
Deluxecommunication, Smitfraud, Bcyef193 & Others.


  • This topic is locked
17 replies to this topic

#1 Ricanna

Ricanna

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:06 PM

Posted 14 December 2006 - 10:08 AM

Hi, I came across this website whilst looking up some of the names of the viruses I have coming up, and this site was the best I have looked at in terms of assistance.

I've just about exhausted the preparation guide you have on the tutorials, but was not able to completely get rid of everything. I don't know how bad it really is, but the computer runs pretty slow, always needs to restart, and I get this annoying pop-up wanting to connect to the internet called "w08fb42.dll". Could not find info on this anywhere. Desperately need help. HijackThis log below.

Cheers,

Richard

Logfile of HijackThis v1.99.1
Scan saved at 2:01:00 AM, on 12/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\msasvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\dmrproc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\S3tray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\djjnakmA.exe
C:\WINNT\system32\salvage.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bycef193] RUNDLL32.EXE w08f42ba.dll,n 006ef18d0000000a08f42ba
O4 - HKLM\..\Run: [djjnakmA] C:\WINNT\djjnakmA.exe
O4 - HKLM\..\Run: [msvcc25] salvage.exe
O4 - HKLM\..\Run: [mysvcig38] recsl.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\RunServices: [msvcc25] salvage.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [mysvcig38] recsl.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_315726] C:\Program Files\Panda Software\Panda Antivirus 2007\pavdr.exe 315726
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Ricanna\LOCALS~1\Temp\33584.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153906012348
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159169940384
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: PIcnFbOFqChUQ - {7CF38380-D659-292A-F3C8-DF00880FC492} - C:\WINNT\system32\zzo.dll (file missing)
O23 - Service: 82210 - Unknown owner - \\58.106.154.241\Admin$\eraseme_82706.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Pr0tected St0rage (Pr0tectedSt0rage) - Unknown owner - C:\WINNT\system\lsass.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINNT\dmrproc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe (file missing)


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 14 December 2006 - 04:40 PM

Hello Ricanna, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:06 PM

Posted 15 December 2006 - 04:21 AM

It won't let me save it. HijackThis just shuts without warning. Tried it in safe mode and the same thing. Can't find the name of the uninstall_list file anywhere so it hasn't saved it on shutting.

Richard

#4 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:06 PM

Posted 15 December 2006 - 06:27 AM

I didn't mention it in my last post, but thanks a lot for your help. I appreciate the help you're giving.
I'll try and be as quick to respond as I can. It'll be good to see this through.

Cheers,

Richard

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 15 December 2006 - 02:45 PM

Hello Ricanna,
Using My Computer/Windows Explorer, navigate to where you have HJT saved.
Right click on the hijackthis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Visit this site:
http://billsway.com/vbspage/
Scroll down to the section that says "List Installed Programs" and download it using the download icon shown there.
Save it to your Desktop, then right-click and select Extract all.
A folder should open, double click on the file inside called InstalledPrograms.vbs.
Press OK at the prompt, then Yes to view the results.
A text file will open, copy and paste this in your next reply along with a new Hijackthis log.
Thanks,
Charles



#6 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:06 PM

Posted 15 December 2006 - 05:32 PM

Here are the 2 logs. I've attached the "fluffybunny" log just in case you still want it.

Cheers,

Richard

"fluffybunny" uninstall_list.txt log below

ACDSee Classic
ACDSee Classic
Ad-Aware SE Personal
Adobe Photoshop 7.0.1
Adobe Photoshop Elements
Adobe Reader 6.0.1
Adobe SVG Viewer
Canon Utilities PhotoStitch 3.1
ccCommon
CCleaner (remove only)
DeluxeCommunications
DirectX 9 Hotfix - KB839643
e-tax 2004
e-tax 2004 - Documents
e-tax 2005
e-tax 2006
e-tax 2006 - FTB Module
FinePixViewer Ver.4.1
FUJIFILM USB Driver
HijackThis 1.99.1
Hotfix for MDAC 2.53 (KB911562)
hp instant support
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series Drivers
hp psc 2100 series
Image Web Server 7.0 IE Plugins (Build:3,1,0,230)
ImageMixer VCD2 for FinePix
Iomega DVD wizard
Iomega HotBurn Pro
ipac Smart Money Guide 1.0
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Office XP Professional
MSXML4 Parser
NETGEAR Print Server Utility
Norton Internet Security
OptusNet DSL
Panda Antivirus 2007
PowerDVD
RAW FILE CONVERTER LE
Readiris 7.5
S3 Gamma Utility
S3DuoView+ Utility
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Siemens Subscriber Networks SpeedStream DSL
Spybot - Search & Destroy 1.4
Windows 2000 Hotfix - KB820888
Windows 2000 Hotfix - KB822831
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB829558
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix (SP5) Q818043
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip


