Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rotten Malware Needs Treatment


  • This topic is locked This topic is locked
9 replies to this topic

#1 Coverpoint

Coverpoint

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 17 January 2007 - 03:35 AM

Hi, First post for me. On start up Trend Micro PC-illin 2007 gives me a popup "Computer virus found Infected file WIN32HOST.EXE, Virus BKDR Generic. I am not able to fix it with heir protocol or with Adware, Spybot etc. The popup come up every 7 secs and is driving me crazy.


Here is the Hijackthis file
Logfile of HijackThis v1.99.1
Scan saved at 4:39:59 PM, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\win32host.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tsc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...UJEHQlDQXqonxU=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.16.0.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: (no name) - {821F87FF-8245-4972-9E28-732E92EC2F51} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\scuevbad.dll",setvm
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINDOWS\system32\lviss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Can you help?

BC AdBot (Login to Remove)

 


m

#2 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:03:04 PM

Posted 17 January 2007 - 05:23 AM

Please download and run http://www.thespykiller.co.uk/files/HJTsetup.exe

It will install hijackthis in C:\Program Files\Hijackthis
Navigate to that folder and rename hijackthis.exe into FixVundo.exe
Run it, do another log and post it in your next reply.

#3 Coverpoint

Coverpoint
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 17 January 2007 - 08:37 PM

Thank you for your help with this and for your clear instructions. I have done as you have suggested and I attach the repeat log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:18 AM, on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\win32host.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Hijackthis\FixVundo.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tsc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...UJEHQlDQXqonxU=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.16.0.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76D478C5-D4B2-46DD-9E22-F629E486D70B} - C:\WINDOWS\Microsoft.NET\rulrdv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\xklyirad.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\scuevbad.dll",setvm
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rulrdv - C:\WINDOWS\Microsoft.NET\rulrdv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINDOWS\system32\lviss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Still seems to have the infected file?

#4 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:03:04 PM

Posted 18 January 2007 - 03:07 AM

heya :thumbsup:

Please download
VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Right-click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • Paste in the first field : C:\WINDOWS\Microsoft.NET\rulrdv.dll
  • Paste in the second field : C:\WINDOWS\Microsoft.NET\vdrlur.*
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will shutdown your computer,
    click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new
    HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download and scan with CCleaner
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.


In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Be sure to post all logs

#5 Coverpoint

Coverpoint
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 18 January 2007 - 04:28 AM

Hi Youngun,
Done as you suggested. Here is the Vundofix.txt:


VundoFix V6.3.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 7:29:11 PM 18/01/2007

Listing files found while scanning....

C:\WINDOWS\Microsoft.NET\rulrdv.dll
C:\WINDOWS\Microsoft.NET\vdrlur.bak1
C:\WINDOWS\Microsoft.NET\vdrlur.bak2
C:\WINDOWS\Microsoft.NET\vdrlur.ini
C:\WINDOWS\Microsoft.NET\vdrlur.ini2
C:\WINDOWS\Microsoft.NET\vdrlur.tmp
C:\WINDOWS\system32\avtyhvkj.dll
C:\WINDOWS\system32\cinnmryw.dll
C:\WINDOWS\system32\dabveucs.ini
C:\WINDOWS\system32\fjyrdhkt.dll
C:\WINDOWS\system32\grfvwnym.dll
C:\WINDOWS\system32\gubmfhto.dll
C:\WINDOWS\system32\gvnjpbhf.dll
C:\WINDOWS\system32\hescdqwa.dll
C:\WINDOWS\system32\mindepys.dll
C:\WINDOWS\system32\pillwmus.dll
C:\WINDOWS\system32\qwymkcex.dll
C:\WINDOWS\system32\rxyspkuy.dll
C:\WINDOWS\system32\scuevbad.dll
C:\WINDOWS\system32\sixagikn.dll
C:\WINDOWS\system32\upybaxav.dll
C:\WINDOWS\system32\vjaierni.dll
C:\WINDOWS\system32\xklyirad.dll
C:\WINDOWS\system32\ytvekddf.dll
C:\WINDOWS\system32\yxaydwmc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\Microsoft.NET\rulrdv.dll
C:\WINDOWS\Microsoft.NET\rulrdv.dll Has been deleted!

