
Infected With Trojan Horse Lop.as And W?wexec.exe


  • This topic is locked
16 replies to this topic

#1 rsd79


Posted 29 December 2006 - 12:07 AM

I have run AVG Anti-virus, Spybot, Adaware, Vundo tools, and Smithfraud fix tool in both normal and safe modes with temporary success. I regularly get popups from AVG stating that Trojan horse Lop.AS is a threat. Secondly, I also get popups from ZoneAlarm warning me that w?wexec.exe is trying to gain access to the internet. I am running Windows XP Home with SP2. I am using Spybot Search and Destroy Teatimer, AVG Anti-virus, and ZoneAlarm Firewall for protection. I forgot to add that I previously had problems with trojan horse dialer.COH but the Vundo tool seems to have fixed that. Recently, I have not received any virus alerts regarding trojan horse dialer.COH.

------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:47:29 PM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\{183D03E4-0643-1033-0622-060622060001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09577D23-AD7A-49FC-ACBF-B785BD3342A7} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\jqudeiig.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\Owner\LOCALS~1\Temp\~DP89.dll (file missing)
O2 - BHO: (no name) - {7411F8BA-29A3-3216-9DE7-024AC0AAB9F6} - C:\WINDOWS\system32\viyjhai.dll (file missing)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\khffcya.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{383D0~1\Bar888.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{383D0~1\Bar888.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6539A68-4617-45AD-98A0-61BAA65250D2}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khffcya - C:\WINDOWS\SYSTEM32\khffcya.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by rsd79, 29 December 2006 - 03:39 AM.

Dustin Penner is the new Jaromir Jagr.

#2 kairis


Posted 29 December 2006 - 07:44 AM

Hi and welcome. My name is Kairis and I will be helping you.
You have still some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
Disable Spybot S&D Teatimer
Please disable Spybot S&D TeaTimer, as it may hinder the removal of the infection.
You can enable it after you're clean. To disable SpybotSD TeaTimer:
Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
Let's run some cleaning and diagnostic scans:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
Please download Combofix to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
== Remove program ==
Click on start, settings, control panel and double-click on Add or Remove Programs.
From within Add or Remove Programs uninstall the following if they exist:
Bar888
Safety Bar

Then reboot your computer - IMPORTANT

**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
== Delete folders/files ==
1. Reboot Your System in Safe Mode
Reboot in "Safe Mode".
How to: Visual presentation at Symantec.
2. Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):
C:\Program Files\Safety Bar<==Folder
C:\PROGRAM FILES\COMMON FILES\{383D0...<==Folder
3. Exit Explorer.

**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
== Run HJT Scan ==
  • Run HijackThis
  • Click on the "Do a System Scan Only" button
  • Put a check beside all of the items listed below (if present):
    O2 - BHO: (no name) - {09577D23-AD7A-49FC-ACBF-B785BD3342A7} - C:\WINDOWS\system32\awvtu.dll (file missing)
    O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\Owner\LOCALS~1\Temp\~DP89.dll (file missing)
    O2 - BHO: (no name) - {7411F8BA-29A3-3216-9DE7-024AC0AAB9F6} - C:\WINDOWS\system32\viyjhai.dll (file missing)
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{383D0~1\Bar888.dll
    O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{383D0~1\Bar888.dll
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
== Check on status ==
After you have completed the above, please provide:
* the Vundofix log
* the Combofix log
* a new HijackThis log
* and a description of any problems you are having with your PC
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
~Kairis~
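The entries Kairis singles out above share a few recognisable shapes: unnamed hooks and BHOs, "(file missing)" orphans, a Run key that starts rundll32 on a DLL in system32, a Winlogon Notify DLL that is not part of Windows, and add-ons living in GUID-named folders under Common Files. The script below is an added illustration (not part of Kairis's instructions, nor of HijackThis) that parses those HijackThis v1.99.1 line formats and flags the same patterns; the sample lines are copied from the log posted above, and the two allowlists are assumed, partial examples.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: HijackThis v1.99.1 lines copied from the log posted in this
# thread, legitimate entries mixed with the ones the helper asked to have fixed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09577D23-AD7A-49FC-ACBF-B785BD3342A7} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{383D0~1\Bar888.dll
O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O20 - Winlogon Notify: khffcya - C:\WINDOWS\SYSTEM32\khffcya.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Line shapes handled: R3/O2/O3 share one COM-style layout; O4 and O20 differ.
COM_RE = re.compile(
    r"^(?P<sec>R3|O2|O3) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
# A GUID-named directory component, either long ({183D03E4-...}) or 8.3 short ({383D0~1).
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f-]{5,}(?:\}|~\d)\\")

# Assumed allowlists (partial, illustrative): Winlogon Notify DLLs that ship with
# Windows XP, and vendor DLLs that are legitimately started through rundll32.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "scecli.dll", "sclgntfy.dll", "wlnotify.dll"}
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


@dataclass
class Finding:
    line: str
    reasons: List[str]


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a second look ([] if none)."""
    reasons: List[str] = []
    m = COM_RE.match(line)
    if m:
        if m["name"] == "(no name)":
            reasons.append("unnamed %s (legitimate add-ons almost always register a name)" % m["kind"])
        if m["missing"]:
            reasons.append("orphaned registration: file already gone, entry should be fixed")
        if m["name"] == "(no name)" and _in_system32(m["path"]):
            reasons.append("unnamed DLL loaded from system32")
        if GUID_DIR_RE.search(m["path"]):
            reasons.append("component lives in a GUID-named folder (common for bundled adware)")
        return reasons
    m = RUN_RE.match(line)
    if m:
        r = RUNDLL_RE.match(m["cmd"])
        if r and _in_system32(r["dll"]) and _basename(r["dll"]) not in KNOWN_RUNDLL_TARGETS:
            reasons.append("Run key starts rundll32 on an unrecognised system32 DLL (%s,%s)"
                           % (_basename(r["dll"]), r["export"]))
        return reasons
    m = NOTIFY_RE.match(line)
    if m and _basename(m["path"]) not in KNOWN_NOTIFY_DLLS:
        reasons.append("Winlogon Notify DLL not in the known-good set (loads at every logon)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line and keep those with at least one reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


def reasons_for(findings: List[Finding], needle: str) -> List[str]:
    """Reasons attached to the first finding whose line mentions `needle` ([] if unflagged)."""
    for f in findings:
        if needle.lower() in f.line.lower():
            return f.reasons
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("    ->", reason)
```

On the sample above the script flags six lines (zovpcpa, awvtu, Bar888, Safety Bar, cxoarbgk, khffcya) and leaves the Adobe, NVIDIA and WgaLogon entries alone; a named toolbar such as Bar888 is only caught through its GUID-named folder, so allowlists and pattern checks complement rather than replace a helper's knowledge.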

#3 rsd79


Posted 29 December 2006 - 11:27 PM

Description:

The w?wexec.exe threat seems to be gone. The AVG virus alerts are still happening for Trojan horse Lop.AS. When I used the Vundo tool it said that there were no infected files. When I went to Add/Remove programs the safetybar and bar888 icons were there. When I tried to remove both files, a dialog box came up saying that the file was either missing or already uninstalled. When I tried to delete them manually the folders were not there.

--------------------------------------------------------------------------

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.2

Scan started at 1:29:44 AM 12/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\winrnt32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\awvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.bak1
C:\WINDOWS\system32\utvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utvwa.bak2
C:\WINDOWS\system32\utvwa.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.2

Scan started at 6:45:23 PM 12/29/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

-------------------------------------------------------------------------------

Owner - 06-12-29 18:54:57.98 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{383D03E4-0643-1033-0622-060622060001}
C:\Program Files\Common Files\{183D03E4-0643-1033-0622-060622060001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSEMBL~1\javaw.exe
C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSEMBL~1\SSEMBL~1
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MBOLS~1\w?wexec.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-29 to 2006-12-29 ))))))))))))))))))))))))))))))))))


2006-12-29 18:45 <DIR> d-------- C:\VundoFix Backups
2006-12-29 14:35 277,044 --a------ C:\WINDOWS\system32\geebc.dll
2006-12-29 10:56 277,044 --a------ C:\WINDOWS\system32\mljgf.dll
2006-12-28 20:17 <DIR> d-------- C:\Program Files\HijackThis
2006-12-27 03:24 <DIR> d-------- C:\avenger
2006-12-27 02:55 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-26 08:19 88,340 --a------ C:\WINDOWS\system32\bjkocgqe.exe
2006-12-26 08:19 81,684 --a------ C:\WINDOWS\system32\nbsvopbt.dll
2006-12-26 08:18 44,052 --a------ C:\WINDOWS\system32\jqudeiig.dll
2006-12-25 00:05 88,340 --a------ C:\WINDOWS\system32\vyglkadx.exe
2006-12-25 00:05 44,052 --a------ C:\WINDOWS\system32\fvqeipjy.dll
2006-12-24 00:05 81,684 --a------ C:\WINDOWS\system32\lyfiquva.dll
2006-12-24 00:04 88,340 --a------ C:\WINDOWS\system32\ambvwpie.exe
2006-12-24 00:04 44,052 --a------ C:\WINDOWS\system32\ptxbykod.dll
2006-12-23 00:04 88,340 --a------ C:\WINDOWS\system32\daaprfce.exe
2006-12-23 00:04 44,052 --a------ C:\WINDOWS\system32\asuwuula.dll
2006-12-22 00:04 81,684 --a------ C:\WINDOWS\system32\vauvsomm.dll
2006-12-22 00:04 44,052 --a------ C:\WINDOWS\system32\layobfjp.dll
2006-12-22 00:03 88,340 --a------ C:\WINDOWS\system32\ypmdtqpq.exe
2006-12-21 00:03 88,340 --a------ C:\WINDOWS\system32\buqrxmud.exe
2006-12-21 00:03 44,052 --a------ C:\WINDOWS\system32\chvqgblt.dll
2006-12-20 00:03 88,340 --a------ C:\WINDOWS\system32\jsfplxdu.exe
2006-12-20 00:03 44,052 --a------ C:\WINDOWS\system32\kvdoctlr.dll
2006-12-18 23:53 88,340 --a------ C:\WINDOWS\system32\jupogbec.exe
2006-12-18 23:53 44,052 --a------ C:\WINDOWS\system32\sitgttxe.dll
2006-12-18 14:05 <DIR> d-------- C:\Program Files\Photodex Presenter
2006-12-18 14:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Netscape
2006-12-18 03:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-17 23:53 88,340 --a------ C:\WINDOWS\system32\anbvnoia.exe
2006-12-17 23:53 44,052 --a------ C:\WINDOWS\system32\wgrgvyce.dll
2006-12-17 01:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-12-16 23:52 88,340 --a------ C:\WINDOWS\system32\mutxcwmd.exe
2006-12-16 23:52 44,052 --a------ C:\WINDOWS\system32\dctphdyf.dll
2006-12-15 23:51 88,340 --a------ C:\WINDOWS\system32\hwsrsbnw.exe
2006-12-15 23:51 44,052 --a------ C:\WINDOWS\system32\ejkcuetf.dll
2006-12-14 23:51 88,340 --a------ C:\WINDOWS\system32\mngmjjxn.exe
2006-12-14 23:51 118,804 --a------ C:\WINDOWS\system32\cxoarbgk.dll
2006-12-13 23:50 88,340 --a------ C:\WINDOWS\system32\adlvvdei.exe
2006-12-13 00:35 <DIR> d-------- C:\Program Files\Common Files\NSV
2006-12-13 00:26 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-12 23:50 88,340 --a------ C:\WINDOWS\system32\knglbrfm.exe
2006-12-12 12:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-12-11 23:40 88,340 --a------ C:\WINDOWS\system32\egjbmtfg.exe
2006-12-11 11:52 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-11 03:25 40,973 ---hs---- C:\WINDOWS\system32\khffcya.dll
2006-12-11 03:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-12-11 03:16 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-11 03:16 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-11 03:16 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-11 03:16 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-11 03:16 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-11 03:16 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-11 03:16 <DIR> d-------- C:\Program Files\Grisoft
2006-12-11 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-11 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-11 02:36 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-11 02:36 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-11 02:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 00:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-11 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-10 22:45 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-12-10 22:45 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-12-10 22:20 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-12-10 21:37 <DIR> d-------- C:\Program Files\Common Files\DESIGNER
2006-12-10 21:36 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-12-10 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2006-12-10 21:29 <DIR> dr-h----- C:\MSOCache
2006-12-10 21:21 88,340 --a------ C:\WINDOWS\system32\yeqyacae.exe
2006-12-10 19:41 <DIR> d-------- C:\Program Files\DAEMON Tools
2006-12-10 19:30 88,340 --a------ C:\WINDOWS\system32\itrsgdip.exe
2006-12-10 19:05 <DIR> d-------- C:\Program Files\PowerISO
2006-12-09 19:30 88,340 --a------ C:\WINDOWS\system32\suurtkgk.exe
2006-12-08 19:29 88,340 --a------ C:\WINDOWS\system32\labiijcw.exe
2006-12-07 20:09 88,340 --a------ C:\WINDOWS\system32\uigrjmeh.exe
2006-12-07 18:43 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-07 01:42 912 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-07 01:42 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-07 01:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-07 01:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-07 01:42 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-07 01:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-07 01:42 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-07 00:39 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-07 00:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-07 00:10 56,832 --a------ C:\WINDOWS\system32\zovpcpa.dll
2006-12-07 00:10 2 --a------ C:\WINDOWS\system32\wnsintsu.exe
2006-12-05 22:28 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-05 22:28 635,486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-05 22:28 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-12-05 22:28 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-05 22:28 217,088 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-12-05 22:28 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-05 22:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-05 22:28 1,138,688 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-12-05 22:28 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-05 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-12-05 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Real
2006-11-30 00:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2006-11-29 16:39 774,144 --a------ C:\WINDOWS\system32\vsfilter.dll
2006-11-29 16:39 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2006-11-29 16:39 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2006-11-29 16:22 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2006-11-29 16:22 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-11-29 16:18 <DIR> d-------- C:\Program Files\The Playa
2006-11-29 16:18 <DIR> d-------- C:\Program Files\DivXCodec


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-29 18:58 -------- d-------- C:\Program Files\Common Files
2006-12-29 18:54 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-25 21:47 -------- d-------- C:\Program Files\MSN
2006-12-18 14:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-12-13 14:47 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 14:47 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 00:27 -------- d-------- C:\Program Files\Winamp
2006-12-12 12:42 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-12-12 12:39 -------- d-------- C:\Program Files\Acez Mp3 Wav Converter
2006-12-11 12:01 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-10 21:37 -------- d-------- C:\Program Files\Microsoft Works
2006-12-10 21:37 -------- d-------- C:\Program Files\Microsoft Office
2006-12-10 21:37 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-10 19:36 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-09 19:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2006-12-09 00:07 -------- d-------- C:\Program Files\BitComet
2006-12-08 00:38 -------- d-------- C:\Program Files\Ares
2006-12-07 00:56 -------- d-------- C:\Program Files\Azureus
2006-12-06 23:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 22:28 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-12-05 22:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-12-05 22:27 -------- d-------- C:\Program Files\QuickTime
2006-12-01 03:09 -------- d-------- C:\Program Files\WM Recorder 10.2
2006-11-29 16:39 -------- d-------- C:\Program Files\Common Files\Real
2006-11-29 16:37 -------- d-------- C:\Program Files\DivX
2006-11-29 02:24 -------- d-------- C:\Program Files\iWin.com
2006-11-29 02:24 -------- d-------- C:\Program Files\iWin
2006-11-29 02:23 -------- d-------- C:\Program Files\7-Zip
2006-11-28 16:01 -------- d-------- C:\Program Files\PFConfig
2006-11-24 01:37 -------- d-------- C:\Program Files\Xilisoft
2006-11-21 02:58 -------- d-------- C:\Program Files\Ultra iPod Movie Converter
2006-11-21 00:07 -------- d-------- C:\Program Files\iTunes
2006-11-21 00:07 -------- d-------- C:\Program Files\iPod
2006-11-21 00:04 -------- d-------- C:\Program Files\Apple Software Update
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 12:09 -------- d-------- C:\Program Files\Shareaza Turbo Accelerator
2006-11-07 12:08 -------- d-------- C:\Program Files\Electronic Arts
2006-11-07 00:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-07 00:13 -------- d-------- C:\Program Files\EA SPORTS
2006-11-06 01:28 30988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-11-05 00:32 -------- d-------- C:\Program Files\Shareaza
2006-11-05 00:09 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2006-11-04 19:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 00:40 -------- d-------- C:\Program Files\Google
2006-10-30 19:00 -------- d-------- C:\Program Files\LimeWire
2006-10-30 18:59 359112 --a------ C:\Program Files\LimeWire.exe
2006-10-26 14:10 33088 --a------ C:\WINDOWS\system32\FM20ENU.DLL
2006-10-26 14:10 1190688 --a------ C:\WINDOWS\system32\FM20.DLL
2006-10-26 13:45 293376 --a------ C:\WINDOWS\system32\WISPTIS.EXE
2006-10-26 13:45 207360 --a------ C:\WINDOWS\system32\INKED.DLL
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\cxoarbgk.dll\",setvm"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9B0C7A02-A17A-4C81-BD7D-30A622701C36}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"Mn@iboddPubswLfov"=dword:00000000
"Mn@mlrf"=dword:00000000
"MnOndNeg"=dword:00000000
"MnQtm"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"="C:\\Program Files\\Common Files\\Microsoft Shared\\Translat\\LicenseManager.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffcya

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-29 19:01:30.03
C:\ComboFix.txt ... 06-12-29 19:01

--------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:13:59 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\jqudeiig.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\khffcya.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6539A68-4617-45AD-98A0-61BAA65250D2}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khffcya - C:\WINDOWS\SYSTEM32\khffcya.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-----------------------------------------------------------------------------

Thanks for helping me out, Kairis.

P.S. Good luck in the game against Switzerland on Saturday at the IIHF World Junior Hockey Tournament. Although Switzerland sucks, so that should be an easy game.
Dustin Penner is the new Jaromir Jagr.

#4 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:01:49 PM

Posted 30 December 2006 - 02:46 AM

Download KillBox
Unzip the folder to your desktop.
  • Start Killbox.exe
  • Select the Delete on Reboot option.
  • Click on the All Files button.
  • Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

    C:\WINDOWS\system32\geebc.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\bjkocgqe.exe
    C:\WINDOWS\system32\nbsvopbt.dll
    C:\WINDOWS\system32\vyglkadx.exe
    C:\WINDOWS\system32\fvqeipjy.dll
    C:\WINDOWS\system32\lyfiquva.dll
    C:\WINDOWS\system32\ambvwpie.exe
    C:\WINDOWS\system32\ptxbykod.dll
    C:\WINDOWS\system32\daaprfce.exe
    C:\WINDOWS\system32\asuwuula.dll
    C:\WINDOWS\system32\vauvsomm.dll
    C:\WINDOWS\system32\layobfjp.dll
    C:\WINDOWS\system32\ypmdtqpq.exe
    C:\WINDOWS\system32\buqrxmud.exe
    C:\WINDOWS\system32\chvqgblt.dll
    C:\WINDOWS\system32\jsfplxdu.exe
    C:\WINDOWS\system32\kvdoctlr.dll
    C:\WINDOWS\system32\jupogbec.exe
    C:\WINDOWS\system32\sitgttxe.dll
    C:\WINDOWS\system32\anbvnoia.exe
    C:\WINDOWS\system32\wgrgvyce.dll
    C:\WINDOWS\system32\mutxcwmd.exe
    C:\WINDOWS\system32\dctphdyf.dll
    C:\WINDOWS\system32\hwsrsbnw.exe
    C:\WINDOWS\system32\ejkcuetf.dll
    C:\WINDOWS\system32\mngmjjxn.exe
    C:\WINDOWS\system32\cxoarbgk.dll
    C:\WINDOWS\system32\adlvvdei.exe
    C:\WINDOWS\system32\knglbrfm.exe
    C:\WINDOWS\system32\egjbmtfg.exe
    C:\WINDOWS\system32\yeqyacae.exe
    C:\WINDOWS\system32\itrsgdip.exe
    C:\WINDOWS\system32\suurtkgk.exe
    C:\WINDOWS\system32\labiijcw.exe
    C:\WINDOWS\system32\uigrjmeh.exe
    C:\WINDOWS\system32\zovpcpa.dll
    C:\WINDOWS\system32\wnsintsu.exe
    C:\WINDOWS\system32\cxoarbgk.dll


    Go to the File menu of Killbox, and choose Paste from Clipboard.
    NOTE: You must use the File menu -- pasting by right-clicking the mouse will only enter one file.
    Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If your computer does not restart automatically, please restart it manually.
    After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
    Post this log in your next reply.
    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    Vundo is still there. It's just being difficult.
    IMPORTANT - Make sure the Combofix is saved to your desktop.
    Click Start -> Run
    Copy the command below and paste it into the Run box and click Ok.

    "%userprofile%\desktop\combofix.exe" /v khffcya jqudeiig

    When it's done running it will produce a log for you. Please post that log in your next reply.
    **¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
    Remove bad HijackThis entries
  • Run HijackThis
  • Click on the "Do a System Scan Only" button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
    O2 - BHO: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
    O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
In your next reply, please include the following logs: the Combofix log and a fresh HijackThis log. Thanks.
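The HijackThis lines kairis singles out above share a few signals a defender can encode rather than eyeball: a BHO or URLSearchHook with "(no name)" loading from system32, a Winlogon Notify package that is not one of the stock XP ones, a Run entry that uses rundll32 to load a DLL with a random-looking all-lowercase name, and one DLL registered at more than one load point (khffcya appears in both an O2 and an O20 line). The following is an added Python example written for this thread; it is not code from HijackThis, ComboFix or any poster. The allowlist of Winlogon Notify packages and the 6-to-8-lowercase-letter "random name" rule are assumptions to tune for your own baseline, and the sample lines are copied from the scan posted above plus three benign lines for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis scan posted above in this thread,
# plus three benign lines (Adobe BHO, NvCpl, WgaLogon) for contrast. Constructed test data.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\jqudeiig.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\khffcya.dll
O2 - BHO: (no name) - {D15A01BD-C50A-9CFA-7247-ECECDDE415ED} - C:\WINDOWS\system32\zovpcpa.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O20 - Winlogon Notify: khffcya - C:\WINDOWS\SYSTEM32\khffcya.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First Windows path ending in .dll/.exe; tolerates spaces and a trailing ",EntryPoint".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))(?![A-Za-z])", re.IGNORECASE)
# Heuristic (assumption): Vundo-era droppers used 6-8 random lowercase letters as file names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}$")
# Winlogon Notify packages normally present on XP SP2. Assumption: adjust to your baseline.
KNOWN_WINLOGON_NOTIFY = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass(frozen=True)
class Finding:
    item: str    # DLL/EXE stem the finding is about (lower-case)
    rule: str    # which heuristic fired
    reason: str
    line: str    # the log line, or "" for cross-line findings


def stem_of(path):
    """'C:\\WINDOWS\\system32\\khffcya.dll' -> 'khffcya'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Apply per-line heuristics, then cross-reference DLLs seen at several load points."""
    findings = []
    load_points = defaultdict(set)  # stem -> {"O2", "O20", ...}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tag, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        stem = stem_of(path).lower() if path else None
        if stem:
            load_points[stem].add(tag)
        # Unnamed browser hooks living in system32 are the classic Vundo BHO pattern.
        if tag in ("O2", "R3") and "(no name)" in body and path and in_system32(path):
            findings.append(Finding(stem, "unnamed-system32-hook",
                                    f"{tag} hook with no name loaded from system32", line))
        # A registration whose file is gone is still an entry to clean up.
        if tag == "O2" and "(file missing)" in body and stem:
            findings.append(Finding(stem, "orphaned-hook", "BHO registered but file missing", line))
        # Winlogon Notify DLLs load into winlogon.exe at logon; anything off the baseline is suspect.
        if tag == "O20" and stem and stem not in KNOWN_WINLOGON_NOTIFY:
            findings.append(Finding(stem, "unknown-winlogon-notify",
                                    "Winlogon Notify package not in baseline", line))
        # rundll32 + random-looking DLL name under Run is the loader for the same family.
        if tag == "O4" and "rundll32" in body.lower() and stem and RANDOM_NAME_RE.match(stem):
            findings.append(Finding(stem, "rundll32-random-dll",
                                    "Run entry loads random-named DLL via rundll32", line))
    for stem, tags in sorted(load_points.items()):
        if len(tags) > 1:
            findings.append(Finding(stem, "multiple-load-points",
                                    f"{stem}.dll registered under {sorted(tags)}", ""))
    return findings


def suspect_components(log_text):
    """Sorted, de-duplicated list of DLL stems flagged by any per-line rule."""
    return sorted({f.item for f in triage(log_text) if f.line})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.item}: {f.reason}")
    print("review for removal:", suspect_components(SAMPLE_LOG))
```

The cross-reference step is the useful part: a DLL that is both a BHO and a Winlogon Notify package reloads itself at logon even after the browser hook is fixed, which is exactly why kairis pairs the HijackThis fix with a ComboFix /v run against khffcya and jqudeiig rather than relying on "Fix Checked" alone.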

#5 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 30 December 2006 - 06:02 PM

Description: I do not seem to be getting prompts from AVG about the trojan horse lop.as anymore. There were no prompts from Combofix about the PendingFileRenameOperations. I have restarted my computer twice after doing the Killbox scan. Both times I received a Rundll error prompt telling me that cxoarbgk.dll could not run because the file was missing or corrupt.

------------------------------------------------------------

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Saturday, December 30, 2006, 3:03 PM

Killbox Closed(Exit) @ 3:03:21 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Saturday, December 30, 2006, 3:03 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\geebc.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\bjkocgqe.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\nbsvopbt.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\vyglkadx.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\fvqeipjy.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\lyfiquva.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\ambvwpie.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\ptxbykod.dll


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\daaprfce.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\asuwuula.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\system32\vauvsomm.dll


# 12 [Delete on Reboot]
Path = C:\WINDOWS\system32\layobfjp.dll


# 13 [Delete on Reboot]
Path = C:\WINDOWS\system32\ypmdtqpq.exe


# 14 [Delete on Reboot]
Path = C:\WINDOWS\system32\buqrxmud.exe


# 15 [Delete on Reboot]
Path = C:\WINDOWS\system32\chvqgblt.dll


# 16 [Delete on Reboot]
Path = C:\WINDOWS\system32\jsfplxdu.exe


# 17 [Delete on Reboot]
Path = C:\WINDOWS\system32\kvdoctlr.dll


# 18 [Delete on Reboot]
Path = C:\WINDOWS\system32\jupogbec.exe


# 19 [Delete on Reboot]
Path = C:\WINDOWS\system32\sitgttxe.dll


# 20 [Delete on Reboot]
Path = C:\WINDOWS\system32\anbvnoia.exe


# 21 [Delete on Reboot]
Path = C:\WINDOWS\system32\wgrgvyce.dll


# 22 [Delete on Reboot]
Path = C:\WINDOWS\system32\mutxcwmd.exe


# 23 [Delete on Reboot]
Path = C:\WINDOWS\system32\dctphdyf.dll


# 24 [Delete on Reboot]
Path = C:\WINDOWS\system32\hwsrsbnw.exe


# 25 [Delete on Reboot]
Path = C:\WINDOWS\system32\ejkcuetf.dll


# 26 [Delete on Reboot]
Path = C:\WINDOWS\system32\mngmjjxn.exe


# 27 [Delete on Reboot]
Path = C:\WINDOWS\system32\cxoarbgk.dll


# 28 [Delete on Reboot]
Path = C:\WINDOWS\system32\adlvvdei.exe


# 29 [Delete on Reboot]
Path = C:\WINDOWS\system32\knglbrfm.exe


# 30 [Delete on Reboot]
Path = C:\WINDOWS\system32\egjbmtfg.exe


# 31 [Delete on Reboot]
Path = C:\WINDOWS\system32\yeqyacae.exe


# 32 [Delete on Reboot]
Path = C:\WINDOWS\system32\itrsgdip.exe


# 33 [Delete on Reboot]
Path = C:\WINDOWS\system32\suurtkgk.exe


# 34 [Delete on Reboot]
Path = C:\WINDOWS\system32\labiijcw.exe


# 35 [Delete on Reboot]
Path = C:\WINDOWS\system32\uigrjmeh.exe


# 36 [Delete on Reboot]
Path = C:\WINDOWS\system32\zovpcpa.dll


# 37 [Delete on Reboot]
Path = C:\WINDOWS\system32\wnsintsu.exe


I Rebooted @ 3:09:11 PM
Killbox Closed(Exit) @ 3:09:20 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Saturday, December 30, 2006, 3:54 PM

--------------------------------------------------------------

Owner - 06-12-30 15:23:40.62 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\desktop"
Command switches used :: /v khffcya jqudeiig

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\khffcya.dll
C:\WINDOWS\system32\jqudeiig.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Owner\Application Data\SSEMBL~1\SSEMBL~1
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MBOLS~1\w?wexec.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-30 to 2006-12-30 ))))))))))))))))))))))))))))))))))


2006-12-30 15:03 <DIR> d-------- C:\!KillBox
2006-12-30 14:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtopala
2006-12-30 02:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\K-Meleon
2006-12-30 02:14 <DIR> d-------- C:\Program Files\K-Meleon
2006-12-29 18:45 <DIR> d-------- C:\VundoFix Backups
2006-12-28 20:17 <DIR> d-------- C:\Program Files\HijackThis
2006-12-27 03:24 <DIR> d-------- C:\avenger
2006-12-27 02:55 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-18 14:05 <DIR> d-------- C:\Program Files\Photodex Presenter
2006-12-18 14:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Netscape
2006-12-18 03:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-17 01:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-12-13 00:35 <DIR> d-------- C:\Program Files\Common Files\NSV
2006-12-13 00:26 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-12 12:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-12-11 11:52 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-11 03:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-12-11 03:16 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-11 03:16 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-11 03:16 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-11 03:16 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-11 03:16 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-11 03:16 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-11 03:16 <DIR> d-------- C:\Program Files\Grisoft
2006-12-11 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-11 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-11 02:36 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-11 02:36 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-11 02:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 00:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-11 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-10 22:45 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-12-10 22:45 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-12-10 22:20 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-12-10 21:37 <DIR> d-------- C:\Program Files\Common Files\DESIGNER
2006-12-10 21:36 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-12-10 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2006-12-10 21:29 <DIR> dr-h----- C:\MSOCache
2006-12-10 19:41 <DIR> d-------- C:\Program Files\DAEMON Tools
2006-12-10 19:05 <DIR> d-------- C:\Program Files\PowerISO
2006-12-07 18:43 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-07 01:42 912 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-07 01:42 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-07 01:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-07 01:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-07 01:42 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-07 01:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-07 01:42 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-07 00:39 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-07 00:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-12-05 22:28 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-05 22:28 635,486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-05 22:28 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-12-05 22:28 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-05 22:28 217,088 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-12-05 22:28 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-05 22:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-05 22:28 1,138,688 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-12-05 22:28 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-05 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-12-05 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Real
2006-11-30 00:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-30 15:17 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-29 18:58 -------- d-------- C:\Program Files\Common Files
2006-12-25 21:47 -------- d-------- C:\Program Files\MSN
2006-12-18 14:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-12-13 14:47 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 14:47 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 00:27 -------- d-------- C:\Program Files\Winamp
2006-12-12 12:42 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-12-12 12:39 -------- d-------- C:\Program Files\Acez Mp3 Wav Converter
2006-12-11 12:01 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-10 21:37 -------- d-------- C:\Program Files\Microsoft Works
2006-12-10 21:37 -------- d-------- C:\Program Files\Microsoft Office
2006-12-10 21:37 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-10 19:36 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-09 19:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2006-12-09 00:07 -------- d-------- C:\Program Files\BitComet
2006-12-08 00:38 -------- d-------- C:\Program Files\Ares
2006-12-07 00:56 -------- d-------- C:\Program Files\Azureus
2006-12-06 23:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 22:28 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-12-05 22:28 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-12-05 22:27 -------- d-------- C:\Program Files\QuickTime
2006-12-01 03:09 -------- d-------- C:\Program Files\WM Recorder 10.2
2006-11-29 16:39 -------- d-------- C:\Program Files\Common Files\Real
2006-11-29 16:37 -------- d-------- C:\Program Files\DivX
2006-11-29 16:18 -------- d-------- C:\Program Files\The Playa
2006-11-29 16:18 -------- d-------- C:\Program Files\DivXCodec
2006-11-29 02:24 -------- d-------- C:\Program Files\iWin.com
2006-11-29 02:24 -------- d-------- C:\Program Files\iWin
2006-11-29 02:23 -------- d-------- C:\Program Files\7-Zip
2006-11-28 16:01 -------- d-------- C:\Program Files\PFConfig
2006-11-24 01:37 -------- d-------- C:\Program Files\Xilisoft
2006-11-21 02:58 -------- d-------- C:\Program Files\Ultra iPod Movie Converter
2006-11-21 00:07 -------- d-------- C:\Program Files\iTunes
2006-11-21 00:07 -------- d-------- C:\Program Files\iPod
2006-11-21 00:04 -------- d-------- C:\Program Files\Apple Software Update
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 12:09 -------- d-------- C:\Program Files\Shareaza Turbo Accelerator
2006-11-07 12:08 -------- d-------- C:\Program Files\Electronic Arts
2006-11-07 00:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-07 00:13 -------- d-------- C:\Program Files\EA SPORTS
2006-11-06 01:28 30988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-11-05 00:32 -------- d-------- C:\Program Files\Shareaza
2006-11-05 00:09 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2006-11-04 19:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 00:40 -------- d-------- C:\Program Files\Google
2006-10-30 19:00 -------- d-------- C:\Program Files\LimeWire
2006-10-30 18:59 359112 --a------ C:\Program Files\LimeWire.exe
2006-10-26 14:10 33088 --a------ C:\WINDOWS\system32\FM20ENU.DLL
2006-10-26 14:10 1190688 --a------ C:\WINDOWS\system32\FM20.DLL
2006-10-26 13:45 293376 --a------ C:\WINDOWS\system32\WISPTIS.EXE
2006-10-26 13:45 207360 --a------ C:\WINDOWS\system32\INKED.DLL
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\cxoarbgk.dll\",setvm"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"Mn@iboddPubswLfov"=dword:00000000
"Mn@mlrf"=dword:00000000
"MnOndNeg"=dword:00000000
"MnQtm"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"="C:\\Program Files\\Common Files\\Microsoft Shared\\Translat\\LicenseManager.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-30 15:29:49.92
C:\ComboFix.txt ... 06-12-30 15:29
C:\ComboFix2.txt ... 06-12-29 19:01

----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:48:41 PM, on 12/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\K-Meleon\loader.exe
C:\Program Files\K-Meleon\k-meleon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6539A68-4617-45AD-98A0-61BAA65250D2}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Thanks for providing these clear and concise instructions. There is almost too much detail lol.
Dustin Penner is the new Jaromir Jagr.

#6 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:49 PM

Posted 31 December 2006 - 03:39 AM

Hi, thanks for the logs.
  • Now we'll need to remove a couple of registry entries.
  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text below (inside the box) to Notepad.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"=-
  • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
Select Fix Checked.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
"Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update to the latest version..."
  • Download the latest version of Java Runtime Environment (JRE) 6.0 from here
  • Scroll down to where it says "Windows Offline Installation"
  • Click the "Download" button to the right.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name:
    Java 1.5.0.5
    Java 1.5.0.6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on Java to install the newest version.
**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**¨''¨**
Please send a fresh HJT-log, thanks.

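As an added example (not kairis's code and not part of this thread), a small Python helper that does the two things this post does by hand: it diffs two HijackThis logs to confirm an entry is really gone, flags O4 entries where rundll32 loads a random-looking DLL out of system32 (a heuristic only), and builds the REGEDIT4 text that deletes one Run value. The two log excerpts are constructed from the logs posted in this thread.

```python
import ntpath
import re

# Constructed excerpts modelled on the first and second HJT logs in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cxoarbgk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r'^O\d+ - ')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
# HJT abbreviates the autostart hives; expand the two that appear in this thread.
RUN_KEYS = {
    r'HKLM\..\Run': r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKCU\..\Run': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
}

def hjt_entries(log):
    """Set of HijackThis item lines (O2, O4, O23, ...) found in a log."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}

def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    b, a = hjt_entries(before), hjt_entries(after)
    return sorted(b - a), sorted(a - b)

def parse_o4(log):
    """O4 autostart entries as dicts with hive, value name and command line."""
    matches = (O4_RE.match(ln.strip()) for ln in log.splitlines())
    return [m.groupdict() for m in matches if m]

def looks_random(stem):
    """Heuristic for generated DLL names such as cxoarbgk: 8+ lowercase letters
    containing a run of four non-vowels. A tripwire for review, not a verdict."""
    return (len(stem) >= 8 and stem.isalpha() and stem.islower()
            and re.search(r'[^aeiou]{4}', stem) is not None)

def suspicious_rundll(cmd):
    """True when the command is rundll32 loading a random-named DLL from system32."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return False
    dll = m.group('dll')
    stem = ntpath.splitext(ntpath.basename(dll))[0]
    return '\\system32\\' in dll.lower() and looks_random(stem)

def flag_entries(log):
    """Value names of O4 entries worth a second look."""
    return [e['name'] for e in parse_o4(log) if suspicious_rundll(e['cmd'])]

def reg_removal(hive, name):
    """REGEDIT4 text that deletes one Run value ("=-"), like the FixME.reg above.
    CRLF line endings and a trailing blank line, which regedit expects."""
    return 'REGEDIT4\r\n\r\n[{}]\r\n"{}"=-\r\n\r\n'.format(RUN_KEYS[hive], name)

if __name__ == '__main__':
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print('suspicious before fix:', flag_entries(LOG_BEFORE))
    print('removed:', *removed, sep='\n  ')
    print('added:', *added, sep='\n  ')
    for e in parse_o4(LOG_BEFORE):
        if suspicious_rundll(e['cmd']):
            print(reg_removal(e['hive'], e['name']))
```

Run it against two real logs saved to disk instead of the embedded excerpts to see which autostart entries a fix actually removed and which a fresh install (here, Java) added.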
#7 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 02 January 2007 - 01:54 AM

Description: I don't seem to have the rundll startup error anymore. I took the risk of opening the IE browser and received no virus alerts from either AVG or ZoneAlarm. Not really much else to say unless there is something else I forgot to check or try. I could not find the cxoarbgk.dll file in the HJT scan.

-------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:47:09 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\K-Meleon\loader.exe
C:\Program Files\K-Meleon\k-meleon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6539A68-4617-45AD-98A0-61BAA65250D2}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by rsd79, 02 January 2007 - 02:05 AM.

Dustin Penner is the new Jaromir Jagr.

#8 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:49 PM

Posted 02 January 2007 - 02:34 AM

Howdy there, your log now appears to be free from malware.

Let's now hide your system files once again to prevent any accidental deletion or modification of them.

Click the Start menu .
Select My Computer.
Select Tools menu
Click Folder Options.
Select the View Tab.
Uncheck Show hidden files and folders in the Hidden files and folders section.
Select Hide protected operating system files (recommended) option.
Place a check in Hide extensions for known file types
Click on apply.
Now click OK

Now let's reset your restore points.

Right-click My Computer and select the Properties tab
Next select the restore tab
Place a check in Turn off system restore on all drives
Reboot your computer
Now go back to the restore tab once again
Take the check out of Turn off system restore on all drives
Finally reboot your computer once more

General words of advice....

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Go to start -> run -> type in inetcpl.cpl
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Make sure your antivirus program is up to date with the latest definitions. If your definitions are running out and you do not wish to carry on your subscription for any reason, then here's a couple of alternative virus checkers you may like to review and use for yourself. Please note that this is not a complete list, just a couple of suggestions (in no order of preference).

Free AntiVirus Checkers
Avast - AntiVIR - Active Virus Shield? - AVG Free

Licenced AntiVirus Checkers
Kaspersky - ESET Nod32 - Bit Defender

Make sure that you have a resident firewall. The default Windows firewall only blocks traffic in one direction, which leaves trojans able to phone home. More information about firewalls is available here -> Understanding and Using Firewalls
Free Firewall Products
Zonealarm Free - Comodo Firewall - Sunbelt Kerio Firewall - Jetico Firewall - Blink Firewall

Other Security Tools....
AVG Anti Spyware - Removes all signs of malware from your computer
Spyware Blaster by Javacool - Runs resident in the background protecting internet
Adaware SE Personal from lavasoft - Provides protection and removal of trojans, dialers, malware, browser hijackers, and tracking components
Spybot's Search & Destroy - Detects and removes spyware of different kinds from your computer

Keep your temp files clear by using automated software such as ATF Cleaner (make sure all windows are closed before running this tool)

You may also like to use a host file, information on Host files can be found here - The Hosts File and what it can do for you

#9 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 02 January 2007 - 02:55 AM

I am using ZoneAlarm Firewall. For viruses I am using a licensed copy of AVG that is up to date. For the registry changes I was using Spybot TeaTimer, which I will re-activate soon. I have heard that running multiple anti-virus programs at once can slow down your system. Do you think I should run any of the programs that you have listed, minus the ones I am already using? I also changed the System Restore and IE security settings just like you had instructed. I may be biased, but I totally recommend you to anyone with virus problems.

Thank you so much, Kairis, for helping me out and enlightening my knowledge of this pesky malware.

Edited by rsd79, 02 January 2007 - 02:56 AM.

Dustin Penner is the new Jaromir Jagr.

#10 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:49 PM

Posted 02 January 2007 - 12:46 PM

Hello. You're welcome, I'm glad I could help.
My opinion is that SpywareBlaster is the best...
Spyware Blaster - Runs resident in the background protecting internet.

You can delete all of the tools that I had you download for us to use.

Happy New Year and best wishes for this year.

#11 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 04 January 2007 - 06:43 PM

I seem to have a new problem for my laptop. I regularly get popups from coolweb, which wants to connect to the internet through dial-up connection.
Dustin Penner is the new Jaromir Jagr.

#12 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:49 PM

Posted 05 January 2007 - 03:50 AM

Hi.
Please send a fresh HJT-log, thanks.

#13 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 06 January 2007 - 03:03 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:48:27 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\K-Meleon\loader.exe
C:\Program Files\K-Meleon\k-meleon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: K-Meleon Loader.lnk = C:\Program Files\K-Meleon\loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6539A68-4617-45AD-98A0-61BAA65250D2}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Dustin Penner is the new Jaromir Jagr.

#14 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:01:49 PM

Posted 08 January 2007 - 06:30 AM

Please try this:
Download and Install CWShredder© by Trend Micro Inc.
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder.
******************************************************************************
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears.
    If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
    To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
******************************************************************************
Run CWShredder
Let's run the tool we downloaded in the first step and eliminate CWShredder.
Open CWShredder that you downloaded. Close all browser windows and click on the fix/next button.

#15 rsd79

rsd79
  • Topic Starter

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oilers Country
  • Local time:03:49 AM

Posted 18 January 2007 - 03:06 AM

I ran the CWShredder tool but it found nothing. Therefore, I manually deleted the "coolweb" file in the "Network Connections" folder. It has been two days since I last encountered a coolweb popup, so I believe I am good to go.
Dustin Penner is the new Jaromir Jagr.
