Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Friend's Computer Seriously Infected.


  • This topic is locked This topic is locked
17 replies to this topic

#1 Professional

Professional

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 19 November 2006 - 01:59 AM

Hello,
My friend says that his computer is seriously infected and wanted to me post his HiJackThis Log and get it analyzed. Thank You un advance :thumbsup:

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:49:19 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX00.140\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e33.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e33.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e33.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcop.dll,startup
O4 - HKLM\..\Run: [gexemlc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gexemlc.dll,qlaklye
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX00.781\eMule0.47c\emule.exe -AutoStart
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - C:\WINDOWS\system32\cfltygd.dll (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks In Advance !! :flowers:
Posted Image

BC AdBot (Login to Remove)

 


m

#2 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 19 November 2006 - 07:02 AM

Hi Professional

Rename HijackThis.exe to HJT.exe

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Send:

- smitfraudfix report
- a fresh HijackThis log
Microsoft MVP Consumer Security
Posted Image

Posted Image

#3 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 22 November 2006 - 01:43 AM

Thanks Shaba,

Here's the new stuff:

Smitfraud:

SmitFraudFix v2.123

Scan done at 17:38:39.15, Wed 11/22/2006
Run from C:\Documents and Settings\Patrick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\drsmartload2.dat FOUND !
C:\WINDOWS\newname.dat FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Patrick


C:\Documents and Settings\Patrick\Application Data


Start Menu


C:\DOCUME~1\Patrick\FAVORI~1

C:\DOCUME~1\Patrick\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"

[HKEY_CLASSES_ROOT\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End





HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:11 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX00.828\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt7.dll
O2 - BHO: (no name) - {51EAAB85-9D2E-D6B1-56C1-0B60E314D8A8} - C:\WINDOWS\system32\qdscwab.dll
O2 - BHO: (no name) - {CFBD8C78-882A-482D-BD92-90A62C51D324} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\mljkjkk.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\tqqpplhu.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e33.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e33.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e33.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcop.dll,startup
O4 - HKLM\..\Run: [gexemlc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gexemlc.dll,qlaklye
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX00.781\eMule0.47c\emule.exe -AutoStart
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljkjkk - C:\WINDOWS\SYSTEM32\mljkjkk.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - C:\WINDOWS\system32\cfltygd.dll (file missing)
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Posted Image

#4 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 22 November 2006 - 03:40 AM

Hi

Uninstall via add/remove programs if present:

Ultimate Cleaner

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {51EAAB85-9D2E-D6B1-56C1-0B60E314D8A8} - C:\WINDOWS\system32\qdscwab.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\tqqpplhu.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcop.dll,startup
O4 - HKLM\..\Run: [gexemlc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gexemlc.dll,qlaklye
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)


Close all windows including browser and press fix checked.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Delete if present:

C:\WINDOWS\system32\qdscwab.dll
C:\WINDOWS\system32\drvcop.dll
C:\WINDOWS\system32\gexemlc.dll
C:\Program Files\Ultimate Cleaner

Empty Recycle Bin

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  • c:\rapport.txt
  • c:\vundofix.txt
  • Ewido log
  • A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.
Microsoft MVP Consumer Security
Posted Image

Posted Image

#5 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 28 November 2006 - 06:12 AM

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:14:36 PM 11/24/2006

Listing files found while scanning....

C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:17:49 PM 11/24/2006

Listing files found while scanning....

No infected files were found.

---------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.123

Scan done at 20:43:11.68, Fri 11/24/2006
Run from C:\Documents and Settings\Patrick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"

[HKEY_CLASSES_ROOT\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="C:\WINDOWS\system32\cfltygd.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\drsmartload2.dat Deleted
C:\WINDOWS\newname.dat Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\Patrick\FAVORI~1\Antivirus Test Online.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

---------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:03:14 AM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX42.703\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\tmbtnbok.dll
O2 - BHO: (no name) - {4026440F-0E47-43AB-AF0E-4EB9E572695E} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BDSwitchAgent] c:\program files\softwin\bitdefender8\bdswitch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

---------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:49:38 AM 11/25/2006

+ Scan result:



C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014718.dll -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014726.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014733.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014734.EXE -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014737.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014777.dll -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014783.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014789.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014790.EXE -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014793.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015036.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015043.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015044.EXE -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015047.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014740.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014796.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015050.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP274\A0037590.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP276\A0037710.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014804.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015030.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015058.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP174\A0015180.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP166\A0014856.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP166\A0014858.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP166\A0014859.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP166\A0014860.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP167\A0014872.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP167\A0014892.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP167\A0014895.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP167\A0014897.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP168\A0014901.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP168\A0014903.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP168\A0014908.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP168\A0014909.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP169\A0014995.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015008.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015014.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015021.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP173\A0015144.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP218\A0027296.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP255\A0030616.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP259\A0033055.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP269\A0035502.exe -> Adware.VirusBurst.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP260\A0033082.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP163\A0014728.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP164\A0014785.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP170\A0015038.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP259\A0033058.dll -> Downloader.Zlob.akg : Cleaned with backup (quarantined).