VBS List Installed Programs log below:

INSTALLED SOFTWARE (110) - LAPTOP - 12/16/2006 9:19:37 AM

ACDSee Classic
ACDSee Classic Ver: 2.0.44 Installed: 2/14/2004
Ad-Aware SE Personal Ver: 1.06
Adobe Photoshop 7.0.1 Ver: 7.0.1
Adobe Photoshop Elements Ver: 1.0
Adobe Reader 6.0.1 Ver: 006.000.001 Installed: 3/22/2004
Adobe SVG Viewer Ver: 1.0
Canon Utilities PhotoStitch 3.1 Ver: 3.1.10 Installed: 6/25/2004
ccCommon Ver: 103.0.2.10 Installed: 10/16/2006
CCleaner (remove only)
DeluxeCommunications
DirectX 9 Hotfix - KB839643
e-tax 2004
e-tax 2004 - Documents
e-tax 2005
e-tax 2006
e-tax 2006 - FTB Module
FinePixViewer Ver.4.1
FUJIFILM USB Driver
HijackThis 1.99.1 Ver: 1.99.1
Hotfix for MDAC 2.53 (KB911562) Ver: 1 Installed: 10/6/2006
hp instant support Ver: 4.03.03
HP Photo and Imaging 1.0 - PSC 2000 Series
HP Photo and Imaging 1.0 - PSC 2000 Series Ver: 1.00.0000 Installed: 3/25/2006
HP Photo and Imaging 1.0 - PSC 2000 Series Drivers Ver: 1.00.0000 Installed: 3/25/2006
hp psc 2100 series
Image Web Server 7.0 IE Plugins (Build:3,1,0,230)
ImageMixer VCD2 for FinePix
Internet Explorer Exception pack
Iomega DVD wizard
Iomega HotBurn Pro
ipac Smart Money Guide 1.0 Ver: 1.0
LiveUpdate 2.5 (Symantec Corporation) Ver: 2.5.55.0
Macromedia Flash Player 8 Ver: 8
Microsoft Data Access Components KB870669
Microsoft Office XP Professional Ver: 10.0.4330.0 Installed: 1/24/2004
MSXML4 Parser Ver: 1.0.0 Installed: 12/10/2006
NETGEAR Print Server Utility
Norton Internet Security Ver: 8.0.0.64 Installed: 10/16/2006
OptusNet DSL
Panda Antivirus 2007 Ver: 2.00.03 Installed: 12/14/2006
PhotoStitch Ver: 3.1.10 Installed: 6/25/2004
PowerDVD
RAW FILE CONVERTER LE
Readiris 7.5
S3 Gamma Utility
S3DuoView+ Utility
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564) Installed: 10/6/2006
Security Update for Windows Media Player 9 (KB917734) Installed: 10/6/2006
Siemens Subscriber Networks SpeedStream DSL
Spybot - Search & Destroy 1.4 Ver: 1.4
WebFldrs Ver: 9.00.3907 Installed: 1/23/2004
Windows 2000 Hotfix (SP5) Q818043 Ver: 20030501.174006
Windows 2000 Hotfix - KB820888 Ver: 20030604.152521
Windows 2000 Hotfix - KB822831 Ver: 20030611.114034
Windows 2000 Hotfix - KB823182 Ver: 20030618.121409
Windows 2000 Hotfix - KB823559 Ver: 20030627.135515
Windows 2000 Hotfix - KB824105 Ver: 20030716.151320
Windows 2000 Hotfix - KB824141 Ver: 20030805.151423
Windows 2000 Hotfix - KB824146 Ver: 20030823.144456
Windows 2000 Hotfix - KB825119 Ver: 20030827.151123
Windows 2000 Hotfix - KB826232 Ver: 20031007.160553
Windows 2000 Hotfix - KB828035 Ver: 20031023.142138
Windows 2000 Hotfix - KB828749 Ver: 20031023.124056
Windows 2000 Hotfix - KB829558 Ver: 20030929.142857
