Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ishost Etc. Popups And The Like


  • This topic is locked This topic is locked
20 replies to this topic

#1 Simooooo

Simooooo

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 07:36 AM

I've seen other threads about this infection but much of the help seemed to be specific to the individual which is why I thought I should make a new topic.

------
Logfile of HijackThis v1.99.1
Scan saved at 13:37:45, on 07/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Common Files\{C87C0E6F-05BB-2057-1107-02020711002c}\Update.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\ismini.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\NOTEPAD.EXE
D:\Fish\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" -random
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124492657781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
-------

SmitFraudFix v2.105

Scan done at 13:32:08.20, 07/10/2006
Run from C:\Documents and Settings\Simooooo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Simooooo


C:\Documents and Settings\Simooooo\Application Data


Start Menu


C:\DOCUME~1\Simooooo\FAVORI~1

C:\DOCUME~1\Simooooo\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

-----

I did a scan in Smitfraudfix as well as it seemed to be recommended in every thread but it says not to preceed with any fixing without expert help...

Thanks in advance!

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 08:15 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Let's continue...

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

It is strange that there are no 02's or 020's in the log.
A new infection is hiding these entries from a Hijackthis scan.
This means certain infections cannot be seen and are therefore hidden to the helper.
Go to this folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

David

#3 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 09:26 AM

SmitFraudFix v2.105

Scan done at 15:15:23.56, 07/10/2006
Run from C:\Documents and Settings\Simooooo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\DOCUME~1\Simooooo\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Safety Bar\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

------------

I renamed HijackThis to showme.exe as you said. When I load it up I click do scan and save log file. I'm guessing that's the right option. Anyway, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 15:23:56, on 07/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\{C87C0E6F-05BB-2057-1107-02020711002c}\Update.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\www.climateprediction.net\hadcm3trans_5.08_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BOINC\projects\www.climateprediction.net\hadcm3transum_5.08_windows_intelx86.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Fish\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {188E2248-C883-44CC-8D61-BCD70474977B} - C:\WINDOWS\System32\awvts.dll
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll
O2 - BHO: (no name) - {44FB2CA0-353C-6704-BAB5-0B6317D38C17} - C:\WINDOWS\System32\kmmsgph.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\wmxoaaib.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" -random
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124492657781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvts - C:\WINDOWS\System32\awvts.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--------------

Am I fixed?

One other thing, I installed the Kerio firewall after reading about it on this site. It seems to be working fine but every couple of minutes a screen flashes up saying that winlogon.exe has been blocked by the firewall. Why is this?

Also, my AVG virus scan just flashed up that it foudn another virus while I was typing this reply. It was located here:
C:\Program Files\InetGet\wni2.exe
I'm not sure if this is related to the isnotify thing but it seems to be detecting quite a few trojans since yesterday when I contracted the isnotify one.

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 09:28 AM

Hey Simooooo,

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\Program Files\InetGet\wni2.exe

Then click the Send File button below.
Please let me know when you have submitted the file.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

David

#5 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 10:15 AM

VundoFix V6.2.0

Checking Java version...

Java version is 1.4.2.2

Java version is 1.5.0.9

Scan started at 15:59:38 07/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\gleuiout.exe
C:\WINDOWS\System32\awvts.dll
C:\WINDOWS\System32\stvwa.ini
C:\WINDOWS\System32\stvwa.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gleuiout.exe
C:\WINDOWS\system32\gleuiout.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\awvts.dll
C:\WINDOWS\System32\awvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\stvwa.ini
C:\WINDOWS\System32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\stvwa.bak1
C:\WINDOWS\System32\stvwa.bak1 Has been deleted!

Performing Repairs to the registry.
Done!


------------------

I uploaded that file. There's quite a few trojans in my AVG Virus Vault and most of them seem to be located in C:\Documents and Settings\Simooooo\Local Settings\Temporary Internet Files\Content.IE5\ and then some random file in there. However, when I try to go to that folder it doesn't seem to be there even though I've got it set to display hidden folders. What's stranger is that the first thing I did when I got this malware thing was delete all my temporary internet files in IE and Firefox.