::Report end



Thanks, :thumbsup:
Posted Image

#6 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 28 November 2006 - 10:40 AM

Hi

Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Rename HijackThis.exe to HJT.exe

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\tmbtnbok.dll
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O4 - HKLM\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\App.exe" hide


Close all windows including browser and press fix checked.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes

    o C:\WINDOWS\system32\geedd.dll
    o C:\WINDOWS\system32\ddeeg.*
  • Click Add Files and Click Close Window
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]
Send:

- a fresh HijackThis log
- c:\vundofix.txt

Edited by Shaba, 28 November 2006 - 10:40 AM.

Microsoft MVP Consumer Security
Posted Image

Posted Image

#7 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 29 November 2006 - 04:38 AM

Thanks;

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:57 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Patrick\LOCALS~1\Temp\Rar$EX00.625\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\tmbtnbok.dll
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {975F87A0-0723-4225-A652-FC97FFBD81DB} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\mljkjkk.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



VundoFix:


VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:14:36 PM 11/24/2006

Listing files found while scanning....

C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.3

Scan started at 8:17:49 PM 11/24/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.3

Scan started at 5:48:07 PM 11/29/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
Posted Image

#8 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 29 November 2006 - 10:42 AM

Hi

Sorry to repeat myself, but...

You have HijackThis on temp folder and that's a very bad; there will be no backups if they're needed. That's why HijackThis must be on a permanent folder.

Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Rename HijackThis.exe to HJT.exe

After that, send a fresh HijackThis log.

Edited by Shaba, 29 November 2006 - 10:42 AM.

Microsoft MVP Consumer Security
Posted Image

Posted Image

#9 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 01 December 2006 - 04:05 PM

I told him to install it on C:\Program Files\HJT but I don't think he did, Heres a new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:01 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Patrick\Desktop\Stuff\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\tmbtnbok.dll
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {975F87A0-0723-4225-A652-FC97FFBD81DB} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\mljkjkk.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
Posted Image

#10 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 02 December 2006 - 05:05 AM

Hi

Well, HijackThis is now on its own folder, that's good enough for me :thumbsup:

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\tmbtnbok.dll
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {975F87A0-0723-4225-A652-FC97FFBD81DB} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\mljkjkk.dll (file missing)
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)


Close all windows including browser and press fix checked

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Send:

- a fresh HijackThis log
- kaspersky report

BTW, has your friend uninstalled F-secure? I asked this because I see no active antivirus running.
Microsoft MVP Consumer Security
Posted Image

Posted Image

#11 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 02 December 2006 - 04:41 PM

Hello Shaba,
I'll send him these latest instructions ASAP, about the F-Secure, I'll ask him, if he hasn't uninstalled it, would like me to ask him to uninstall and keep AVG? or keep using F-Secure? IF he has uninstalled it; I'll tell him to keep AVG Active and updated. :thubsup:
Posted Image

#12 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 03 December 2006 - 04:55 AM

Hi

Definitely keep using F-secure if possbile; AVG anti-spyware is no antivirus. If he has uninstalled F-secure, he must get another antivirus. There are lots of freebies, too (avast!, AntiVir and AVG).
Microsoft MVP Consumer Security
Posted Image

Posted Image

#13 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 04 December 2006 - 03:29 PM

Hello,
Okay unfortunately he uninstalled F-Secure so I asked him to download/install AVG Free Edition Antivirus and follow your steps, he'll reply soon.

Thanks Shaba :thumbsup:
Posted Image

#14 Professional

Professional
  • Topic Starter

  • Members
  • 280 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 11 December 2006 - 03:15 PM

Sorry for the delay, But I haven't had contact with him for a while, I have planned to meet him today, so I'll have the results back ASAP.

Thanks Shaba,
Posted Image

#15 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 PM

Posted 18 December 2006 - 12:49 PM

How's going Professional?
Microsoft MVP Consumer Security
Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users