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046 Ver: 20050517.235025
Windows 2000 Hotfix - KB893756 Ver: 20050702.42421
Windows 2000 Hotfix - KB896358 Ver: 20050421.70926
Windows 2000 Hotfix - KB896422 Ver: 20050503.23608
Windows 2000 Hotfix - KB896423 Ver: 20050713.01536
Windows 2000 Hotfix - KB896424 Ver: 20051007.114600
Windows 2000 Hotfix - KB899587 Ver: 20050614.212757
Windows 2000 Hotfix - KB899589 Ver: 20050822.21016
Windows 2000 Hotfix - KB900725 Ver: 20050923.34708
Windows 2000 Hotfix - KB901017 Ver: 20050830.22150
Windows 2000 Hotfix - KB901214 Ver: 20050629.02152
Windows 2000 Hotfix - KB905414 Ver: 20050816.13004
Windows 2000 Hotfix - KB905495 Ver: 20050805.184113
Windows 2000 Hotfix - KB905749 Ver: 20050902.21643
Windows 2000 Hotfix - KB908519 Ver: 20051124.165020 Installed: 10/6/2006
Windows 2000 Hotfix - KB908531 Ver: 20060421.150136 Installed: 10/6/2006
Windows 2000 Hotfix - KB911280 Ver: 20060621.174320 Installed: 10/6/2006
Windows 2000 Hotfix - KB911567 Ver: 20060316.165634 Installed: 10/6/2006
Windows 2000 Hotfix - KB912919 Ver: 20060103.111025 Installed: 10/6/2006
Windows 2000 Hotfix - KB913580 Ver: 20060423.131341 Installed: 10/6/2006
Windows 2000 Hotfix - KB914388 Ver: 20060519.144359 Installed: 10/6/2006
Windows 2000 Hotfix - KB914389 Ver: 20060531.135859 Installed: 10/6/2006
Windows 2000 Hotfix - KB917008 Ver: 20060725.103752 Installed: 10/6/2006
Windows 2000 Hotfix - KB917159 Ver: 20060420.232509 Installed: 10/6/2006
Windows 2000 Hotfix - KB917422 Ver: 20060621.121747 Installed: 10/6/2006
Windows 2000 Hotfix - KB917736 Ver: 20060413.104300 Installed: 10/6/2006
Windows 2000 Hotfix - KB917953 Ver: 20060425.201939 Installed: 10/6/2006
Windows 2000 Hotfix - KB918899 Ver: 20060725.123917 Installed: 10/6/2006
Windows 2000 Hotfix - KB920670 Ver: 20060721.203510 Installed: 10/6/2006
Windows 2000 Hotfix - KB920683 Ver: 20060706.171055 Installed: 10/6/2006
Windows 2000 Hotfix - KB920685 Ver: 20060627.135709 Installed: 10/6/2006
Windows 2000 Hotfix - KB920958 Ver: 20060913.131703 Installed: 10/6/2006
Windows 2000 Hotfix - KB921398 Ver: 20060713.123515 Installed: 10/6/2006
Windows 2000 Hotfix - KB921883 Ver: 20060714.192118 Installed: 10/6/2006
Windows 2000 Hotfix - KB922616 Ver: 20060717.115159 Installed: 10/6/2006
Windows 2000 Hotfix - KB923191 Ver: 20060828.162944 Installed: 10/15/2006
Windows 2000 Hotfix - KB923414 Ver: 20060811.202216 Installed: 10/15/2006
Windows 2000 Hotfix - KB924191 Ver: 20060915.123522 Installed: 10/15/2006
Windows 2000 Hotfix - KB925486 Ver: 20060918.120000 Installed: 10/6/2006
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip Ver: 9.0 BETA (6007)