Oh, that winlogon.exe thing is still appearing.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 11:00 AM

Can you temporarily disable the Kerio firewall and try and upload that file again please.

#7 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 11:08 AM

Done.

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 11:26 AM

Hey Simooooo,

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Are you able to find this file:
C:\Program Files\InetGet\wni2.exe

If so, when you right click on it and select properties,
How large size-wise does it say the file is?
Can you send it to: blyghtondj (at) aol.com please.

The reason I ask to see this file is because it looks like a new variant.
We need to get our tools updated so we can remove this infection.
Please let me know what you find...

#9 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 11:38 AM

I can't email it to you because it's an executable and winrar won't let my archive it. It's 278kb. To be honest, I don't think it can be a new variable if my AVG scanner is picking it up and defining it as a trojan.

AVG is still finding viruses in C:\Documents and Settings\Simooooo\Local Settings\Temporary Internet Files\Content.IE5\. I've had the folder options set to view all hidden folders and show extensions since I installed Windows so that isn't the problem. However, I can't see that folder and so can't delete the stuff there.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 11:54 AM

The reason AVG is finding it is probably due to its heuristic detection techniques.

Ok, please find and delete this folder now:
C:\Program Files\InetGet\

We've got a lot more things to do, but I want to see a new Hijackthis log first.
David

#11 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 11:57 AM

Ok I deleted that folder. Here's a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:59:49, on 07/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\{C87C0E6F-05BB-2057-1107-02020711002c}\Update.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Fish\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {188E2248-C883-44CC-8D61-BCD70474977B} - C:\WINDOWS\System32\awvts.dll (file missing)
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll
O2 - BHO: (no name) - {44FB2CA0-353C-6704-BAB5-0B6317D38C17} - C:\WINDOWS\System32\kmmsgph.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\wmxoaaib.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" -random
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124492657781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 12:03 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {188E2248-C883-44CC-8D61-BCD70474977B} - C:\WINDOWS\System32\awvts.dll (file missing)
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll
O2 - BHO: (no name) - {44FB2CA0-353C-6704-BAB5-0B6317D38C17} - C:\WINDOWS\System32\kmmsgph.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\wmxoaaib.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winjyg32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 12:05 PM

Also, please do a search on your PC for winlogon.exe.
Let me know where the files are found, and their exact pathnames.
You should have a legitimate on in your system32 folder, anywhere else tends to be bad.
When Kerio alerts you does it give you any more details?
Can you be exact as possible please...

#14 Simooooo

Simooooo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 07 October 2006 - 12:27 PM

Simooooo - 06-10-07 18:20:29.26 Service Pack 1
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Simooooo\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{387C0E6F-05BB-2057-1107-02020711002c}
C:\Program Files\Common Files\{C87C0E6F-05BB-2057-1107-02020711002c}


((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))


