
Computer Real Sluggish ....can Someone Read My Hjt Log?

13 replies to this topic

#1 goldeelocks (Members, 8 posts)

Posted 02 May 2006 - 08:32 PM

Hi There ...

My computer has been running real slow all the time ... almost like there is something running. I have tried some of the suggestions I have seen in other posts, and it has helped A LOT ... although it still seems sluggish.

I'm sure there are quite a few things in my log that need to be removed, and hopefully someone here can help me!!

I appreciate any help that can be offered!!

Logfile of HijackThis v1.99.1
Scan saved at 9:25:13 PM, on 5/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F9B43D7-E0D3-4965-A51B-7CB7B66AA4D0} - C:\WINDOWS\System32\jhplfgnp.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CIEPl Object - {83B14523-CBC9-447B-8B1E-2482DB2ABE73} - C:\WINDOWS\System32\setdrv32.dll
O2 - BHO: (no name) - {8ABA59B9-8851-42AF-AB62-7F2B0F1F91C2} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: (no name) - {C33C8573-91DA-4B8F-9367-30869932CB67} - C:\WINDOWS\System32\ffboveww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8341DF89-236A-4CC0-BE1B-8FEF52A23EAF}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA4556BB-846A-4599-AE8A-41E6E10B4078}: NameServer = 85.255.116.51,85.255.112.96
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O20 - Winlogon Notify: bnjpvkeu - C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
O20 - Winlogon Notify: dpghewcc - C:\WINDOWS\SYSTEM32\dpghewcc.dll
O20 - Winlogon Notify: dyjdwobo - C:\WINDOWS\SYSTEM32\dyjdwobo.dll
O20 - Winlogon Notify: emekqkqc - C:\WINDOWS\SYSTEM32\emekqkqc.dll
O20 - Winlogon Notify: epkainpu - C:\WINDOWS\SYSTEM32\epkainpu.dll
O20 - Winlogon Notify: euyytycp - C:\WINDOWS\SYSTEM32\euyytycp.dll
O20 - Winlogon Notify: fikrttiq - fikrttiq.dll (file missing)
O20 - Winlogon Notify: gutqtshu - C:\WINDOWS\SYSTEM32\gutqtshu.dll
O20 - Winlogon Notify: lbjteoqa - C:\WINDOWS\SYSTEM32\lbjteoqa.dll
O20 - Winlogon Notify: mdjjbacp - C:\WINDOWS\SYSTEM32\mdjjbacp.dll
O20 - Winlogon Notify: mqlslwta - C:\WINDOWS\SYSTEM32\mqlslwta.dll
O20 - Winlogon Notify: oefhkxxv - C:\WINDOWS\SYSTEM32\oefhkxxv.dll
O20 - Winlogon Notify: ohrretql - C:\WINDOWS\SYSTEM32\ohrretql.dll
O20 - Winlogon Notify: pxxaqxiu - C:\WINDOWS\SYSTEM32\pxxaqxiu.dll
O20 - Winlogon Notify: setdrv32 - C:\WINDOWS\SYSTEM32\setdrv32.dll
O20 - Winlogon Notify: sikdnqyq - C:\WINDOWS\SYSTEM32\sikdnqyq.dll
O20 - Winlogon Notify: socfhfic - C:\WINDOWS\SYSTEM32\socfhfic.dll
O20 - Winlogon Notify: susrhets - C:\WINDOWS\SYSTEM32\susrhets.dll
O20 - Winlogon Notify: twpR32 - twpR32.dll (file missing)
O20 - Winlogon Notify: unxolixu - C:\WINDOWS\SYSTEM32\unxolixu.dll
O20 - Winlogon Notify: uuqwhdoh - C:\WINDOWS\SYSTEM32\uuqwhdoh.dll
O20 - Winlogon Notify: ydlleclb - C:\WINDOWS\SYSTEM32\ydlleclb.dll
O20 - Winlogon Notify: yjciugiy - C:\WINDOWS\SYSTEM32\yjciugiy.dll
O20 - Winlogon Notify: ypvyreuk - C:\WINDOWS\SYSTEM32\ypvyreuk.dll
O21 - SSODL: BRvqbghlQ - {74577083-DEFD-DA29-665D-517683C1BB13} - C:\WINDOWS\System32\zce.dll
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\phijiikk.dll (file missing)
O21 - SSODL: Remote Connection - {B89DD3DB-8CF4-4716-9FF6-BDFDBB70B2BF} - C:\WINDOWS\System32\cmdlrans.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


#2 Glaswegian, Defender of the Haggis (Malware Response Team, 79 posts, Glasgow)

Posted 03 May 2006 - 04:10 PM

Hi goldeelocks and welcome to Bleeping Computer.

You may wish to Subscribe to this thread (Options) so that you are notified when you receive a reply.

Let’s do this first.

Vundo Fix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Iain
Win XP Pro / Win 7 Pro

#3 goldeelocks, Topic Starter (Members, 8 posts)

Posted 03 May 2006 - 08:11 PM

Hi There ....

Thank you so much for taking the time to help me!! I have downloaded and run vundo fix, and am now posting my logs:


VundoFix V4.2.73

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 9:01:23 PM 5/3/2006

Listing files found while scanning....

C:\WINDOWS\System32\setdrv32.dll

Attempting to delete C:\WINDOWS\System32\setdrv32.dll
C:\WINDOWS\System32\setdrv32.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 9:09:32 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F9B43D7-E0D3-4965-A51B-7CB7B66AA4D0} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8ABA59B9-8851-42AF-AB62-7F2B0F1F91C2} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: (no name) - {C33C8573-91DA-4B8F-9367-30869932CB67} - C:\WINDOWS\System32\ffboveww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8341DF89-236A-4CC0-BE1B-8FEF52A23EAF}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA4556BB-846A-4599-AE8A-41E6E10B4078}: NameServer = 85.255.116.51,85.255.112.96
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O20 - Winlogon Notify: ampwqhaw - C:\WINDOWS\SYSTEM32\ampwqhaw.dll
O20 - Winlogon Notify: bhnjqdon - C:\WINDOWS\SYSTEM32\bhnjqdon.dll
O20 - Winlogon Notify: bnjpvkeu - C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
O20 - Winlogon Notify: dpghewcc - C:\WINDOWS\SYSTEM32\dpghewcc.dll
O20 - Winlogon Notify: dyjdwobo - C:\WINDOWS\SYSTEM32\dyjdwobo.dll
O20 - Winlogon Notify: emekqkqc - C:\WINDOWS\SYSTEM32\emekqkqc.dll
O20 - Winlogon Notify: epkainpu - C:\WINDOWS\SYSTEM32\epkainpu.dll
O20 - Winlogon Notify: euyytycp - C:\WINDOWS\SYSTEM32\euyytycp.dll
O20 - Winlogon Notify: fikrttiq - fikrttiq.dll (file missing)
O20 - Winlogon Notify: gqjkcraw - C:\WINDOWS\SYSTEM32\gqjkcraw.dll
O20 - Winlogon Notify: gutqtshu - C:\WINDOWS\SYSTEM32\gutqtshu.dll
O20 - Winlogon Notify: ibodhimf - C:\WINDOWS\SYSTEM32\ibodhimf.dll
O20 - Winlogon Notify: lbjteoqa - C:\WINDOWS\SYSTEM32\lbjteoqa.dll
O20 - Winlogon Notify: lktxkdde - C:\WINDOWS\SYSTEM32\lktxkdde.dll
O20 - Winlogon Notify: lurpubda - C:\WINDOWS\SYSTEM32\lurpubda.dll
O20 - Winlogon Notify: mdjjbacp - C:\WINDOWS\SYSTEM32\mdjjbacp.dll
O20 - Winlogon Notify: mqlslwta - C:\WINDOWS\SYSTEM32\mqlslwta.dll
O20 - Winlogon Notify: oefhkxxv - C:\WINDOWS\SYSTEM32\oefhkxxv.dll
O20 - Winlogon Notify: ohrretql - C:\WINDOWS\SYSTEM32\ohrretql.dll
O20 - Winlogon Notify: pxxaqxiu - C:\WINDOWS\SYSTEM32\pxxaqxiu.dll
O20 - Winlogon Notify: sikdnqyq - C:\WINDOWS\SYSTEM32\sikdnqyq.dll
O20 - Winlogon Notify: sleiggjt - C:\WINDOWS\SYSTEM32\sleiggjt.dll
O20 - Winlogon Notify: socfhfic - C:\WINDOWS\SYSTEM32\socfhfic.dll
O20 - Winlogon Notify: susrhets - C:\WINDOWS\SYSTEM32\susrhets.dll
O20 - Winlogon Notify: thcqdemb - C:\WINDOWS\SYSTEM32\thcqdemb.dll
O20 - Winlogon Notify: trbcgibb - C:\WINDOWS\SYSTEM32\trbcgibb.dll
O20 - Winlogon Notify: twpR32 - twpR32.dll (file missing)
O20 - Winlogon Notify: unxolixu - C:\WINDOWS\SYSTEM32\unxolixu.dll
O20 - Winlogon Notify: uuqwhdoh - C:\WINDOWS\SYSTEM32\uuqwhdoh.dll
O20 - Winlogon Notify: xbxwlqxe - C:\WINDOWS\SYSTEM32\xbxwlqxe.dll
O20 - Winlogon Notify: ydlleclb - C:\WINDOWS\SYSTEM32\ydlleclb.dll
O20 - Winlogon Notify: yjciugiy - C:\WINDOWS\SYSTEM32\yjciugiy.dll
O20 - Winlogon Notify: ypvyreuk - C:\WINDOWS\SYSTEM32\ypvyreuk.dll
O21 - SSODL: BRvqbghlQ - {74577083-DEFD-DA29-665D-517683C1BB13} - C:\WINDOWS\System32\zce.dll
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\phijiikk.dll (file missing)
O21 - SSODL: Remote Connection - {B89DD3DB-8CF4-4716-9FF6-BDFDBB70B2BF} - C:\WINDOWS\System32\cmdlrans.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Glaswegian, Defender of the Haggis (Malware Response Team, 79 posts, Glasgow)

Posted 04 May 2006 - 04:50 PM

Hi again

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout or use this alternate location.


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O17 - HKLM\System\CCS\Services\Tcpip\..\{8341DF89-236A-4CC0-BE1B-8FEF52A23EAF}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA4556BB-846A-4599-AE8A-41E6E10B4078}: NameServer = 85.255.116.51,85.255.112.96


Please remember to close all other windows, including browsers then click Fix checked.


In your next post I need

report.txt
HijackThis Log

Iain
Win XP Pro / Win 7 Pro
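One way to triage a HijackThis log for the entry classes the helper has been acting on in this thread: the O17 NameServer change, the F2/F3 system.ini and win.ini launchers, the random-named O20 Winlogon Notify DLLs, and the O21/O23 entries that point at missing files. This is an added example, not code from HijackThis, VundoFix or FixWareout; the expected-resolver allowlist and the sample lines are constructed from the first log in the thread.

```python
"""HijackThis log triage: flag the entry classes this thread's helper acted on.

Added example (not HijackThis, VundoFix or FixWareout code). Reads lines in the
HJT v1.99.1 format shown in the thread and returns the reasons each line is suspect.
"""
import re

# Constructed allowlist of resolvers this host should use; any other O17
# NameServer value is flagged. On a real host use the ISP/DHCP resolvers.
EXPECTED_DNS = {"192.168.1.1"}

# The only programs that belong on the system.ini Shell= and UserInit= lines.
LEGIT_SHELL = {"explorer.exe"}
LEGIT_USERINIT = {"userinit.exe"}

# The O20 entries in the thread all use eight random lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def _basename(path):
    """File name of a Windows path, quotes and surrounding spaces removed, lower-cased."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Return a list of reasons one HJT line is suspect (empty list = not flagged)."""
    reasons = []
    line = line.strip()
    if " - " not in line:
        return reasons
    kind, rest = line.split(" - ", 1)

    if kind == "O17" and "NameServer = " in rest:
        servers = rest.split("NameServer = ", 1)[1].split(",")
        bad = [s.strip() for s in servers if s.strip() and s.strip() not in EXPECTED_DNS]
        if bad:
            reasons.append("O17 NameServer outside expected resolvers: " + ",".join(bad))

    elif kind == "F2" and "Shell=" in rest:
        # Shell= is space separated; quoted paths may themselves contain spaces.
        programs = re.findall(r'"[^"]+"|\S+', rest.split("Shell=", 1)[1])
        extra = [p for p in programs if _basename(p) not in LEGIT_SHELL]
        if extra:
            reasons.append("F2 Shell= starts extra program: " + " ".join(extra))

    elif kind == "F2" and "UserInit=" in rest:
        # UserInit= is comma separated.
        programs = [p for p in rest.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in programs if _basename(p) not in LEGIT_USERINIT]
        if extra:
            reasons.append("F2 UserInit= starts extra program: " + ",".join(extra))

    elif kind == "F3" and "run=" in rest:
        # win.ini run= is unused by current software; anything here is worth a look.
        reasons.append("F3 win.ini run= present: " + rest.split("run=", 1)[1].strip())

    elif kind == "O20":
        name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
        if RANDOM_NAME.match(name):
            reasons.append("O20 Winlogon Notify with random 8-letter name: " + name)
        if "(file missing)" in rest:
            reasons.append("O20 Winlogon Notify points at a missing file: " + name)

    elif kind in ("O21", "O23"):
        if "(file missing)" in rest:
            reasons.append(kind + " entry points at a missing file")
        if kind == "O23" and "Unknown owner" in rest:
            reasons.append("O23 service with unknown owner")

    return reasons


def triage_log(text):
    """Map each flagged line of a whole HJT log to its reasons, in log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8341DF89-236A-4CC0-BE1B-8FEF52A23EAF}: NameServer = 85.255.116.51,85.255.112.96
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O20 - Winlogon Notify: bnjpvkeu - C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Entries it does not flag (the O2 BHO and the iPod service above) still deserve a look by name and GUID; the script only narrows the list, it does not clear a line.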

#5 goldeelocks, Topic Starter (Members, 8 posts)

Posted 05 May 2006 - 09:41 PM

Hi There ....

What a difference!!! My computer has regained a lot of lost speed!!! Thank you ... Thank you ... Thank you!!! I am posting my new logs .... Please let me know what else I can do.


Logfile of HijackThis v1.99.1
Scan saved at 10:34:27 PM, on 5/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F9B43D7-E0D3-4965-A51B-7CB7B66AA4D0} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8ABA59B9-8851-42AF-AB62-7F2B0F1F91C2} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: (no name) - {C33C8573-91DA-4B8F-9367-30869932CB67} - C:\WINDOWS\System32\ffboveww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O20 - Winlogon Notify: ampwqhaw - C:\WINDOWS\SYSTEM32\ampwqhaw.dll
O20 - Winlogon Notify: bhnjqdon - C:\WINDOWS\SYSTEM32\bhnjqdon.dll
O20 - Winlogon Notify: bnjpvkeu - C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
O20 - Winlogon Notify: dpghewcc - C:\WINDOWS\SYSTEM32\dpghewcc.dll
O20 - Winlogon Notify: dyjdwobo - C:\WINDOWS\SYSTEM32\dyjdwobo.dll
O20 - Winlogon Notify: emekqkqc - C:\WINDOWS\SYSTEM32\emekqkqc.dll
O20 - Winlogon Notify: epkainpu - C:\WINDOWS\SYSTEM32\epkainpu.dll
O20 - Winlogon Notify: euyytycp - C:\WINDOWS\SYSTEM32\euyytycp.dll
O20 - Winlogon Notify: fikrttiq - fikrttiq.dll (file missing)
O20 - Winlogon Notify: gqjkcraw - C:\WINDOWS\SYSTEM32\gqjkcraw.dll
O20 - Winlogon Notify: gutqtshu - C:\WINDOWS\SYSTEM32\gutqtshu.dll
O20 - Winlogon Notify: ibodhimf - C:\WINDOWS\SYSTEM32\ibodhimf.dll
O20 - Winlogon Notify: lbjteoqa - C:\WINDOWS\SYSTEM32\lbjteoqa.dll
O20 - Winlogon Notify: lktxkdde - C:\WINDOWS\SYSTEM32\lktxkdde.dll
O20 - Winlogon Notify: lurpubda - C:\WINDOWS\SYSTEM32\lurpubda.dll
O20 - Winlogon Notify: mdjjbacp - C:\WINDOWS\SYSTEM32\mdjjbacp.dll
O20 - Winlogon Notify: mqlslwta - C:\WINDOWS\SYSTEM32\mqlslwta.dll
O20 - Winlogon Notify: oefhkxxv - C:\WINDOWS\SYSTEM32\oefhkxxv.dll
O20 - Winlogon Notify: ohrretql - C:\WINDOWS\SYSTEM32\ohrretql.dll
O20 - Winlogon Notify: pxxaqxiu - C:\WINDOWS\SYSTEM32\pxxaqxiu.dll
O20 - Winlogon Notify: sikdnqyq - C:\WINDOWS\SYSTEM32\sikdnqyq.dll
O20 - Winlogon Notify: sleiggjt - C:\WINDOWS\SYSTEM32\sleiggjt.dll
O20 - Winlogon Notify: socfhfic - C:\WINDOWS\SYSTEM32\socfhfic.dll
O20 - Winlogon Notify: susrhets - C:\WINDOWS\SYSTEM32\susrhets.dll
O20 - Winlogon Notify: thcqdemb - C:\WINDOWS\SYSTEM32\thcqdemb.dll
O20 - Winlogon Notify: trbcgibb - C:\WINDOWS\SYSTEM32\trbcgibb.dll
O20 - Winlogon Notify: twpR32 - twpR32.dll (file missing)
O20 - Winlogon Notify: unxolixu - C:\WINDOWS\SYSTEM32\unxolixu.dll
O20 - Winlogon Notify: uuqwhdoh - C:\WINDOWS\SYSTEM32\uuqwhdoh.dll
O20 - Winlogon Notify: xbxwlqxe - C:\WINDOWS\SYSTEM32\xbxwlqxe.dll
O20 - Winlogon Notify: ydlleclb - C:\WINDOWS\SYSTEM32\ydlleclb.dll
O20 - Winlogon Notify: yjciugiy - C:\WINDOWS\SYSTEM32\yjciugiy.dll
O20 - Winlogon Notify: ypvyreuk - C:\WINDOWS\SYSTEM32\ypvyreuk.dll
O21 - SSODL: BRvqbghlQ - {74577083-DEFD-DA29-665D-517683C1BB13} - C:\WINDOWS\System32\zce.dll
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\phijiikk.dll (file missing)
O21 - SSODL: Remote Connection - {B89DD3DB-8CF4-4716-9FF6-BDFDBB70B2BF} - C:\WINDOWS\System32\cmdlrans.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ftdmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
C:\WINDOWS\System32\service.exe

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMGSU.EXE 44,073 2002-08-29

#6 Glaswegian, Defender of the Haggis (Malware Response Team, 79 posts, Glasgow)

Posted 06 May 2006 - 12:04 PM

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.


I see you already have Ewido. Please update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.



Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK, Press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.




Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
Services
Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - .NET Runtime Optimization Service v1.000.3.1434
  • Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in "Service name", i.e. the name of the service you just noted as above, & then click on the OK button.



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: (no name) - {6F9B43D7-E0D3-4965-A51B-7CB7B66AA4D0} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: (no name) - {8ABA59B9-8851-42AF-AB62-7F2B0F1F91C2} - C:\WINDOWS\System32\ffboveww.dll
O2 - BHO: (no name) - {C33C8573-91DA-4B8F-9367-30869932CB67} - C:\WINDOWS\System32\ffboveww.dll
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O20 - Winlogon Notify: ampwqhaw - C:\WINDOWS\SYSTEM32\ampwqhaw.dll
O20 - Winlogon Notify: bhnjqdon - C:\WINDOWS\SYSTEM32\bhnjqdon.dll
O20 - Winlogon Notify: bnjpvkeu - C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
O20 - Winlogon Notify: dpghewcc - C:\WINDOWS\SYSTEM32\dpghewcc.dll
O20 - Winlogon Notify: dyjdwobo - C:\WINDOWS\SYSTEM32\dyjdwobo.dll
O20 - Winlogon Notify: emekqkqc - C:\WINDOWS\SYSTEM32\emekqkqc.dll
O20 - Winlogon Notify: epkainpu - C:\WINDOWS\SYSTEM32\epkainpu.dll
O20 - Winlogon Notify: euyytycp - C:\WINDOWS\SYSTEM32\euyytycp.dll
O20 - Winlogon Notify: fikrttiq - fikrttiq.dll (file missing)
O20 - Winlogon Notify: gqjkcraw - C:\WINDOWS\SYSTEM32\gqjkcraw.dll
O20 - Winlogon Notify: gutqtshu - C:\WINDOWS\SYSTEM32\gutqtshu.dll
O20 - Winlogon Notify: ibodhimf - C:\WINDOWS\SYSTEM32\ibodhimf.dll
O20 - Winlogon Notify: lbjteoqa - C:\WINDOWS\SYSTEM32\lbjteoqa.dll
O20 - Winlogon Notify: lktxkdde - C:\WINDOWS\SYSTEM32\lktxkdde.dll
O20 - Winlogon Notify: lurpubda - C:\WINDOWS\SYSTEM32\lurpubda.dll
O20 - Winlogon Notify: mdjjbacp - C:\WINDOWS\SYSTEM32\mdjjbacp.dll
O20 - Winlogon Notify: mqlslwta - C:\WINDOWS\SYSTEM32\mqlslwta.dll
O20 - Winlogon Notify: oefhkxxv - C:\WINDOWS\SYSTEM32\oefhkxxv.dll
O20 - Winlogon Notify: ohrretql - C:\WINDOWS\SYSTEM32\ohrretql.dll
O20 - Winlogon Notify: pxxaqxiu - C:\WINDOWS\SYSTEM32\pxxaqxiu.dll
O20 - Winlogon Notify: sikdnqyq - C:\WINDOWS\SYSTEM32\sikdnqyq.dll
O20 - Winlogon Notify: sleiggjt - C:\WINDOWS\SYSTEM32\sleiggjt.dll
O20 - Winlogon Notify: socfhfic - C:\WINDOWS\SYSTEM32\socfhfic.dll
O20 - Winlogon Notify: susrhets - C:\WINDOWS\SYSTEM32\susrhets.dll
O20 - Winlogon Notify: thcqdemb - C:\WINDOWS\SYSTEM32\thcqdemb.dll
O20 - Winlogon Notify: trbcgibb - C:\WINDOWS\SYSTEM32\trbcgibb.dll
O20 - Winlogon Notify: twpR32 - twpR32.dll (file missing)
O20 - Winlogon Notify: unxolixu - C:\WINDOWS\SYSTEM32\unxolixu.dll
O20 - Winlogon Notify: uuqwhdoh - C:\WINDOWS\SYSTEM32\uuqwhdoh.dll
O20 - Winlogon Notify: xbxwlqxe - C:\WINDOWS\SYSTEM32\xbxwlqxe.dll
O20 - Winlogon Notify: ydlleclb - C:\WINDOWS\SYSTEM32\ydlleclb.dll
O20 - Winlogon Notify: yjciugiy - C:\WINDOWS\SYSTEM32\yjciugiy.dll
O20 - Winlogon Notify: ypvyreuk - C:\WINDOWS\SYSTEM32\ypvyreuk.dll
O21 - SSODL: BRvqbghlQ - {74577083-DEFD-DA29-665D-517683C1BB13} - C:\WINDOWS\System32\zce.dll
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\phijiikk.dll (file missing)
O21 - SSODL: Remote Connection - {B89DD3DB-8CF4-4716-9FF6-BDFDBB70B2BF} - C:\WINDOWS\System32\cmdlrans.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\Service.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\inet20091
C:\WINDOWS\System32\rpcs_863.exe
C:\WINDOWS\System32\ffboveww.dll
C:\WINDOWS\System32\zce.dll


And delete all of these – remember – the files only

C:\WINDOWS\SYSTEM32\ampwqhaw.dll
C:\WINDOWS\SYSTEM32\bhnjqdon.dll
C:\WINDOWS\SYSTEM32\bnjpvkeu.dll
C:\WINDOWS\SYSTEM32\dpghewcc.dll
C:\WINDOWS\SYSTEM32\dyjdwobo.dll
C:\WINDOWS\SYSTEM32\emekqkqc.dll
C:\WINDOWS\SYSTEM32\epkainpu.dll
C:\WINDOWS\SYSTEM32\euyytycp.dll
C:\WINDOWS\SYSTEM32\gqjkcraw.dll
C:\WINDOWS\SYSTEM32\gutqtshu.dll
C:\WINDOWS\SYSTEM32\ibodhimf.dll
C:\WINDOWS\SYSTEM32\lbjteoqa.dll
C:\WINDOWS\SYSTEM32\lktxkdde.dll
C:\WINDOWS\SYSTEM32\lurpubda.dll
C:\WINDOWS\SYSTEM32\mdjjbacp.dll
C:\WINDOWS\SYSTEM32\mqlslwta.dll
C:\WINDOWS\SYSTEM32\oefhkxxv.dll
C:\WINDOWS\SYSTEM32\ohrretql.dll
C:\WINDOWS\SYSTEM32\pxxaqxiu.dll
C:\WINDOWS\SYSTEM32\sikdnqyq.dll
C:\WINDOWS\SYSTEM32\sleiggjt.dll
C:\WINDOWS\SYSTEM32\socfhfic.dll
C:\WINDOWS\SYSTEM32\susrhets.dll
C:\WINDOWS\SYSTEM32\thcqdemb.dll
C:\WINDOWS\SYSTEM32\trbcgibb.dll
C:\WINDOWS\SYSTEM32\unxolixu.dll
C:\WINDOWS\SYSTEM32\uuqwhdoh.dll
C:\WINDOWS\SYSTEM32\xbxwlqxe.dll
C:\WINDOWS\SYSTEM32\ydlleclb.dll
C:\WINDOWS\SYSTEM32\yjciugiy.dll
C:\WINDOWS\SYSTEM32\ypvyreuk.dll



Run Ewido
Run Ewido with its updated definitions (...it's important that all windows must be closed)
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save Report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

NOTE: Ewido scan will require at least an hour.



Reboot
Reboot your system in Normal Mode.



Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of Panda's 8 MB ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
Ewido Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.

Edited by Glaswegian, 06 May 2006 - 12:06 PM.

Iain
Win XP Pro / Win 7 Pro
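An added example, not code from the thread or from any of the tools mentioned in it: a small Python triage script for HijackThis v1.99 logs that flags the classes of entry Glaswegian asked to have fixed above (F2 Shell= and UserInit= additions, F3 win.ini run= autostarts, O20 Winlogon Notify and O21 SSODL entries whose DLL is missing or has a random-looking name, O23 services with no owner or no binary). The sample log is constructed from lines quoted in this thread; the random-name pattern and the allowlist of stock Windows XP notify packages are assumptions of the example, so anything it flags still needs confirming (e.g. by submitting the file to VirusTotal, as the earlier post suggests).

```python
"""Triage a HijackThis v1.99 log for the entry classes discussed in this thread.

Hypothetical example written for this page; it is not part of HijackThis.
"""
import re
from typing import List, Tuple

# Constructed sample: lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\rpcs_863.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ampwqhaw - C:\WINDOWS\SYSTEM32\ampwqhaw.dll
O20 - Winlogon Notify: agimbppn - agimbppn.dll (file missing)
O21 - SSODL: IEFilter - {C2174BB2-2744-44BA-A475-55F069B53300} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\System32\yvcaaaaa.exe (file missing)
"""

# Every HJT entry starts with a section code ("F2", "O20", "R1", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[FOR]\d+) - (?P<body>.*)$")

# Heuristic: the rogue notify packages in this thread are all exactly eight
# lowercase letters (ampwqhaw, bhnjqdon, ...).  Stock XP packages that happen
# to fit the same shape are allowlisted so they are not flagged.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

Finding = Tuple[str, str, str]  # (section code, reason, original line)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match the entry classes fixed in this thread."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, "Running processes:" block, blank line
        kind, body = match.group("kind"), match.group("body")
        reason = None

        if kind == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly explorer.exe; anything
            # appended is started every time the shell loads.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                reason = "Shell= runs a program besides explorer.exe"

        elif kind == "F2" and "UserInit=" in body:
            # UserInit= is a comma list; the stock value is userinit.exe only.
            progs = [p.strip().strip('"').lower()
                     for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(progs) != 1 or not progs[0].endswith("\\userinit.exe"):
                reason = "UserInit= launches an extra program"

        elif kind == "F3":
            reason = "win.ini run= autostart (rarely used by legitimate software)"

        elif kind == "O20":
            _, _, rest = body.partition(": ")        # "Winlogon Notify: name - path"
            name, _, path = rest.partition(" - ")
            if "(file missing)" in path:
                reason = "Winlogon Notify package whose DLL is gone (orphaned key)"
            elif RANDOM_NAME_RE.match(name) and name.lower() not in KNOWN_NOTIFY:
                reason = "Winlogon Notify package with a random-looking name"

        elif kind == "O21" and "(file missing)" in body:
            reason = "ShellServiceObjectDelayLoad entry pointing at a missing DLL"

        elif kind == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reason = "service with no vendor string or a missing binary"

        if reason:
            findings.append((kind, reason, line))
    return findings


def count_by_section(findings: List[Finding]) -> dict:
    """Summarise findings per HJT section code, e.g. {'O20': 2, ...}."""
    counts: dict = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
    print(count_by_section(triage(SAMPLE_LOG)))
```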

#7 goldeelocks

goldeelocks
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 06 May 2006 - 03:28 PM

Hi Again ....

I did everything on the last post, but I notice that the files I deleted from HJT are still there .... have I done something wrong? Here are my new logs ...


Logfile of HijackThis v1.99.1
Scan saved at 4:23:44 PM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: ampwqhaw - ampwqhaw.dll (file missing)
O20 - Winlogon Notify: bhnjqdon - bhnjqdon.dll (file missing)
O20 - Winlogon Notify: bnjpvkeu - bnjpvkeu.dll (file missing)
O20 - Winlogon Notify: dpghewcc - dpghewcc.dll (file missing)
O20 - Winlogon Notify: dyjdwobo - dyjdwobo.dll (file missing)
O20 - Winlogon Notify: emekqkqc - emekqkqc.dll (file missing)
O20 - Winlogon Notify: epkainpu - epkainpu.dll (file missing)
O20 - Winlogon Notify: euyytycp - euyytycp.dll (file missing)
O20 - Winlogon Notify: gqjkcraw - gqjkcraw.dll (file missing)
O20 - Winlogon Notify: gutqtshu - gutqtshu.dll (file missing)
O20 - Winlogon Notify: ibodhimf - ibodhimf.dll (file missing)
O20 - Winlogon Notify: lbjteoqa - lbjteoqa.dll (file missing)
O20 - Winlogon Notify: lktxkdde - lktxkdde.dll (file missing)
O20 - Winlogon Notify: lurpubda - lurpubda.dll (file missing)
O20 - Winlogon Notify: mdjjbacp - mdjjbacp.dll (file missing)
O20 - Winlogon Notify: mqlslwta - mqlslwta.dll (file missing)
O20 - Winlogon Notify: oefhkxxv - oefhkxxv.dll (file missing)
O20 - Winlogon Notify: ohrretql - ohrretql.dll (file missing)
O20 - Winlogon Notify: pxxaqxiu - pxxaqxiu.dll (file missing)
O20 - Winlogon Notify: sikdnqyq - sikdnqyq.dll (file missing)
O20 - Winlogon Notify: sleiggjt - sleiggjt.dll (file missing)
O20 - Winlogon Notify: socfhfic - socfhfic.dll (file missing)
O20 - Winlogon Notify: susrhets - susrhets.dll (file missing)
O20 - Winlogon Notify: thcqdemb - thcqdemb.dll (file missing)
O20 - Winlogon Notify: trbcgibb - trbcgibb.dll (file missing)
O20 - Winlogon Notify: unxolixu - unxolixu.dll (file missing)
O20 - Winlogon Notify: uuqwhdoh - uuqwhdoh.dll (file missing)
O20 - Winlogon Notify: xbxwlqxe - xbxwlqxe.dll (file missing)
O20 - Winlogon Notify: ydlleclb - ydlleclb.dll (file missing)
O20 - Winlogon Notify: yjciugiy - yjciugiy.dll (file missing)
O20 - Winlogon Notify: ypvyreuk - ypvyreuk.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:59:13 PM, 5/6/2006
+ Report-Checksum: 52F68B85

+ Scan result:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\SYSTEM32\ampwqhaw.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\bhnjqdon.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\bnjpvkeu.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\dpghewcc.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\dyjdwobo.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\emekqkqc.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\epkainpu.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\euyytycp.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\gqjkcraw.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\gutqtshu.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\ibodhimf.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\lbjteoqa.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\lktxkdde.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\lurpubda.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\mdjjbacp.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\mqlslwta.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\oefhkxxv.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\ohrretql.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\pxxaqxiu.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\Service.exe -> Proxy.800 : Cleaned with backup
C:\WINDOWS\SYSTEM32\sikdnqyq.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\sleiggjt.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\socfhfic.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\susrhets.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\thcqdemb.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\trbcgibb.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\unxolixu.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\uuqwhdoh.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\xbxwlqxe.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\ydlleclb.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\yjciugiy.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\ypvyreuk.dll -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\SYSTEM32\zce.dll -> Proxy.Agent.df : Cleaned with backup
C:\WINDOWS\TEMP\1.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\10.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\11.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\12.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\13.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\14.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\15.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\16.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\17.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\18.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\19.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1A.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1B.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1C.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1D.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1E.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\1F.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\2.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\3.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\4.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\5.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\6.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\7.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\8.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\9.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\A.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\B.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\C.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\D.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\E.tmp -> Proxy.Agent.jz : Cleaned with backup
C:\WINDOWS\TEMP\F.tmp -> Proxy.Agent.jz : Cleaned with backup




Incident Status Location

Adware:adware/delfinmedia Not disinfected c:\program files\common files\remove_tools.html
Adware:adware/adsmart Not disinfected c:\windows\system32\vx.tll
Adware:adware/keenvalue Not disinfected c:\windows\system32\drivers\etc\hosts.bho
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/cws.yexe Not disinfected c:\messanger.ini
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Spyware:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/powerscan Not disinfected Windows Registry
Hacktool:rootkit/fu.a Not disinfected hkey_local_machine\system\currentcontrolset\services\msdirectx
Adware:adware/superbar Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_classes_root\clsid\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:spyware/rxtoolbar Not disinfected Windows Registry
Dialer:dialer.bqw Not disinfected hkey_current_user\software\microsoft\internet explorer\main\conc
Adware:adware/iedriver Not disinfected Windows Registry
Adware:adware/looksmart Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Virus:Trj/Downloader.IRS Disinfected C:\Documents and Settings\Chris\My Documents\Stuff\m00.exe

#8 goldeelocks

goldeelocks
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 06 May 2006 - 03:47 PM

Hi Again ....

I forgot to mention that my computer is running much better ..... a huge difference!!! When I start up the computer I get the following 2 messages:

Windows cannot find c\windows\inet20091\services.exe, make sure you typed the name correctly and then try again. To search for a file, click the start button, and then search.


Could not load or run c\windows\inet20091\services.exe specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.


Thanks so Much for your help!!!

#9 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:Glasgow
  • Local time:02:38 AM

Posted 07 May 2006 - 02:23 PM

Hi

You’ve done everything right! Those entries are just leftover Registry entries.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.



Click on the zip file attached to this post to open and extract the file gold.reg to your desktop. Double click on the file gold.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.




Downloads
Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Download MVPS Hosts file to your desktop. Do not use it yet.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

F3 - REG:win.ini: run=C:\WINDOWS\inet20091\services.exe
O4 - HKCU\..\Run: [Network Update] C:\WINDOWS\System32\rpcs_863.exe
O20 - Winlogon Notify: ampwqhaw - ampwqhaw.dll (file missing)
O20 - Winlogon Notify: bhnjqdon - bhnjqdon.dll (file missing)
O20 - Winlogon Notify: bnjpvkeu - bnjpvkeu.dll (file missing)
O20 - Winlogon Notify: dpghewcc - dpghewcc.dll (file missing)
O20 - Winlogon Notify: dyjdwobo - dyjdwobo.dll (file missing)
O20 - Winlogon Notify: emekqkqc - emekqkqc.dll (file missing)
O20 - Winlogon Notify: epkainpu - epkainpu.dll (file missing)
O20 - Winlogon Notify: euyytycp - euyytycp.dll (file missing)
O20 - Winlogon Notify: gqjkcraw - gqjkcraw.dll (file missing)
O20 - Winlogon Notify: gutqtshu - gutqtshu.dll (file missing)
O20 - Winlogon Notify: ibodhimf - ibodhimf.dll (file missing)
O20 - Winlogon Notify: lbjteoqa - lbjteoqa.dll (file missing)
O20 - Winlogon Notify: lktxkdde - lktxkdde.dll (file missing)
O20 - Winlogon Notify: lurpubda - lurpubda.dll (file missing)
O20 - Winlogon Notify: mdjjbacp - mdjjbacp.dll (file missing)
O20 - Winlogon Notify: mqlslwta - mqlslwta.dll (file missing)
O20 - Winlogon Notify: oefhkxxv - oefhkxxv.dll (file missing)
O20 - Winlogon Notify: ohrretql - ohrretql.dll (file missing)
O20 - Winlogon Notify: pxxaqxiu - pxxaqxiu.dll (file missing)
O20 - Winlogon Notify: sikdnqyq - sikdnqyq.dll (file missing)
O20 - Winlogon Notify: sleiggjt - sleiggjt.dll (file missing)
O20 - Winlogon Notify: socfhfic - socfhfic.dll (file missing)
O20 - Winlogon Notify: susrhets - susrhets.dll (file missing)
O20 - Winlogon Notify: thcqdemb - thcqdemb.dll (file missing)
O20 - Winlogon Notify: trbcgibb - trbcgibb.dll (file missing)
O20 - Winlogon Notify: unxolixu - unxolixu.dll (file missing)
O20 - Winlogon Notify: uuqwhdoh - uuqwhdoh.dll (file missing)
O20 - Winlogon Notify: xbxwlqxe - xbxwlqxe.dll (file missing)
O20 - Winlogon Notify: ydlleclb - ydlleclb.dll (file missing)
O20 - Winlogon Notify: yjciugiy - yjciugiy.dll (file missing)
O20 - Winlogon Notify: ypvyreuk - ypvyreuk.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED if they still exist.

c:\program files\common files\remove_tools.html
c:\windows\system32\vx.tll
c:\windows\system32\drivers\etc\hosts.bho <- - Take care with file name here
c:\messanger.ini <- - Go to Start > Search to find this file
c:\windows\didduid.ini
c:\windows\smdat32a.sys
c:\windows\uniq
c:\Documents and Settings\Chris\My Documents\Stuff\m00.exe


Reboot
Reboot your system in Normal Mode.



MVPS HOSTS File
From within Host.zip, double click on MVPS.bat and allow it to run.



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post back with the Kaspersky Log and a fresh HijackThis Log.

Attached Files

  • Attached File  gold.zip   287bytes   4 downloads

Iain
Win XP Pro / Win 7 Pro

#10 goldeelocks

goldeelocks
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 07 May 2006 - 05:21 PM

Hi Again ....

Seems like a lot of the junk on my computer is slowly disappearing .... Thank you so much!!! Both of the messages that I was receiving on start up are gone now, and my computer seems so much better now!!

I am posting the logs that you requested .... Please let me know what else to do!!

Thanks Again!!



Logfile of HijackThis v1.99.1
Scan saved at 6:14:11 PM, on 5/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Sunday, May 07, 2006 6:06:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 7/05/2006
Kaspersky Anti-Virus database records: 192311


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 32495
Number of viruses found: 16
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 00:48:47

Infected Object Name / Virus Name / Last Action
C:\!KillBox\ibm00001.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\!KillBox\inet20091\killer.exe Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\!KillBox\inet20091\killer.exe.bak Infected: not-a-virus:RiskTool.Win32.PsKill.j skipped
C:\bpc_bundleware.exe/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped
C:\bpc_bundleware.exe NSIS: infected - 1 skipped
C:\info6_s.cab/Information.exe Infected: Trojan.Win32.Dialer.t skipped
C:\info6_s.cab CAB: infected - 1 skipped
C:\Program Files\ccsetup127.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\ccsetup127.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\ccsetup127.exe NSIS: infected - 2 skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.fz skipped
C:\Program Files\FINDnFIX.exe/keys1/NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped
C:\Program Files\FINDnFIX.exe ZIP: infected - 1 skipped
C:\Program Files\Plus!\flowerpowerwp-63821.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Plus!\flowerpowerwp-63821.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.a skipped
C:\Program Files\Plus!\flowerpowerwp-63821.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Program Files\Plus!\flowerpowerwp-63821.exe WiseSFX: infected - 3 skipped
C:\Program Files\Plus!\Themes\adeerone.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Plus!\Themes\adeerone.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.a skipped
C:\Program Files\Plus!\Themes\adeerone.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Program Files\Plus!\Themes\adeerone.exe WiseSFX: infected - 3 skipped
C:\Program Files\Plus!\Themes\whitedeerwp.exe/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Plus!\Themes\whitedeerwp.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Wren.d skipped
C:\Program Files\Plus!\Themes\whitedeerwp.exe WiseSFX: infected - 2 skipped
C:\skeet.exe Infected: Backdoor.Win32.SdBot.gen skipped
C:\unzipped\hijackthis\backups\backup-20060210-173641-305.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\WINDOWS\MemAlloc.exe Infected: Trojan.Win32.Dialer.bz skipped
C:\WINDOWS\SYSTEM32\dmgsu.exe Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\SYSTEM32\unypcjjh.exe Infected: Trojan-Downloader.Win32.Murlo.dm skipped
Scan process completed.

#11 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:Glasgow
  • Local time:02:38 AM

Posted 08 May 2006 - 04:03 PM

Hi again

Kaspersky has confirmed that the MemAlloc file is a baddie – I wasn’t sure what to make of it earlier. You can delete Killbox. It looks like some of your themes may be infected – I would recommend removing them, especially the flowerpower one, but the decision is yours.


Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.

HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe

Please remember to close all other windows, including browsers then click Fix checked.



Delete the following Files indicated in RED if they still exist.

C:\ bpc_bundleware.exe <- - Go to Start > Search to find this file
C:\ info6_s.cab <- - Go to Start > Search to find this file
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\ skeet.exe
C:\WINDOWS\MemAlloc.exe
C:\WINDOWS\SYSTEM32\dmgsu.exe
C:\WINDOWS\SYSTEM32\unypcjjh.exe



Reboot
Reboot your system in Normal Mode.


Please do another online scan, choosing any one from this list

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym


Please post back with the scan results and a fresh HijackThis Log.
Iain
Win XP Pro / Win 7 Pro
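What Glaswegian does above, matching the scanner's infected-object list against the HijackThis autostart entries, as a small Python example added here (it is not the helper's or the thread's code; the sample lines are constructed in the thread's own log format):

```python
import re

# Constructed sample input: a few HijackThis lines in the thread's format, covering
# the sections that carry a file path; not the complete log posted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample of the Kaspersky "Infected Object Name / Virus Name" lines.
KAV_SAMPLE = r"""
C:\WINDOWS\MemAlloc.exe Infected: Trojan.Win32.Dialer.bz skipped
C:\skeet.exe Infected: Backdoor.Win32.SdBot.gen skipped
C:\bpc_bundleware.exe/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Image path at the start of a command line: optional opening quote, then the
# shortest run up to .exe/.dll/.ocx, so unquoted paths with spaces still work.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
KAV_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+)")


def parse_hjt(text):
    """Return [{'section', 'name', 'path'}] for O2/O3/O9/O23 entries (path is the
    last ' - ' segment) and O4 entries (path is the image in the command line)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.match(m.group("cmd"))
            # a bare name such as SysTray.Exe carries no directory: no path to match
            path = p.group("path") if p and "\\" in p.group("path") else None
            entries.append({"section": "O4", "name": m.group("name"), "path": path})
        elif line[:3] in ("O2 ", "O3 ", "O9 ") or line.startswith("O23 "):
            section, _, rest = line.partition(" - ")
            head, _, path = rest.rpartition(" - ")
            entries.append({"section": section, "name": head, "path": path})
    return entries


def parse_kav(text):
    """Map top-level infected file (case-folded) -> verdict. Archive members are
    reported as file/member, so the part before the first '/' is the file."""
    hits = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            hits[m.group("obj").split("/")[0].lower()] = m.group("verdict")
    return hits


def cross_reference(hjt_text, kav_text):
    """Autostart/service entries whose image file the scanner flagged. Exact match
    after case folding only: 8.3 names such as PROGRA~1 would have to be expanded
    on the machine itself, so they are deliberately not matched here."""
    verdicts = parse_kav(kav_text)
    out = []
    for e in parse_hjt(hjt_text):
        if e["path"] and e["path"].lower() in verdicts:
            out.append((e["section"], e["name"], e["path"], verdicts[e["path"].lower()]))
    return out


if __name__ == "__main__":
    for section, name, path, verdict in cross_reference(HJT_SAMPLE, KAV_SAMPLE):
        print(f"{section} [{name}] {path} -> {verdict}")
```

A hit is a lead to confirm with the machine's owner, not a verdict: the poster's next reply explains that MemAlloc belongs to a program she installed herself.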

#12 goldeelocks

goldeelocks
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 08 May 2006 - 06:39 PM

Hi There ...

Before I do any of this I should mention that the MemAlloc file is a file needed to run a program that I installed called Inet Disable, it is a program that I use to shut down internet access after a certain hour ... I use it to keep my teenagers off the internet while I'm sleeping. Once before I received a false positive from AVG on this file. If I remove it I will no longer be able to use the program.
So, until I hear from you I won't do anything ... I don't want to mess anything up!!

Thanks so much for your help!!

#13 goldeelocks

goldeelocks
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 08 May 2006 - 08:22 PM

Hi Again ....

Ok, I decided to go ahead with everything you said to do except I didn't do anything with the MemAlloc file since I know what that is.
Here's my new logs .... Thanks so much for your help!!


Logfile of HijackThis v1.99.1
Scan saved at 9:16:27 PM, on 5/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\MemAlloc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136481700\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136481700\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138413282997
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

BitDefender Online Scanner

Scan report generated at: Mon, May 08, 2006 - 21:11:10
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:44:50
Files: 121419
Folders: 3825
Boot Sectors: 2
Archives: 2045
Packed Files: 3964

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 373965
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Program Files\AIM\AIM95_c0\Sysfiles\WxBug.EXE=>wise0008 - Detected with: Adware.Wheaterbug.A
C:\Program Files\AIM\AIM95_c0\Sysfiles\WxBug.EXE=>wise0008 - Disinfection failed
C:\Program Files\AIM\AIM95_c0\Sysfiles\WxBug.EXE=>wise0008 - Deleted
C:\Program Files\AIM\AIM95_c0\Sysfiles\WxBug.EXE - Update failed

#14 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:Glasgow
  • Local time:02:38 AM

Posted 09 May 2006 - 04:34 PM

Thanks for the update on MemAlloc – I shall remember that!

WxBug is Weatherbug but I don’t see it installed on your system, so you can safely delete it. Any more problems? If not, you’re clean, so we’ll just tidy up and I’ll let you go.


Reset Hidden/System Files
To reset your hidden and system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
System Restore
To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives", then click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

To turn System Restore back on, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.



IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections, and a possible reason you were infected. Visit Windows Update to get the KB912919 patch.



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen.


MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera


Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall


Anti Virus Software
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles

How Did I Get Infected In The First Place?
The Anti-Spyware Tutorial.
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
Iain
Win XP Pro / Win 7 Pro
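The HOSTS mechanism described under MVPS Hosts File, as an added Python example (not the thread's or the MVPS project's code): parse a HOSTS file, show how a sinkholed name resolves, and flag entries that send a vendor or update host somewhere other than the local machine, which is the same mechanism used in reverse by a tampered HOSTS file. The HOSTS content, the example.* names and the 192.0.2.10 address are constructed sample data.

```python
import ipaddress

# Constructed sample HOSTS file (not the MVPS file): comment lines, the localhost
# entry, MVPS-style ad-site sinkholes, and one entry that points two hosts the
# thread's cleanup relies on at a non-local address (constructed, 192.0.2.10).
HOSTS_SAMPLE = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1  ads.example.com  # [Ad network]
127.0.0.1  banners.example.net
0.0.0.0    tracker.example.org
192.0.2.10  housecall.trendmicro.com update.microsoft.com
"""

# Addresses that make a name resolve to nothing useful: the MVPS "block" effect.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs. '#' starts a comment anywhere on a line and
    one address may be followed by several hostnames; malformed lines are
    skipped, as the Windows resolver skips them."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def lookup(pairs, hostname):
    """Address a name resolves to through HOSTS; first match wins, as in the resolver."""
    for ip, name in pairs:
        if name == hostname.lower():
            return ip
    return None


def audit(text, protected):
    """Split entries into names sent to a local sink (blocked, the intended MVPS
    effect) and protected names sent anywhere else (worth a close look)."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in LOCAL_SINKS:
            blocked.append(name)
        elif name in protected:
            redirected.append((name, ip))
    return blocked, redirected
```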