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 16 December 2006 - 06:34 AM

Can I have a HijackThis log too, please?



#8 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:06 PM

Posted 16 December 2006 - 05:55 PM

HijackThis log

Cheers,

Richard

Logfile of HijackThis v1.99.1
Scan saved at 9:50:05 AM, on 12/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\msasvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\dmrproc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\S3tray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\djjnakmA.exe
C:\WINNT\system32\salvage.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
O2 - BHO: (no name) - {02447900-91BB-498A-8CC5-3A7559485A97} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22FD0654-A9EE-4E71-BDB1-9849E53F3E0D} - (no file)
O2 - BHO: (no name) - {27E61C9A-315C-47ED-9DD7-7174AC74C2F0} - (no file)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {426FDF01-80ED-C85E-2B1E-091B9DF39978} - C:\WINNT\system32\pxfwuxh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {599E9ACA-4188-49FA-A710-F082E633BB22} - (no file)
O2 - BHO: (no name) - {625964A7-AEAD-7468-9988-04F8A44A57A0} - C:\WINNT\system32\jaxbtjh.dll
O2 - BHO: (no name) - {717B0F8B-321D-4733-A675-F30552C03592} - (no file)
O2 - BHO: (no name) - {89C76EA9-A24B-4492-89BD-FE7D8E948453} - C:\WINNT\system32\xxwuu.dll
O2 - BHO: (no name) - {9BA50FCB-1C40-4841-9693-8965B59382FE} - (no file)
O2 - BHO: (no name) - {DF6C3B6E-E149-4362-BA8A-CF4C76F69714} - (no file)
O2 - BHO: (no name) - {E372382C-1D40-4C92-915A-1FE60945723A} - (no file)
O2 - BHO: (no name) - {EC1DCE56-A82B-48EE-83AC-B3AED916E988} - (no file)
O2 - BHO: (no name) - {F22656E2-02AA-43A9-BED5-0331CDFD72D0} - C:\WINNT\system32\vturqon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bycef193] RUNDLL32.EXE w08f42ba.dll,n 006ef18d0000000a08f42ba
O4 - HKLM\..\Run: [djjnakmA] C:\WINNT\djjnakmA.exe
O4 - HKLM\..\Run: [msvcc25] salvage.exe
O4 - HKLM\..\Run: [mysvcig38] recsl.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\RunServices: [msvcc25] salvage.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [mysvcig38] recsl.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_315726] C:\Program Files\Panda Software\Panda Antivirus 2007\pavdr.exe 315726
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Ricanna\LOCALS~1\Temp\33584.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153906012348
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159169940384
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\
O20 - Winlogon Notify: vturqon - C:\WINNT\SYSTEM32\vturqon.dll
O20 - Winlogon Notify: winsys2freg - C:\WINNT\
O20 - Winlogon Notify: xxwuu - C:\WINNT\system32\xxwuu.dll
O21 - SSODL: PIcnFbOFqChUQ - {7CF38380-D659-292A-F3C8-DF00880FC492} - C:\WINNT\system32\zzo.dll (file missing)
O23 - Service: 82210 - Unknown owner - \\58.106.154.241\Admin$\eraseme_82706.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Pr0tected St0rage (Pr0tectedSt0rage) - Unknown owner - C:\WINNT\system\lsass.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINNT\dmrproc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe (file missing)

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 17 December 2006 - 12:50 PM

Hey Ricanna,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.

I'm afraid I have some bad news concerning your computer: one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Panda or Norton.

Please disable Spybot S&D TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check Yes to next window.
Click on Tools in bottom left hand corner.
Press on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

======

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

DeluxeCommunications

Download Combofix to your desktop.
Double click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please download VundoFix.exe to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please post me back the VundoFix report, ComboFix log, along with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#10 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 18 December 2006 - 09:23 AM

Hi Charles,

Logs are provided below.

I may not respond for a few days as I'm driving south to Tasmania for a holiday. But once there (I'm visiting my sister) I'll get back on it. Hopefully by Friday EAST.

Thanks for the info on the seriousness of the trojan. I suspected as much and have not used the internet on the infected computer since it happened (I sort of realised as it occurred all of a sudden). I'm actually sending all this via my desktop.

Cheers,

Richard




Combofix Log

Ricanna - Tue 12/19/2006 0:23:07.98 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Ricanna\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\dxclib303562752.dll
C:\Documents and Settings\Ricanna\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\dxclib303562752.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar_e55.exe
C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))


