Infected With Trojan Horse Dialer


This topic is locked
13 replies to this topic

#1 wise_rob

Posted 01 October 2006 - 06:43 AM

Hi,

I have followed the guide here and cut and pasted the log.

Can anyone help me get rid of this annoying problem?

It also seems to be creating lots of unwanted pop-ups!

I followed this help: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Thanks all




Logfile of HijackThis v1.99.1
Scan saved at 12:34:37, on 01/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Arcade\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\ProShow Gold\ScsiAccess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Rob\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [muwniyi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muwniyi.dll,angxnhf
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [zlbcvon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zlbcvon.dll,rgwxhjb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E8A3661-FB5B-4AEF-BF60-B0E9712FAE49} (Silverwire Image Uploader 3.0 Control) - http://www.fotowire.com/download/client/up...geUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151584936078
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\ProShow Gold\ScsiAccess.exe
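Added example (not from the thread, and not part of HijackThis): a small Python script that re-reads the O4 autostart lines from the log above and flags the two entries that load a DLL through rundll32.exe. The sample lines are copied from the log; the heuristics, the KNOWN_EXPORTS allow-list and all function names are this example's own assumptions, and a real triage would still check the flagged files against a signature database rather than trust name patterns alone.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example, not part of the original thread or of HijackThis.
Sample lines are copied from the first log in the thread; the
heuristics and names below are this example's own choices.
"""
import re

# Constructed sample: four O4 lines taken from the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [muwniyi.dll] C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\muwniyi.dll,angxnhf
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O4 - HKLM\\..\\Run: [zlbcvon.dll] C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zlbcvon.dll,rgwxhjb
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "rundll32[.exe] <dll path>,<export>" (path may be quoted or not)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S+)', re.I)

# (dll basename, export) pairs known to be started this way on this box.
# Assumption of this example: the NVIDIA control panel entry is legitimate.
KNOWN_EXPORTS = {("nvcpl.dll", "nvstartup")}


def parse_o4(line):
    """Return hive/name/cmd for an O4 Run line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicion_reasons(entry):
    """List the indicators that make a rundll32-loaded O4 entry suspicious."""
    reasons = []
    m = RUNDLL_RE.search(entry["cmd"])
    if not m:
        return reasons  # only rundll32-style loaders are assessed here
    dll_path = m.group("dll")
    dll = dll_path.rsplit("\\", 1)[-1].lower()
    export = m.group("export").lower()
    if (dll, export) in KNOWN_EXPORTS:
        return reasons
    if entry["name"].lower() == dll:
        reasons.append("Run value named after the DLL it loads")
    if "\\system32\\" in dll_path.lower():
        reasons.append("rundll32 loading an unrecognised DLL from system32")
    if re.fullmatch(r"[a-z]{6,9}", export):
        reasons.append(f"export name '{export}' is an unnamed lowercase token")
    return reasons


def scan(log_text):
    """Map each suspicious O4 value name to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the muwniyi.dll and zlbcvon.dll entries are reported; the NVIDIA and Windows Defender lines pass. Each reason is a structural indicator visible in the log itself (the value name equals the DLL name, the DLL sits in system32, the export is a random-looking token), which is the same reasoning a helper applies by eye.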

#2 Buckeye_Sam (Malware Expert)

Posted 02 October 2006 - 08:52 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 wise_rob (Topic Starter)

Posted 03 October 2006 - 06:46 AM

Hi,

Thanks for all your help. Here is the report.

Rob - 06-10-03 12:41:25.57 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Rob\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{156813FD-0640-1033-1026-04080904002c}


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-01 20:16 661,008 ---hs---- C:\WINDOWS\system32\ihkmp.bak2
2006-10-01 12:27 93,696 --a------ C:\WINDOWS\system32\zlbcvon.dll
2006-10-01 12:27 72,704 --a------ C:\WINDOWS\system32\yamgzxe.dll
2006-10-01 06:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-30 21:32 0 -rahs---- C:\MSDOS.SYS
2006-09-30 21:32 0 -rahs---- C:\IO.SYS
2006-09-30 20:15 86,068 --a------ C:\WINDOWS\system32\yrvbivsq.dll
2006-09-30 20:15 668,517 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
2006-09-30 20:15 143,380 --a------ C:\WINDOWS\system32\egmmftbi.exe
2006-09-30 20:14 577,588 ---hs---- C:\WINDOWS\system32\pmkhi.dll
2006-09-30 20:09 94,208 --a------ C:\WINDOWS\system32\muwniyi.dll
2006-09-30 20:09 72,704 --a------ C:\WINDOWS\system32\qfnckpm.dll
2006-09-30 20:09 40,973 ---hs---- C:\WINDOWS\system32\byxxutq.dll
2006-09-29 13:59 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-09-29 13:59 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-09-29 13:59 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-09-29 13:59 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-09-29 13:59 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-09-29 13:59 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-09-29 13:58 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-09-29 13:58 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-09-29 13:58 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-29 13:58 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-29 13:58 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-09-29 13:58 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-09-29 13:58 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-09-29 13:58 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-09-29 13:58 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-23 20:23 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-09-23 14:37 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-09-23 14:35 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2006-09-23 14:34 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-09-23 14:33 90,112 -ra------ C:\WINDOWS\system32\CNMCP79.exe
2006-09-23 14:33 8,704 --a------ C:\WINDOWS\system32\CNMVS79.DLL
2006-09-23 14:33 140,288 --------- C:\WINDOWS\system32\CNMLM79.DLL
2006-09-23 12:09 3 --a------ C:\config.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-01 12:01 -------- d-------- C:\Program Files\HijackThis
2006-10-01 07:39 -------- d-------- C:\Program Files\Windows Defender
2006-10-01 01:35 -------- d-------- C:\Documents and Settings\Rob\Application Data\Windows Live Safety Center
2006-09-30 22:00 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-09-30 20:16 -------- d-------- C:\Documents and Settings\Rob\Application Data\Ahead
2006-09-30 07:29 120 --a------ C:\Documents and Settings\Rob\Application Data\FixVTS.ini
2006-09-30 07:23 -------- d-------- C:\Program Files\DVD Shrink
2006-09-30 07:23 -------- d-------- C:\Program Files\DVD Decrypter
2006-09-30 07:17 -------- d-------- C:\Documents and Settings\Rob\Application Data\RipIt4Me
2006-09-30 07:16 -------- d-------- C:\Program Files\Bonusprint Pix
2006-09-30 07:16 -------- d-------- C:\Documents and Settings\Rob\Application Data\FotoWire
2006-09-26 21:27 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-23 14:40 -------- d-------- C:\Documents and Settings\Rob\Application Data\CD-LabelPrint
2006-09-23 14:32 -------- d-------- C:\Program Files\Canon
2006-09-18 21:07 -------- d-------- C:\Documents and Settings\Rob\Application Data\CyberLink
2006-09-18 11:55 -------- d-------- C:\Program Files\Photodex Presenter
2006-09-18 11:55 -------- d-------- C:\Documents and Settings\Rob\Application Data\Netscape
2006-09-18 11:55 -------- d-------- C:\Documents and Settings\Rob\Application Data\Mozilla
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-11 08:52 869 --a------ C:\Documents and Settings\Rob\Application Data\AdobeDLM.log
2006-08-11 08:52 0 --a------ C:\Documents and Settings\Rob\Application Data\dm.ini
2006-08-10 21:28 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 22:38 31304 --a------ C:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNRecode.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroVision.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroShowTime.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2006-07-14 14:51 108144 --a------ C:\WINDOWS\system32\GEARAspi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\\Windows\\RUNXMLPL.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LaunchAp"="C:\\Program Files\\Launch Manager\\LaunchAp.exe"
"PowerKey"="\"C:\\Program Files\\Launch Manager\\PowerKey.exe\""
"LManager"="C:\\Program Files\\Launch Manager\\HotkeyApp.exe"
"CtrlVol"="C:\\Program Files\\Launch Manager\\CtrlVol.exe"
"LMgrOSD"="C:\\Program Files\\Launch Manager\\OSDCtrl.exe"
"Wbutton"="\"C:\\Program Files\\Launch Manager\\Wbutton.exe\""
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AGRSMMSG"="AGRSMMSG.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"muwniyi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\muwniyi.dll,angxnhf"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"zlbcvon.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zlbcvon.dll,rgwxhjb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 03/10/2006 12:43:16.51
ComboFix.txt
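Added example (not from the thread, and not part of ComboFix): a Python script that takes the "Files Created" lines and the Winlogon Notify subkey names from the log above and correlates them. In this log the backups of pmkhi.dll are named with its stem reversed (ihkmp.bak1, ihkmp.bak2) and carry the hidden and system attributes, and the Notify subkey pmkhi shares the DLL's name; the script makes those links mechanically instead of by eye. The sample lines are copied from the log; the pairing rule, the attribute check and the function names are this example's own assumptions.

```python
"""Correlate reversed-name file pairs with Winlogon Notify subkeys.

Added example, not part of the original thread or of ComboFix. File
entries and Notify key names are copied from the ComboFix log above;
the pairing logic and names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: six lines from the "Files Created" section above.
FILES_CREATED = """\
2006-10-01 20:16 661,008 ---hs---- C:\\WINDOWS\\system32\\ihkmp.bak2
2006-10-01 12:27 93,696 --a------ C:\\WINDOWS\\system32\\zlbcvon.dll
2006-09-30 20:15 668,517 ---hs---- C:\\WINDOWS\\system32\\ihkmp.bak1
2006-09-30 20:14 577,588 ---hs---- C:\\WINDOWS\\system32\\pmkhi.dll
2006-09-30 20:09 94,208 --a------ C:\\WINDOWS\\system32\\muwniyi.dll
2006-09-29 13:58 8,704 --a------ C:\\WINDOWS\\system32\\kbdjpn.dll
"""

# Winlogon Notify subkeys listed under "Reg Loading Points" above.
NOTIFY_KEYS = ["pmkhi", "wintuh32"]

# "<date> <time> <size> <attrs> <path>"
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")


def parse_files(text):
    """Parse ComboFix file lines into dicts with name, stem, ext and attributes."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"].replace(",", ""))
        d["name"] = d["path"].rsplit("\\", 1)[-1]
        d["stem"], _, d["ext"] = d["name"].partition(".")
        # ComboFix prints attribute flags as letters; 'h' hidden, 's' system.
        d["hidden_system"] = "h" in d["attrs"] and "s" in d["attrs"]
        out.append(d)
    return out


def reversed_pairs(files):
    """Map each DLL to the files whose stem is that DLL's stem reversed."""
    by_stem = defaultdict(list)
    for f in files:
        by_stem[f["stem"].lower()].append(f["name"])
    pairs = {}
    for f in files:
        if f["ext"].lower() != "dll":
            continue
        stem = f["stem"].lower()
        rev = stem[::-1]
        if rev != stem and rev in by_stem:
            pairs[f["name"]] = sorted(by_stem[rev])
    return pairs


def notify_matches(files, notify_keys):
    """Winlogon Notify subkeys that share a name with a recently created DLL."""
    dll_stems = {f["stem"].lower() for f in files if f["ext"].lower() == "dll"}
    return sorted(k for k in notify_keys if k.lower() in dll_stems)


def hidden_system_files(files):
    """Recently created files carrying both hidden and system attributes."""
    return sorted(f["name"] for f in files if f["hidden_system"])


if __name__ == "__main__":
    files = parse_files(FILES_CREATED)
    print("reversed-name pairs:", reversed_pairs(files))
    print("Notify keys matching a new DLL:", notify_matches(files, NOTIFY_KEYS))
    print("hidden+system files:", hidden_system_files(files))
```

On the sample the only pair is pmkhi.dll with ihkmp.bak1 and ihkmp.bak2, pmkhi is the one Notify subkey that matches a freshly created DLL, and the three hidden+system files are exactly that trio. The second Notify subkey, wintuh32, has no matching file in this excerpt, so the script reports nothing about it; that is the correct behaviour, since the log alone does not say what it is.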

#4 Buckeye_Sam (Malware Expert)

Posted 03 October 2006 - 08:54 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new hijackthis log.

#5 wise_rob (Topic Starter)

Posted 03 October 2006 - 03:02 PM

Hi there, I downloaded the VundoFix and did the scan (two items found), however I can't work out how to find the log you refer to. Am I missing something?

I have printed the HijackThis report.

Thanks for all your help

Logfile of HijackThis v1.99.1
Scan saved at 20:58:59, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\ProShow Gold\ScsiAccess.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Arcade\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [muwniyi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muwniyi.dll,angxnhf
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [zlbcvon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zlbcvon.dll,rgwxhjb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E8A3661-FB5B-4AEF-BF60-B0E9712FAE49} (Silverwire Image Uploader 3.0 Control) - http://www.fotowire.com/download/client/up...geUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151584936078
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\ProShow Gold\ScsiAccess.exe

#6 wise_rob (Topic Starter)

Posted 03 October 2006 - 03:22 PM

Found it!
Thanks

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 20:47:15 03/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\byxxutq.dll
C:\WINDOWS\system32\yrvbivsq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxxutq.dll
C:\WINDOWS\system32\byxxutq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yrvbivsq.dll
C:\WINDOWS\system32\yrvbivsq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 20:55:11 03/10/2006

Listing files found while scanning....

No infected files were found.

#7 Buckeye_Sam (Malware Expert)

Posted 04 October 2006 - 05:34 AM

It doesn't look like Vundofix got them all.

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v pmkhi

When it's done running it will produce a log for you. Please post that log in your next reply.

#8 wise_rob

wise_rob
  • Topic Starter

  • Members
  • 10 posts

Posted 04 October 2006 - 11:54 AM

Hi, here it is. Thanks again.

Rob - 06-10-04 17:46:42.60 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Rob\desktop"
Command switches used :: /v pmkhi

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.tmp
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))


2006-10-03 20:39 86,036 --a------ C:\WINDOWS\system32\fhbygdfj.dll
2006-10-01 12:27 93,696 --a------ C:\WINDOWS\system32\zlbcvon.dll
2006-10-01 12:27 72,704 --a------ C:\WINDOWS\system32\yamgzxe.dll
2006-10-01 06:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-30 21:32 0 -rahs---- C:\MSDOS.SYS
2006-09-30 21:32 0 -rahs---- C:\IO.SYS
2006-09-30 20:15 143,380 --a------ C:\WINDOWS\system32\egmmftbi.exe
2006-09-30 20:09 94,208 --a------ C:\WINDOWS\system32\muwniyi.dll
2006-09-30 20:09 72,704 --a------ C:\WINDOWS\system32\qfnckpm.dll
2006-09-29 13:59 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-09-29 13:59 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-09-29 13:59 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-09-29 13:59 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-09-29 13:59 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-09-29 13:59 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-09-29 13:58 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-09-29 13:58 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2006-09-29 13:58 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-29 13:58 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-29 13:58 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2006-09-29 13:58 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-09-29 13:58 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-09-29 13:58 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-09-29 13:58 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-29 13:58 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-09-29 13:58 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-23 20:23 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-09-23 14:37 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-09-23 14:35 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2006-09-23 14:34 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-09-23 14:33 90,112 -ra------ C:\WINDOWS\system32\CNMCP79.exe
2006-09-23 14:33 8,704 --a------ C:\WINDOWS\system32\CNMVS79.DLL
2006-09-23 14:33 140,288 --------- C:\WINDOWS\system32\CNMLM79.DLL
2006-09-23 12:09 3 --a------ C:\config.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-01 12:01 -------- d-------- C:\Program Files\HijackThis
2006-10-01 07:39 -------- d-------- C:\Program Files\Windows Defender
2006-10-01 01:35 -------- d-------- C:\Documents and Settings\Rob\Application Data\Windows Live Safety Center
2006-09-30 22:00 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-09-30 20:16 -------- d-------- C:\Documents and Settings\Rob\Application Data\Ahead
2006-09-30 07:29 120 --a------ C:\Documents and Settings\Rob\Application Data\FixVTS.ini
2006-09-30 07:23 -------- d-------- C:\Program Files\DVD Shrink
2006-09-30 07:23 -------- d-------- C:\Program Files\DVD Decrypter
2006-09-30 07:17 -------- d-------- C:\Documents and Settings\Rob\Application Data\RipIt4Me
2006-09-30 07:16 -------- d-------- C:\Program Files\Bonusprint Pix
2006-09-30 07:16 -------- d-------- C:\Documents and Settings\Rob\Application Data\FotoWire
2006-09-26 21:27 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-23 14:40 -------- d-------- C:\Documents and Settings\Rob\Application Data\CD-LabelPrint
2006-09-23 14:32 -------- d-------- C:\Program Files\Canon
2006-09-18 21:07 -------- d-------- C:\Documents and Settings\Rob\Application Data\CyberLink
2006-09-18 11:55 -------- d-------- C:\Program Files\Photodex Presenter
2006-09-18 11:55 -------- d-------- C:\Documents and Settings\Rob\Application Data\Netscape
2006-09-18 11:55 -------- d-------- C:\Documents and Settings\Rob\Application Data\Mozilla
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-11 08:52 869 --a------ C:\Documents and Settings\Rob\Application Data\AdobeDLM.log
2006-08-11 08:52 0 --a------ C:\Documents and Settings\Rob\Application Data\dm.ini
2006-08-10 21:28 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 22:38 31304 --a------ C:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNRecode.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroVision.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroShowTime.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2006-07-14 14:51 108144 --a------ C:\WINDOWS\system32\GEARAspi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\\Windows\\RUNXMLPL.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LaunchAp"="C:\\Program Files\\Launch Manager\\LaunchAp.exe"
"PowerKey"="\"C:\\Program Files\\Launch Manager\\PowerKey.exe\""
"LManager"="C:\\Program Files\\Launch Manager\\HotkeyApp.exe"
"CtrlVol"="C:\\Program Files\\Launch Manager\\CtrlVol.exe"
"LMgrOSD"="C:\\Program Files\\Launch Manager\\OSDCtrl.exe"
"Wbutton"="\"C:\\Program Files\\Launch Manager\\Wbutton.exe\""
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AGRSMMSG"="AGRSMMSG.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"muwniyi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\muwniyi.dll,angxnhf"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"zlbcvon.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zlbcvon.dll,rgwxhjb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 04/10/2006 17:51:28.78
ComboFix2.txt
ComboFix.txt

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 October 2006 - 08:15 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\fhbygdfj.dll
    C:\WINDOWS\system32\zlbcvon.dll
    C:\WINDOWS\system32\yamgzxe.dll
    C:\WINDOWS\system32\egmmftbi.exe
    C:\WINDOWS\system32\muwniyi.dll
    C:\WINDOWS\system32\qfnckpm.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 wise_rob

wise_rob
  • Topic Starter

  • Members
  • 10 posts

Posted 05 October 2006 - 05:06 AM

Here are the logs.

Pocket Killbox version 2.0.0.881
Running on Windows XP as Rob(Administrator)
was started @ Thursday, October 05, 2006, 10:33 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\fhbygdfj.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\zlbcvon.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\yamgzxe.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\egmmftbi.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\muwniyi.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\qfnckpm.dll


I Rebooted @ 10:35:30 AM
Killbox Closed(Exit) @ 10:35:36 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Rob(Administrator)
was started @ Thursday, October 05, 2006, 11:03 AM


Incident Status Location

Adware:adware/dollarrevenue Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rob\Cookies\rob@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rob\Cookies\rob@mediaplex[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\byxxutq.dll.bad
Logfile of HijackThis v1.99.1
Scan saved at 11:04:45, on 05/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\ProShow Gold\ScsiAccess.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Arcade\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {30D759B8-DC43-B17F-173C-011DF117A158} - C:\WINDOWS\system32\yamgzxe.dll (file missing)
O2 - BHO: (no name) - {5025E90D-BB4C-8ACE-9CC8-0898F33567FD} - C:\WINDOWS\system32\qfnckpm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\fhbygdfj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [muwniyi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muwniyi.dll,angxnhf
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [zlbcvon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zlbcvon.dll,rgwxhjb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E8A3661-FB5B-4AEF-BF60-B0E9712FAE49} (Silverwire Image Uploader 3.0 Control) - http://www.fotowire.com/download/client/up...geUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151584936078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\ProShow Gold\ScsiAccess.exe

#12 wise_rob

wise_rob
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 05 October 2006 - 01:32 PM

Hi, I don't wish to tempt fate but all seems OK, apart from when I load Windows it opens with two run-time errors:

c:\windows\system32\zlbcvon.dll
and \muwniyi.dll

Any ideas how I get rid of this?

Thanks again

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:57 PM

Posted 05 October 2006 - 05:51 PM

Yeah, I can help you get rid of that. We just need to clean up your log a bit.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {30D759B8-DC43-B17F-173C-011DF117A158} - C:\WINDOWS\system32\yamgzxe.dll (file missing)
O2 - BHO: (no name) - {5025E90D-BB4C-8ACE-9CC8-0898F33567FD} - C:\WINDOWS\system32\qfnckpm.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\fhbygdfj.dll (file missing)
O4 - HKLM\..\Run: [muwniyi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muwniyi.dll,angxnhf
O4 - HKLM\..\Run: [zlbcvon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zlbcvon.dll,rgwxhjb
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)



Reboot and post one more hijackthis log.
Let me know how your computer is working now. Any problems or issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
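The entries the helper picked out above share a few recognisable traits: Run values whose name is the DLL filename itself and that load a system32 DLL through rundll32 with an obscure export, unnamed BHOs whose DLL is no longer on disk, and a Winlogon Notify package whose DLL is missing. The following Python script is an added example written for this thread (it is not part of HijackThis, the forum, or either poster's text); it parses log lines in the HijackThis format and applies those same heuristics so the selection logic is spelled out. The sample log is a constructed subset of the lines quoted in this thread plus a benign NVIDIA entry, and the regular expressions are this example's own assumptions about the line layout.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not a
tool from this thread or from HijackThis). The rules mirror the entries the
helper selected for "Fix Checked" above."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    line: str
    severity: str   # "high" = candidate for Fix Checked, "info" = harmless leftover
    reason: str

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 loading a DLL and calling a named export: "rundll32.exe X.dll,export"
RUNDLL_RE = re.compile(r"rundll32\.exe\s+\"?(?P<dll>[^\",]+\.dll)\"?,(?P<export>\w+)", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.+?),(?P<value>\w+) =\s*(?P<data>.*)$")

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.search(m["cmd"])
        if r:
            dll_file = r["dll"].replace("/", "\\").rsplit("\\", 1)[-1]
            in_system32 = "\\system32\\" in r["dll"].lower()
            # A Run value named after the DLL it loads, sitting in system32 and
            # invoked through rundll32 with an export, is the pattern flagged above.
            if in_system32 and m["name"].lower() == dll_file.lower():
                return Finding(line, "high",
                               "rundll32 loads a system32 DLL whose Run value name is the DLL filename")
        return None
    m = O2_RE.match(line)
    if m:
        if m["name"] == "(no name)" and "(file missing)" in m["path"]:
            return Finding(line, "high", "unnamed BHO whose DLL is missing on disk")
        return None
    m = O20_RE.match(line)
    if m:
        if "(file missing)" in m["path"]:
            return Finding(line, "high", "Winlogon Notify package whose DLL is missing on disk")
        return None
    m = R0_RE.match(line)
    if m and m["value"] == "LinksFolderName" and m["data"] == "":
        return Finding(line, "info", "empty LinksFolderName (harmless leftover, normally reset)")
    return None

def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]

def lines_to_fix(log_text: str) -> List[str]:
    """The raw lines a helper would tick for Fix Checked (severity 'high')."""
    return [f.line for f in triage(log_text) if f.severity == "high"]

# Constructed sample: lines quoted in this thread plus a benign NVIDIA entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {30D759B8-DC43-B17F-173C-011DF117A158} - C:\WINDOWS\system32\yamgzxe.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muwniyi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muwniyi.dll,angxnhf
O4 - HKLM\..\Run: [zlbcvon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zlbcvon.dll,rgwxhjb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Running the script lists the four "high" entries (the unnamed BHO, both rundll32 Run values and the missing Winlogon Notify DLL) and one "info" entry for the empty LinksFolderName; the NVIDIA, Messenger and WgaLogon lines pass because their Run value names differ from the DLL they load or their files are present. Heuristics like these are a starting point for a human review, not a substitute for it.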

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:57 PM

Posted 11 October 2006 - 07:13 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.