2006-10-07 13:31 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-07 13:31 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-07 13:31 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-07 13:31 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-07 01:37 94,208 --a------ C:\WINDOWS\system32\ikrfind.dll
2006-10-07 01:37 72,704 --a------ C:\WINDOWS\system32\ksrpmje.dll
2006-10-06 18:32 86,036 --a------ C:\WINDOWS\system32\wmxoaaib.dll
2006-10-06 18:20 94,208 --a------ C:\WINDOWS\system32\epqazeh.dll
2006-10-06 18:20 72,704 --a------ C:\WINDOWS\system32\kmmsgph.dll
2006-10-06 18:20 40,973 ---hs---- C:\WINDOWS\system32\gebbabx.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-07 18:22 -------- d-------- C:\Program Files\Common Files
2006-10-07 18:18 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-07 18:18 -------- d-------- C:\Program Files\BOINC
2006-10-07 17:46 -------- d-------- C:\Program Files\Ad-Aware SE Personal
2006-10-07 17:46 -------- d-------- C:\Documents and Settings\Simooooo\Application Data\Lavasoft
2006-10-07 14:02 -------- d-------- C:\Program Files\Java
2006-10-07 14:01 -------- d-------- C:\Program Files\Common Files\Java
2006-10-07 13:55 -------- d-------- C:\Program Files\Sunbelt Software
2006-10-07 13:25 -------- d-------- C:\Program Files\Outlook Express
2006-10-07 13:25 -------- d-------- C:\Program Files\Common Files\System
2006-10-07 01:57 -------- d-------- C:\Program Files\VSToolbar
2006-10-06 18:34 -------- d-------- C:\Program Files\AVG
2006-10-06 18:32 -------- d-------- C:\Documents and Settings\Simooooo\Application Data\SearchToolbarCorp
2006-10-06 13:49 -------- d-------- C:\Program Files\Freewire Television
2006-10-05 17:03 -------- d-------- C:\Program Files\ladbrokesMPP
2006-10-05 14:54 -------- d-------- C:\Documents and Settings\Simooooo\Application Data\Microgaming
2006-10-03 20:54 -------- d-------- C:\Documents and Settings\Simooooo\Application Data\U3
2006-10-01 17:02 -------- d-------- C:\Program Files\Samsung PC Studio 3
2006-10-01 14:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-13 23:53 -------- d-------- C:\Program Files\Winamp
2006-09-13 22:38 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-09-06 17:51 -------- d-------- C:\Program Files\Kali95
2006-08-26 16:35 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-14 15:47 -------- d---s---- C:\Documents and Settings\Simooooo\Application Data\Microsoft
2006-08-11 18:55 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-11 18:55 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-21 09:30 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-13 09:50 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logon Loader Random"="\"C:\\Program Files\\Logon Loader\\LogonLoader.exe\" -random"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"DAEMON Tools-1033"="\"C:\\Program Files\\Daemon Tools\\daemon.exe\" -lang 1033"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\AVG\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoRecentDocsMenu"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoRecentDocsNetHood"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"NoDriveAutoRun"=hex:10,00,00,00
"NoNetworkConnections"=hex:01,00,00,00
"NoDriveTypeAutoRun"=dword:000000b5
"NoCDBurning"=dword:00000001
"NoSharedDocuments"=dword:00000001
"NoDesktopCleanupWizard"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"wuauserv"=dword:00000002
"ERSvc"=dword:00000002
"RSVP"=dword:00000003
"Messenger"=dword:00000002
"PolicyAgent"=dword:00000002
"TrkWks"=dword:00000002
"W32Time"=dword:00000002
"Schedule"=dword:00000002
"seclogon"=dword:00000002
"FastUserSwitchingCompatibility"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061007-181426-660
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
backup-20061007-181426-247
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\wmxoaaib.dll
backup-20061007-181426-461
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20061007-181426-194
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
backup-20061007-181426-839
O2 - BHO: (no name) - {44FB2CA0-353C-6704-BAB5-0B6317D38C17} - C:\WINDOWS\System32\kmmsgph.dll
backup-20061007-181426-851
O2 - BHO: (no name) - {4472E2B2-FB44-FBD4-2A58-0101EBECF47E} - C:\WINDOWS\System32\ksrpmje.dll
backup-20061007-181426-154
O2 - BHO: (no name) - {188E2248-C883-44CC-8D61-BCD70474977B} - C:\WINDOWS\System32\awvts.dll (file missing)

Completion time: 07/10/2006 18:23:03.76
ComboFix.txt

---------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:25:12, on 07/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Fish\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" -random
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124492657781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

---------

I did a search for winlogon.exe and it only found the one in the system32 folder. However, I checked what my firewall was saying for some more detail and this is what it says:
Process \??\C:WINDOWS\system32\winlogon.exe injected a dangerous code into C:\Program Files\Mozilla Firefox\firefox.exe

The firewall hasn't come up with the winlogon.exe warning for probably an hour now but I've been doing a lot of reboots so that might be why.

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:06 AM

Posted 07 October 2006 - 01:03 PM

Hey there,

There are quite a few .dll's that I need to check out in your system32 folder.
I want to get the system cleaned up first, before addressing the firewall error,
It might be that some of the malware present that we have removed was causing it.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\ikrfind.dll
C:\WINDOWS\system32\ksrpmje.dll
C:\WINDOWS\system32\wmxoaaib.dll
C:\WINDOWS\system32\epqazeh.dll
C:\WINDOWS\system32\kmmsgph.dll
C:\WINDOWS\system32\gebbabx.dll


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users