2006-12-15 01:47 <DIR> d-------- C:\FOUND.002
2006-12-15 01:36 <DIR> d-------- C:\Program Files\HijackThis
2006-12-14 23:24 40,973 ---hs---- C:\WINNT\system32\opnkkjj.dll
2006-12-14 23:21 77,757 --a------ C:\WINNT\system32\salvage.exe
2006-12-14 23:11 40,973 ---hs---- C:\WINNT\system32\cbxyayv.dll
2006-12-14 23:10 0 --a------ C:\WINNT\system32\recsl.exe
2006-12-14 23:03 <DIR> d-------- C:\WINNT\system32\PAV
2006-12-14 23:02 70,656 --a------ C:\WINNT\system32\drivers\PAVDRV50.SYS
2006-12-14 23:02 45,056 --a------ C:\WINNT\system32\avldr.dll
2006-12-14 22:58 <DIR> d-------- C:\Program Files\Panda Software
2006-12-14 21:56 <DIR> d-------- C:\FOUND.001
2006-12-13 23:38 <DIR> d-------- C:\FOUND.000
2006-12-13 23:03 418 ---hs---- C:\WINNT\system32\uuwxx.ini2
2006-12-13 22:55 <DIR> d-------- C:\Documents and Settings\Ricanna\Application Data\Lavasoft
2006-12-13 22:54 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-13 22:39 <DIR> d-------- C:\Downloads
2006-12-13 22:15 <DIR> d-------- C:\Program Files\CCleaner
2006-12-13 21:59 <DIR> d--hs---- C:\Config.Msi
2006-12-07 22:08 40,973 ---hs---- C:\WINNT\system32\fccyxvs.dll
2006-12-07 22:07 41,520 --a------ C:\WINNT\system32\_zsk_zlu_zlope03IO[L[IBCWHXHZ]GX.exe
2006-12-07 21:53 1,941 --a------ C:\ciyjob.exe
2006-12-07 21:52 73,728 --a------ C:\WINNT\system32\install.exe
2006-12-07 21:51 40,973 ---hs---- C:\WINNT\system32\vturqon.dll
2006-12-07 21:48 41,520 --a------ C:\WINNT\system32\dxvwwzlr.exe
2006-12-07 20:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-07 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-06 21:57 <DIR> d-------- C:\Program Files\Norton Internet Security
2006-12-04 20:48 <DIR> d-------- C:\Documents and Settings\Ricanna\Application Data\Apple Computer
2006-12-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-22 19:37 41,520 --a------ C:\WINNT\system32\_zsk_zlu_zlope03P]`CGAQH]XNVXRX_.exe
2006-11-22 19:36 692,276 ---hs---- C:\WINNT\system32\xxwuu.dll
2006-11-22 18:48 75,776 --a------ C:\arwjwo.exe
2006-11-22 18:48 40,973 ---hs---- C:\WINNT\system32\gebxyww.dll
2006-11-22 18:47 94,720 -r-hs---- C:\WINNT\dmrproc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-14 23:34 137662 --a------ C:\pro3_install.exe
2006-12-14 23:27 3584 --a------ C:\WINNT\system32\msasvc.exe
2006-12-07 22:07 41520 --a------ C:\WINNT\system32\_zsk_zlu_zlope03IO[L[IBCWHXHZ]GX.exe
2006-12-07 21:48 15927 --a------ C:\WINNT\system32\w.exe
2006-11-22 19:36 41520 --a------ C:\WINNT\system32\_zsk_zlu_zlope03P]`CGAQH]XNVXRX_.exe
2006-11-12 19:35 692276 ---hs---- C:\WINNT\system32\geefg.dll
2006-11-12 18:57 692276 ---hs---- C:\WINNT\system32\pmnkh.dll
2006-11-12 18:56 430080 --a------ C:\windows_e55.exe
2006-11-12 18:53 32768 --a------ C:\mc44a55.exe
2006-11-12 18:50 74240 --a------ C:\ckivc.exe
2006-11-12 18:49 40973 ---hs---- C:\WINNT\system32\gebcaya.dll
2006-11-12 16:49 41520 --a------ C:\WINNT\system32\dxvwquzp.exe
2006-11-11 14:31 94720 -r-hs---- C:\WINNT\winmgr.exe
2006-10-21 08:30 160768 --a------ C:\WINNT\system32\mtrq.dll
2006-10-16 18:41 95232 --a------ C:\WINNT\system32\jaxbtjh.dll
2006-10-16 18:41 72704 --a------ C:\WINNT\system32\pxfwuxh.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"_zlu_zlope04"="c:\\winnt\\system32\\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe"
"_mzu_stonedrv3"="c:\\winnt\\system32\\_mzu_stonedrv3.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"S3TRAY"="S3tray.exe"
"Drag'n'Drop_Autolaunch"="\"C:\\Program Files\\Iomega HotBurn Pro\\Autolaunch.exe\""
"SetupType"="Portable"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Desktop Service Centre"="C:\\Program Files\\OptusNet DSL Internet\\DSC.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"bycef193"="RUNDLL32.EXE w08f42ba.dll,n 006ef18d0000000a08f42ba"
"djjnakmA"="C:\\WINNT\\djjnakmA.exe"
"msvcc25"="salvage.exe"
"mysvcig38"="recsl.exe"
"_zlu_zlope04"="c:\\winnt\\system32\\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"_mzu_stonedrv3"="c:\\winnt\\system32\\_mzu_stonedrv3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Panda_cleaner_315726"="C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\pavdr.exe 315726"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_zlu_zlope04"="c:\\winnt\\system32\\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe"
"msvcc25"="salvage.exe"
"_mzu_stonedrv3"="c:\\winnt\\system32\\_mzu_stonedrv3.exe"
"mysvcig38"="recsl.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F22656E2-02AA-43A9-BED5-0331CDFD72D0}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"PIcnFbOFqChUQ"="{7CF38380-D659-292A-F3C8-DF00880FC492}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwuu

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1143291570.job

Completion time: Tue 2006-12-19 0:32:53.69
C:\ComboFix.txt ... 06-12-19 00:32




Vundofix Log


VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 12:39:17 AM 12/19/2006

Listing files found while scanning....

