14 13:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-14 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-14 13:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-14 13:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-14 13:30 <DIR> --d----- c:\docume~1\edh\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-05-15 08:14 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe

============= FINISH: 10:13:46.01 ===============

#5 extremeboy (Malware Response Team, 12,975 posts)

Posted 06 June 2009 - 07:30 PM

Hello.

Please post a new DDS log since it's been 2 days.

Then run Malwarebytes Anti-Malware for me.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to make a donation.

#6 ucmego (Topic Starter, Members, 103 posts)

Posted 07 June 2009 - 12:22 AM

Hi

Thanks for the reply

Here are the logs from DDS and MBAM



DDS (Ver_09-05-14.01) - NTFSx86
Run by EDH at 15:11:21.18 on Sun 07/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1022.537 [GMT 10:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\EDH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.habbo.com.au/client"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [iLike] c:\program files\ilike\1.2.13\ilikesidebar.exe /checkforupdate
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\edh\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://powersoccer.agame.com/applet/PowerLoader.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cool-chick-jorgia.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-14 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-22 55136]
R2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2008-12-8 533344]
R2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-3-5 78104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1005904]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
S2 kqe4a6zyn;BsHelpCS;c:\windows\system32\fejouhyhap.exe --> c:\windows\system32\fejouhyhap.exe [?]
S2 yhmhe5w2i8o;Crystal Report Application Server;c:\windows\system32\houtoofequ.exe --> c:\windows\system32\houtoofequ.exe [?]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2008-6-25 99584]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-16 08:57 87,552 a------- c:\windows\system32\VACFix.exe
2009-05-15 17:07 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-15 17:07 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-15 17:07 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-15 17:07 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-15 17:07 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-15 17:07 <DIR> --d----- c:\program files\Trojan Remover
2009-05-15 17:07 <DIR> --d----- c:\docume~1\edh\applic~1\Simply Super Software
2009-05-15 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-05-15 14:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-15 14:05 2,112 a------- c:\windows\system32\tmp.reg
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\scripting
2009-05-15 08:12 <DIR> --d----- c:\windows\l2schemas
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\en
2009-05-15 08:12 <DIR> --d----- c:\windows\system32\bits
2009-05-15 08:09 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-15 08:06 <DIR> --d----- c:\windows\network diagnostic
2009-05-15 08:01 <DIR> --d----- c:\windows\EHome
2009-05-14 20:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 20:32 <DIR> --d----- c:\docume~1\edh\applic~1\GetRightToGo
2009-05-14 20:32 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-14 20:32 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-14 20:32 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-14 20:32 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-14 20:32 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-14 20:32 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-14 20:32 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-14 20:32 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-14 20:32 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-14 20:32 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-14 20:32 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-14 20:32 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-14 20:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-14 20:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-14 13:33 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-14 13:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-14 13:32 <DIR> --d----- c:\program files\Lavasoft
2009-05-14 13:31 <DIR> --d----- c:\program files\CCleaner
2009-05-14 13:30 <DIR> --d----- c:\docume~1\edh\applic~1\Malwarebytes
2009-05-14 13:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-14 13:30 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-14 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-14 13:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-14 13:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-14 13:30 <DIR> --d----- c:\docume~1\edh\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-05-15 08:14 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe

============= FINISH: 15:11:56.79 ===============


MBAM log
Malwarebytes' Anti-Malware 1.37
Database version: 2241
Windows 5.1.2600 Service Pack 3

7/06/2009 3:20:30 PM
mbam-log-2009-06-07 (15-20-30).txt

Scan type: Quick Scan
Objects scanned: 94507
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks
Rebooted, Trojan still on system.

Running
Windows XP Home SP3
P4 3.2 GHz 1Gb R

Nod 32 Smart Security
Spybot Search & Destroy
Malwarebytes
Ad Aware
Super AntiSpyware

Edited by ucmego, 07 June 2009 - 12:32 AM.
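The SERVICES / DRIVERS section of the DDS log in the post above contains two S2 entries (kqe4a6zyn and yhmhe5w2i8o) whose image files DDS could not read, shown with the registered path after "-->" and "[?]" in place of the file date and size. As an added example that is not part of this thread, of DDS or of BleepingComputer, the following Python script parses that section of a DDS log and flags such entries. The sample log is constructed from the lines quoted above; the scoring rules (image file missing, auto-start service that is not running, random-looking service name) are this example's own assumptions, not rules DDS or the forum applies.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example; not code from the thread, from DDS or from BleepingComputer.
DDS prints one service per line as

    <R|S><start type> <ServiceName>;<DisplayName>;<ImagePath> [<date> <size>]

where R = running, S = stopped and the start type is 0 boot, 1 system,
2 auto, 3 manual, 4 disabled.  When DDS cannot read the image file it prints
the registered path after '-->' and '[?]' in place of the date and size.
The scoring rules below are this example's own assumptions, not DDS rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# "<path> [<info>]"  or  "<path> --> <registered path> [?]"
IMAGE_RE = re.compile(
    r"^(?P<path>.*?)(?:\s+-->\s+(?P<registered>.*?))?\s+\[(?P<info>[^\]]*)\]$"
)


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    registered: Optional[str]   # path as registered; only present on '-->' lines
    file_found: bool            # False when DDS printed '[?]'
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_service(line: str) -> Optional[Service]:
    """Parse one DDS service/driver line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    im = IMAGE_RE.match(m["rest"].strip())
    if im:
        image, registered, info = im["path"], im["registered"], im["info"].strip()
    else:                       # no trailing [...] block at all: treat as unreadable
        image, registered, info = m["rest"].strip(), None, "?"
    return Service(running=m["state"] == "R", start_type=int(m["start"]),
                   name=m["name"].strip(), display=m["display"].strip(),
                   image=image, registered=registered, file_found=info != "?")


def looks_random(name: str) -> bool:
    """Weak signal (assumption): an all-lowercase name of 8+ characters with
    digits mixed in between letters, like 'kqe4a6zyn'.  Legitimate names can
    match too, so assess() only counts it when another signal is present."""
    core = name.strip()
    if len(core) < 8 or not core.islower():
        return False
    inner = core[1:-1]
    return any(c.isdigit() for c in inner) and any(c.isalpha() for c in inner)


def assess(svc: Service) -> Service:
    """Attach the reasons a responder would look twice at this entry."""
    if not svc.file_found:
        svc.reasons.append("image file not found on disk (DDS printed [?])")
    if svc.start_type == 2 and not svc.running:
        svc.reasons.append("auto-start service that is not running")
    if svc.reasons and looks_random(svc.name):
        svc.reasons.append("random-looking service name")
    return svc


def extract_section(log: str, title: str) -> List[str]:
    """Non-blank lines between the '=== title ===' banner and the next banner."""
    out: List[str] = []
    inside = False
    for line in log.splitlines():
        if line.startswith("===") and title in line:
            inside = True
            continue
        if inside and line.startswith("==="):
            break
        if inside and line.strip():
            out.append(line)
    return out


def triage(log: str) -> List[Service]:
    """Flagged services from a full DDS log, most reasons first."""
    lines = extract_section(log, "SERVICES / DRIVERS")
    services = [s for s in (parse_service(l) for l in lines) if s]
    flagged = [s for s in map(assess, services) if s.suspicious]
    return sorted(flagged, key=lambda s: -len(s.reasons))


# Constructed sample: an excerpt of the DDS log quoted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-14 64160]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iWinGamesInstaller.exe [2008-3-5 78104]
S2 kqe4a6zyn;BsHelpCS;c:\windows\system32\fejouhyhap.exe --> c:\windows\system32\fejouhyhap.exe [?]
S2 yhmhe5w2i8o;Crystal Report Application Server;c:\windows\system32\houtoofequ.exe --> c:\windows\system32\houtoofequ.exe [?]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2008-6-25 99584]

=============== Created Last 30 ================
"""

if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        state = "running" if svc.running else "stopped"
        print(f"{svc.name:<14} start={svc.start_type} {state:<8} {svc.image}")
        for reason in svc.reasons:
            print(f"    - {reason}")
```

Run against the sample, the two S2 entries are reported with all three reasons while the ESET, Lavasoft, iWin and ZTE entries are not. The random-name check is deliberately a tie-breaker only, since legitimate drivers also use names that mix letters and digits.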


#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 June 2009 - 03:04 PM

Hello.

Please do the following.

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop. If you are running Vista, right click on the file and choose Run As Administrator.
  • Paste the following code into the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :reg
    [-HKEY_CLASSES_ROOT\multimediaControls.chl]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIt! button.
  • If OTM requires a reboot, please allow it to do so.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file on your desktop (the .exe, or the .zip you extracted).
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

With Regards,
Extremeboy

#8 ucmego (Topic Starter, Members, 103 posts)

Posted 07 June 2009 - 07:04 PM

Hi

Thank you for the reply. Here are the logs.

========== REGISTRY ==========
Unable to delete registry key HKEY_CLASSES_ROOT\multimediaControls.chl\\ .
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\OD6NGPYZ\iframe[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\OD6NGPYZ\signin[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\CDE3S5I7\topic228586[1].html scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.0 log created on 06082009_093547

Files moved on Reboot...
C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\OD6NGPYZ\iframe[2].htm moved successfully.
C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\OD6NGPYZ\signin[1].htm moved successfully.
C:\Documents and Settings\EDH\Local Settings\Temporary Internet Files\Content.IE5\CDE3S5I7\topic228586[1].html moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat not found!

Registry entries deleted on Reboot...



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-08 10:03:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75A287E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75A2BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\multimediaControls.chl\CLSID@ {6BF52A52-394A-11D3-B153-00C04F79FAA6}

---- EOF - GMER 1.0.15 ----

#9 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 June 2009 - 07:15 PM

Hello.

Continue with the following.

Download and Run Script with Swreg.exe

Please download SWREG.exe, and save it to your C:\Windows Directory please.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    @Echo off
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /OA
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /P /GE:F
    swreg NULL DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl"
    
    Reg Query "HKEY_CLASSES_ROOT\multimediaControls.chl" > C:\reglook.txt
    Notepad C:\reglook.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the file should show the batch-file icon, not the Notepad text-file icon.

Double click on Remove.bat to run it. You may get a security warning, please select Run. A black window will open and then disappear this is normal. Then Notepad will open, post the contents of notepad in your next reply. Note: If notepad was empty let me know.

Now, perform another quick-scan with Malwarebytes Anti-Malware and post the log once it's complete. Let's see what it finds this time.

With Regards,
Extremeboy

#10 ucmego (Topic Starter, Members, 103 posts)

Posted 08 June 2009 - 08:40 PM

Hi

Thanks for your reply. Here are the logs. Am I meant to run Swreg.exe? I only pasted it into the Windows dir. Hope I've done the right thing, just a little unsure.

Regards





! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\multimediaControls.chl

HKEY_CLASSES_ROOT\multimediaControls.chl\CLSID



Malwarebytes' Anti-Malware 1.37
Database version: 2250
Windows 5.1.2600 Service Pack 3

9/06/2009 11:34:04 AM
mbam-log-2009-06-09 (11-34-04).txt

Scan type: Quick Scan
Objects scanned: 95301
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 extremeboy (Malware Response Team, 12,975 posts)

Posted 09 June 2009 - 04:20 PM

Hello.

Please do the following. We'll try this again.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    @Echo off
    
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /OA > C:\check.txt
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /P /GE:F >> C:\check.txt
    swreg NULL DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl" >> C:\check.txt
    swreg ACL "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" /OA >> C:\check.txt
    swreg ACL "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" /P /GE:F >> C:\check.txt
    swreg NULL DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" >> C:\check.txt
    
    Notepad C:\check.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the file should show the batch-file icon, not the Notepad text-file icon.

Double click on Remove.bat to run it. You may get a security warning, please select Run. A black window will open and then disappear this is normal. Then Notepad will open, post the contents of notepad in your next reply.

Re-run MBAM with a quick scan again.

With Regards,
Extremeboy

#12 ucmego (Topic Starter, Members, 103 posts)

Posted 09 June 2009 - 06:23 PM

Hi

Thanks for the reply

In the Notepad file, do we copy everything in the box like this, or is that incorrect? Here are the logs.

@Echo off

swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /OA > C:\check.txt
swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /P /GE:F >> C:\check.txt
swreg NULL DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl" >> C:\check.txt
swreg ACL "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" /OA >> C:\check.txt
swreg ACL "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" /P /GE:F >> C:\check.txt
swreg NULL DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" >> C:\check.txt

Notepad C:\check.txt


Ownerchange for "HKEY_CLASSES_ROOT\multimediaControls.chl" to Administrators group was successful
Registrykey: "HKEY_CLASSES_ROOT\multimediaControls.chl"
Granting Registry rights (F access for This Key) for "Everyone"
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2005

SWReg Operation [Parameters]
Operation = QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD |
RESTORE | COMPARE | EXPORT | IMPORT | MOVE | ACL

Return Code: (Except of SWReg COMPARE)

0 - Successful
1 - Failed

For help on a specific operation type:
SWReg Operation /?

Examples:
SWReg QUERY /?
SWReg ADD /?
SWReg DELETE /?
SWReg COPY /?
SWReg SAVE /?
SWReg RESTORE /?
SWReg LOAD /?
SWReg UNLOAD /?
SWReg COMPARE /?
SWReg EXPORT /?
SWReg IMPORT /?
SWReg MOVE /?
SWReg ACL /?

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

Ownerchange for "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl" to Administrators group was successful
Registrykey: "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl"
Granting Registry rights (F access for This Key) for "Everyone"
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2005

SWReg Operation [Parameters]
Operation = QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD |
RESTORE | COMPARE | EXPORT | IMPORT | MOVE | ACL

Return Code: (Except of SWReg COMPARE)

0 - Successful
1 - Failed

For help on a specific operation type:
SWReg Operation /?

Examples:
SWReg QUERY /?
SWReg ADD /?
SWReg DELETE /?
SWReg COPY /?
SWReg SAVE /?
SWReg RESTORE /?
SWReg LOAD /?
SWReg UNLOAD /?
SWReg COMPARE /?
SWReg EXPORT /?
SWReg IMPORT /?
SWReg MOVE /?
SWReg ACL /?

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.


Malwarebytes' Anti-Malware 1.37
Database version: 2256
Windows 5.1.2600 Service Pack 3

10/06/2009 9:22:45 AM
mbam-log-2009-06-10 (09-22-45).txt

Scan type: Quick Scan
Objects scanned: 95718
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

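A small Python triage helper, added here as an illustration and not taken from the thread or from the SteelWerX tool: it pairs each swreg command in a batch like the one above with the chunk of check.txt that the command appended, using the three kinds of output visible in the posted log (an Ownerchange line, a Registrykey/Granting pair, and the tool's usage banner), and it also lists the operation names that the banner itself advertises so that a command whose operation word is not in that list can be spotted. The sample batch and log text are constructed from the lines posted above (HKCR half only, banner shortened); the pairing rule, that output chunks appear in the same order as the commands because every command appends to the same file, is an assumption of this helper.

```python
import re

# Constructed sample (from the batch and check.txt posted above, HKCR half only,
# usage banner shortened): three swreg commands and the output they appended.
BATCH = r'''@Echo off

swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /OA > C:\check.txt
swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /P /GE:F >> C:\check.txt
swreg NULL DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl" >> C:\check.txt

Notepad C:\check.txt
'''

CHECK_TXT = r'''Ownerchange for "HKEY_CLASSES_ROOT\multimediaControls.chl" to Administrators group was successful
Registrykey: "HKEY_CLASSES_ROOT\multimediaControls.chl"
Granting Registry rights (F access for This Key) for "Everyone"
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2005

SWReg Operation [Parameters]
Operation = QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD |
RESTORE | COMPARE | EXPORT | IMPORT | MOVE | ACL

Return Code: (Except of SWReg COMPARE)

0 - Successful
1 - Failed
'''

# Lines that begin a new block of output in check.txt (assumption, based on the
# three kinds of output visible in the posted log).
CHUNK_STARTS = ("Ownerchange for", "Registrykey:", "SteelWerX Registry Console Tool")


def swreg_commands(batch_text):
    """swreg command lines of the batch, in order, with the > / >> redirection removed."""
    cmds = []
    for line in batch_text.splitlines():
        line = line.strip()
        if line.lower().startswith("swreg "):
            cmds.append(re.split(r"\s>>?\s", line)[0])
    return cmds


def split_output(check_text):
    """Split check.txt into one chunk per command; the batch appends output in order."""
    chunks = []
    for line in check_text.splitlines():
        if line.startswith(CHUNK_STARTS) or not chunks:
            chunks.append([line])
        else:
            chunks[-1].append(line)
    return [c for c in ("\n".join(ch).strip() for ch in chunks) if c]


def classify(chunk):
    """Describe what the tool printed for one command."""
    if chunk.startswith("Ownerchange for") and "was successful" in chunk:
        return "owner changed"
    if chunk.startswith("Registrykey:") and "Granting Registry rights" in chunk:
        return "permissions granted"
    if "SWReg Operation [Parameters]" in chunk:
        return "usage banner (help text printed, no result line)"
    return "unrecognised output"


def listed_operations(check_text):
    """Operation names the tool's own usage banner advertises."""
    m = re.search(r"Operation = (.*?)\n\nReturn Code", check_text, re.S)
    if not m:
        return set()
    return {op.strip() for op in m.group(1).replace("\n", " ").split("|") if op.strip()}


def correlate(batch_text, check_text):
    """Pair every command with the status of the chunk it produced."""
    cmds, chunks = swreg_commands(batch_text), split_output(check_text)
    results = []
    for i, cmd in enumerate(cmds):
        status = classify(chunks[i]) if i < len(chunks) else "no output"
        results.append({"command": cmd, "operation": cmd.split()[1].upper(), "status": status})
    return results


def unsupported(batch_text, check_text):
    """Commands whose operation word does not appear in the banner's operation list."""
    ops = listed_operations(check_text)
    return [r["command"] for r in correlate(batch_text, check_text) if ops and r["operation"] not in ops]


if __name__ == "__main__":
    for r in correlate(BATCH, CHECK_TXT):
        print(f'{r["status"]:<50} {r["command"]}')
    print("not in the tool's operation list:", unsupported(BATCH, CHECK_TXT))
```

Run against the sample, the first two commands map to the Ownerchange and Granting lines, while the third maps to the usage banner, whose own operation list does not contain the word NULL; that is the kind of check worth making before relying on a "Delete on reboot" result from the next scan.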
#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 June 2009 - 05:25 PM

Hello.

This embedded null registry key doesn't seem to be deleted for some reason.

Let's try this again and if it still doesn't work we'll try something else.

Please Reboot your computer now.

After the reboot please perform the following steps. Please close any other programs you have opened.

FIRST BACKUP YOUR REGISTRY:

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created so that, in case anything goes wrong, we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    @Echo off
    
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /OA
    swreg ACL "HKEY_CLASSES_ROOT\multimediaControls.chl" /P /GE:F 
    swreg NULL DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl" 
    swreg DELETE "HKEY_CLASSES_ROOT\multimediaControls.chl" 
    
    shutdown -r
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on Remove.bat to run it. You may get a security warning, please select Run. A black window will open and then disappear; this is normal. Then a window will open informing you the computer will shut down in 30 seconds. Please close any programs in this time period and when 30 seconds pass, it will restart your computer automatically.

Once the restart is done, please Re-run MBAM with a quick scan again and post the log back.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post a request in the correct forum. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 ucmego

ucmego
  • Topic Starter

  • Members
  • 103 posts

Posted 11 June 2009 - 09:58 PM

Hi,

Thanks for the reply, here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2256
Windows 5.1.2600 Service Pack 3

12/06/2009 12:56:01 PM
mbam-log-2009-06-12 (12-56-01).txt

Scan type: Quick Scan
Objects scanned: 95504
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

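Added example, not code from the thread or from Malwarebytes: a Python parser for log text in the format posted above (header fields, the summary counts, and the per-section detection lines with their family and action), together with a cross-scan comparison that reports detections present in every log it is given, which is how a persisting "Delete on reboot" item like the one in the two Quick Scan logs above shows up. The two sample logs are constructed from the scan details posted above (blank lines and the mbam-log filename line dropped; the second log is the first with the date, object count and elapsed time that differed substituted); the section names and the summary-count cross-check are assumed from the layout shown.

```python
import re

# Constructed sample from the two Quick Scan logs posted above (blank lines and the
# mbam-log filename line dropped). LOG_B is LOG_A with the differing fields substituted.
LOG_A = r'''Malwarebytes' Anti-Malware 1.37
Database version: 2256
Windows 5.1.2600 Service Pack 3
10/06/2009 9:22:45 AM
Scan type: Quick Scan
Objects scanned: 95718
Time elapsed: 2 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
'''
LOG_B = (LOG_A.replace("10/06/2009 9:22:45 AM", "12/06/2009 12:56:01 PM")
              .replace("Objects scanned: 95718", "Objects scanned: 95504")
              .replace("2 minute(s), 51 second(s)", "2 minute(s), 43 second(s)"))

# Section headings, summary-count lines and detection lines as they appear in the log
# layout above (assumed to be the general format).
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
COUNT_RE = re.compile(r"^(.+? Infected): (\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Parse one log into header fields, summary counts and a list of detections."""
    header, counts, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)        # following lines belong to this section
            continue
        if section is None:             # still in the header / summary part
            m = COUNT_RE.match(line)
            if m:
                counts[m.group(1)] = int(m.group(2))
            elif ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        m = ITEM_RE.match(line)         # "(No malicious items detected)" does not match
        if m:
            detections.append({"section": section, **m.groupdict()})
    return {"header": header, "counts": counts, "detections": detections}


def persistent_detections(parsed_logs):
    """(section, path, family) triples reported in every one of the given parsed logs."""
    seen = [{(d["section"], d["path"], d["family"]) for d in log["detections"]}
            for log in parsed_logs]
    return sorted(set.intersection(*seen)) if seen else []


def count_mismatches(parsed_log):
    """Sections whose summary count disagrees with the number of items listed under it."""
    listed = {}
    for d in parsed_log["detections"]:
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    out = []
    for name, n in parsed_log["counts"].items():
        section = name[: -len(" Infected")]
        if listed.get(section, 0) != n:
            out.append((section, n, listed.get(section, 0)))
    return out


if __name__ == "__main__":
    logs = [parse_mbam_log(LOG_A), parse_mbam_log(LOG_B)]
    for log in logs:
        print(log["header"].get("Objects scanned"), log["counts"], count_mismatches(log))
    print("still present in every scan:", persistent_detections(logs))
```

Feeding it further logs from the same machine extends the comparison; an item that stays in the intersection after a reboot between scans has not actually been removed, whatever action the scanner reported.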
#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 June 2009 - 11:12 AM

Hello.

Let's do the following please. I'll look into this later on.


We'll start off with Combofix and remove that key.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post a request in the correct forum. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