C:\WINNT\system32\pxfwuxh.dll
C:\WINNT\system32\geefg.dll
C:\WINNT\system32\pmnkh.dll
C:\WINNT\system32\xxwuu.dll
C:\WINNT\system32\uuwxx.ini
C:\WINNT\system32\uuwxx.ini2
C:\WINNT\system32\xxwuu.dll
C:\WINNT\system32\uuwxx.ini
C:\WINNT\system32\uuwxx.ini2
C:\WINNT\system32\uuwxx.ini
C:\WINNT\system32\uuwxx.ini2

Beginning removal...

Attempting to delete C:\WINNT\system32\pxfwuxh.dll
C:\WINNT\system32\pxfwuxh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\geefg.dll
C:\WINNT\system32\geefg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pmnkh.dll
C:\WINNT\system32\pmnkh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xxwuu.dll
C:\WINNT\system32\xxwuu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\uuwxx.ini
C:\WINNT\system32\uuwxx.ini Has been deleted!

Attempting to delete C:\WINNT\system32\uuwxx.ini2
C:\WINNT\system32\uuwxx.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 1:00:07 AM 12/19/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...






Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 1:09:54 AM, on 12/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\msasvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\dmrproc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\S3tray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\djjnakmA.exe
C:\WINNT\system32\salvage.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {02447900-91BB-498A-8CC5-3A7559485A97} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22FD0654-A9EE-4E71-BDB1-9849E53F3E0D} - (no file)
O2 - BHO: (no name) - {27E61C9A-315C-47ED-9DD7-7174AC74C2F0} - (no file)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {426FDF01-80ED-C85E-2B1E-091B9DF39978} - C:\WINNT\system32\pxfwuxh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {599E9ACA-4188-49FA-A710-F082E633BB22} - (no file)
O2 - BHO: (no name) - {625964A7-AEAD-7468-9988-04F8A44A57A0} - C:\WINNT\system32\jaxbtjh.dll
O2 - BHO: (no name) - {717B0F8B-321D-4733-A675-F30552C03592} - (no file)
O2 - BHO: (no name) - {9BA50FCB-1C40-4841-9693-8965B59382FE} - (no file)
O2 - BHO: (no name) - {DF6C3B6E-E149-4362-BA8A-CF4C76F69714} - (no file)
O2 - BHO: (no name) - {E372382C-1D40-4C92-915A-1FE60945723A} - (no file)
O2 - BHO: (no name) - {EC1DCE56-A82B-48EE-83AC-B3AED916E988} - (no file)
O2 - BHO: (no name) - {F22656E2-02AA-43A9-BED5-0331CDFD72D0} - C:\WINNT\system32\vturqon.dll
O2 - BHO: (no name) - {FE872027-6DBD-460E-8F18-CB84D65F0A80} - C:\WINNT\system32\xxwuu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bycef193] RUNDLL32.EXE w08f42ba.dll,n 006ef18d0000000a08f42ba
O4 - HKLM\..\Run: [djjnakmA] C:\WINNT\djjnakmA.exe
O4 - HKLM\..\Run: [msvcc25] salvage.exe
O4 - HKLM\..\Run: [mysvcig38] recsl.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\RunServices: [msvcc25] salvage.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [mysvcig38] recsl.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_315726] C:\Program Files\Panda Software\Panda Antivirus 2007\pavdr.exe 315726
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Ricanna\LOCALS~1\Temp\33584.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153906012348
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159169940384
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://imagery.maps.nsw.gov.au/ecwplugins/NCS.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\
O20 - Winlogon Notify: vturqon - C:\WINNT\SYSTEM32\vturqon.dll
O20 - Winlogon Notify: winsys2freg - C:\WINNT\
O20 - Winlogon Notify: xxwuu - C:\WINNT\
O21 - SSODL: PIcnFbOFqChUQ - {7CF38380-D659-292A-F3C8-DF00880FC492} - C:\WINNT\system32\zzo.dll (file missing)
O23 - Service: 82210 - Unknown owner - \\58.106.154.241\Admin$\eraseme_82706.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Pr0tected St0rage (Pr0tectedSt0rage) - Unknown owner - C:\WINNT\system\lsass.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINNT\dmrproc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe (file missing)

#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 18 December 2006 - 01:01 PM

Hey Richard,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

There is an entry in your Hijackthis log that I'd like to ask you about:

O23 - Service: 82210 - Unknown owner - \\58.106.154.241\Admin$\eraseme_82706.exe (file missing)

Do you know what this is? The IP looks like it's related to your Internet Service Provider. Or possibly it is to do with another PC in your network that you have access to? Can you let me know in your next post what you know about it?

Please download AVG Anti-Spyware to your Desktop.
Start the set-up program by double clicking the installer.
Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.
Click the Update tab then select Start update; a progress bar will show the updates being installed.
Now press the Scanner icon, and click the Settings tab.
Click Recommended actions, then set it to Quarantine.
Close the program now, we will scan with it later on.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {02447900-91BB-498A-8CC5-3A7559485A97} - (no file)
O2 - BHO: (no name) - {22FD0654-A9EE-4E71-BDB1-9849E53F3E0D} - (no file)
O2 - BHO: (no name) - {27E61C9A-315C-47ED-9DD7-7174AC74C2F0} - (no file)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {426FDF01-80ED-C85E-2B1E-091B9DF39978} - C:\WINNT\system32\pxfwuxh.dll (file missing)
O2 - BHO: (no name) - {599E9ACA-4188-49FA-A710-F082E633BB22} - (no file)
O2 - BHO: (no name) - {625964A7-AEAD-7468-9988-04F8A44A57A0} - C:\WINNT\system32\jaxbtjh.dll
O2 - BHO: (no name) - {717B0F8B-321D-4733-A675-F30552C03592} - (no file)
O2 - BHO: (no name) - {9BA50FCB-1C40-4841-9693-8965B59382FE} - (no file)
O2 - BHO: (no name) - {DF6C3B6E-E149-4362-BA8A-CF4C76F69714} - (no file)
O2 - BHO: (no name) - {E372382C-1D40-4C92-915A-1FE60945723A} - (no file)
O2 - BHO: (no name) - {EC1DCE56-A82B-48EE-83AC-B3AED916E988} - (no file)
O2 - BHO: (no name) - {F22656E2-02AA-43A9-BED5-0331CDFD72D0} - C:\WINNT\system32\vturqon.dll
O2 - BHO: (no name) - {FE872027-6DBD-460E-8F18-CB84D65F0A80} - C:\WINNT\system32\xxwuu.dll (file missing)
O4 - HKLM\..\Run: [bycef193] RUNDLL32.EXE w08f42ba.dll,n 006ef18d0000000a08f42ba
O4 - HKLM\..\Run: [djjnakmA] C:\WINNT\djjnakmA.exe
O4 - HKLM\..\Run: [msvcc25] salvage.exe
O4 - HKLM\..\Run: [mysvcig38] recsl.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKLM\..\RunServices: [msvcc25] salvage.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [mysvcig38] recsl.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\winnt\system32\_zsk_zlu_zlope04xiei[iayhujyhy]j.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\winnt\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Ricanna\LOCALS~1\Temp\33584.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\
O20 - Winlogon Notify: vturqon - C:\WINNT\SYSTEM32\vturqon.dll
O20 - Winlogon Notify: winsys2freg - C:\WINNT\
O20 - Winlogon Notify: xxwuu - C:\WINNT\
O21 - SSODL: PIcnFbOFqChUQ - {7CF38380-D659-292A-F3C8-DF00880FC492} - C:\WINNT\system32\zzo.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\system32\msasvc.exe
O23 - Service: Pr0tected St0rage (Pr0tectedSt0rage) - Unknown owner - C:\WINNT\system\lsass.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINNT\dmrproc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINNT\wlmsngr.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your Desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button, which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Documents and Settings\Ricanna\Local Settings\Temp\33584.exe
C:\arwjwo.exe
C:\ciyjob.exe
C:\ckivc.exe
C:\mc44a55.exe
C:\pro3_install.exe
C:\windows_e55.exe
C:\WINNT\djjnakmA.exe
C:\WINNT\dmrproc.exe
C:\WINNT\system\lsass.exe
C:\WINNT\system32\_mzu_stonedrv3.exe
C:\WINNT\system32\_zsk_zlu_zlope03IO[L[IBCWHXHZ]GX.exe
C:\WINNT\system32\_zsk_zlu_zlope03P]`CGAQH]XNVXRX_.exe
C:\WINNT\system32\cbxyayv.dll
C:\WINNT\system32\dxclib303562752.dll
C:\WINNT\system32\dxvwquzp.exe
C:\WINNT\system32\dxvwwzlr.exe
C:\WINNT\system32\fccyxvs.dll
C:\WINNT\system32\gebcaya.dll
C:\WINNT\system32\gebxyww.dll
C:\WINNT\system32\geefg.dll
C:\WINNT\system32\install.exe
C:\WINNT\system32\jaxbtjh.dll
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\mtrq.dll
C:\WINNT\system32\opnkkjj.dll
C:\WINNT\system32\pmnkh.dll
C:\WINNT\system32\pxfwuxh.dll
C:\WINNT\system32\recsl.exe
C:\WINNT\system32\salvage.exe
C:\WINNT\system32\uuwxx.ini2
C:\WINNT\system32\vturqon.dll
C:\WINNT\system32\w.exe
C:\WINNT\system32\w08f42ba.dll
C:\WINNT\system32\xxwuu.dll
C:\WINNT\system32\zzo.dll
C:\WINNT\winmgr.exe
C:\WINNT\wlmsngr.exe
C:\Program Files\DeluxeCommunications


Open 'File' in the menu on top and choose Paste from clipboard
You must use the File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click Yes.
Click OK at any Pending File Rename Operations prompt, let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now, make sure you reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

======

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F22656E2-02AA-43A9-BED5-0331CDFD72D0}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PIcnFbOFqChUQ"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqon]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxwuu]

Save this as fix.reg. Choose to save as *all files and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.
Press the Scanner icon.
Then click on the Complete System Scan button.
If any infections are found, you will be asked for an action; select Apply all actions.
Now press the Reports icon at the top.
Choose Save report as and save the text file to your Desktop.
Please post this log in your next reply.

Reboot into Normal Mode.

======

Click Start | Run | type: services.msc
Click OK.
In the services window find:
Pr0tected St0rage
Right-click and choose "Properties". On the General tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled".
Repeat with the following:
Microsoft Windows DMR Service
wlmsngr


Click Apply then OK. File-Exit the Services utility.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press OK:
Pr0tectedSt0rage
"Windows DMR Service"
wlmsngr


Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Please post me back a new HijackThis log, the AVG report and also let me know about the O23 entry.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#12 Ricanna

Ricanna
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 23 December 2006 - 11:12 PM

Hi Charles,

I've gone through and tried to do what you've asked, but when the computer re-started, I cannot run any applications. It says that there are no file associations associated with these. I've tried to add it for the exe files, but it still isn't working. Any ideas on how to get this back? I'm actually on holidays now (though I will still run through the course of fixing the problems) but I need the computer to download my photos.

Have a Merry Xmas.

Richard

#13 rookie147

Posted 26 December 2006 - 05:30 AM

Hi Ricanna, I hope you had a good Christmas.
It appears to me that you have been infected with a relatively new type of malware that corrupts executable (.exe) files on your computer. Although there are ways to disinfect the files, the best method of solving the problem is to reformat the computer and start all over again. With an infection like this, you would never be able to trust this computer, and we won't be able to tell when we have finally fixed it, as there will no doubt be more errors after we finish. If you do reformat then you can live with a PC you can trust and that will work properly. If you don't want to reformat we can try and disinfect the executables, but sometimes the scanners fail and end up corrupting the files, possibly meaning Windows won't work. My advice to start with is to back up all important data if you can onto CDs or a memory stick.
Please bear in mind you will need a valid XP re-installation CD for the reformat.
Here is some information on the infection you have, to help you make up your mind:
http://www.sophos.com/security/analyses/w32drefo.html

So I need a decision from you, reformat or try and fix this?
Thanks,
Charles



#14 Ricanna

Posted 26 December 2006 - 08:06 AM

Hi Charles,

Christmas was good. Hopefully yours was as well. I'm doing a lot of travelling. Unfortunately, as I am on holidays, I don't have any of the installation CDs for Windows or any of the software on my computer. Thus I really don't have much of a choice, as I need this computer to download my photos on to. If it is possible, I would like to go down the harder path of trying to fix this virus. Or if there is a way around it I can live with the viruses for a few weeks, as I will only be using this computer for photos and don't use it to connect (I use another computer to send these replies). Then when I come back from holidays, I'll reformat the hard drive.

Cheers,

Richard

#15 rookie147

Posted 26 December 2006 - 05:54 PM

Hey Richard,

Or if there is a way around it I can live with the viruses for a few weeks, as I will only be using this computer for photos and don't use it to connect (I use another computer to send these replies). Then when I come back from holidays, I'll reformat the hard drive.

To be honest, I think this is the best idea. Since you say you aren't planning on using it for anything except photos, you can physically disconnect it from the internet, which should make it run a bit better; then the malware you have can't do any harm. But, like I said, the decision is entirely up to you.
We can try our best to clean it up (which may or may not be successful), or you can format your computer. Basically, it depends on whether or not you have your XP disk at home.
Does that sound like a good idea to you: pull out the internet plug and use it for now, then reformat when you get home?
Thanks,
Charles