Attempting to delete C:\WINDOWS\Microsoft.NET\vdrlur.bak1
C:\WINDOWS\Microsoft.NET\vdrlur.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Microsoft.NET\vdrlur.bak2
C:\WINDOWS\Microsoft.NET\vdrlur.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Microsoft.NET\vdrlur.ini
C:\WINDOWS\Microsoft.NET\vdrlur.ini Has been deleted!

Attempting to delete C:\WINDOWS\Microsoft.NET\vdrlur.ini2
C:\WINDOWS\Microsoft.NET\vdrlur.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Microsoft.NET\vdrlur.tmp
C:\WINDOWS\Microsoft.NET\vdrlur.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\avtyhvkj.dll
C:\WINDOWS\system32\avtyhvkj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cinnmryw.dll
C:\WINDOWS\system32\cinnmryw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dabveucs.ini
C:\WINDOWS\system32\dabveucs.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fjyrdhkt.dll
C:\WINDOWS\system32\fjyrdhkt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\grfvwnym.dll
C:\WINDOWS\system32\grfvwnym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gubmfhto.dll
C:\WINDOWS\system32\gubmfhto.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gvnjpbhf.dll
C:\WINDOWS\system32\gvnjpbhf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hescdqwa.dll
C:\WINDOWS\system32\hescdqwa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mindepys.dll
C:\WINDOWS\system32\mindepys.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pillwmus.dll
C:\WINDOWS\system32\pillwmus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qwymkcex.dll
C:\WINDOWS\system32\qwymkcex.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rxyspkuy.dll
C:\WINDOWS\system32\rxyspkuy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\scuevbad.dll
C:\WINDOWS\system32\scuevbad.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sixagikn.dll
C:\WINDOWS\system32\sixagikn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\upybaxav.dll
C:\WINDOWS\system32\upybaxav.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjaierni.dll
C:\WINDOWS\system32\vjaierni.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xklyirad.dll
C:\WINDOWS\system32\xklyirad.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ytvekddf.dll
C:\WINDOWS\system32\ytvekddf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxaydwmc.dll
C:\WINDOWS\system32\yxaydwmc.dll Has been deleted!

Performing Repairs to the registry.
Done!


Here is the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:55:42 PM, on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\win32host.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Hijackthis\FixVundo.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tsc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...UJEHQlDQXqonxU=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.16.0.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76D478C5-D4B2-46DD-9E22-F629E486D70B} - C:\WINDOWS\Microsoft.NET\rulrdv.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\xklyirad.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINDOWS\system32\lviss.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Cheers.

#6 Coverpoint

Coverpoint
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 18 January 2007 - 07:23 AM

Sorry didn't read all your post. Here is the report from SD Fix;


SDFix: Version 1.59

Thu 18/01/2007 - 20:49:30.70

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

Win32Kernel
Windows PE Debugger

Path:

"C:\WINDOWS\win32host.exe"
"C:\WINDOWS\system32\lviss.exe"

Win32Kernel Deleted
Windows PE Debugger Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\win32host.exe - Deleted



Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\qnvef.exe"="C:\\qnvef.exe:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"c:\\qnvef.exe"="C:\\qnvef.exe:*:Enabled:Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\ntdetect.com
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Internet Explorer\iexplore.exe.local
C:\Program Files\Microsoft Office\Office10\winword.exe.local
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Stephen Judd\My Documents\Jo's English Tax\~WRL3923.tmp
C:\Documents and Settings\Stephen Judd\My Documents\Jo's English Tax\~WRL4045.tmp
C:\Documents and Settings\Stephen Judd\My Documents\RACP\CFE\Written Exams\~WRL0004.tmp
C:\Documents and Settings\Stephen Judd\My Documents\Tax Finance\Jo's English Tax\~WRL3923.tmp
C:\Documents and Settings\Stephen Judd\My Documents\Tax Finance\Whittaker Services Ltd\~WRL0001.tmp

Finished

and here is the text file from Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 18, 2007 10:50:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/01/2007
Kaspersky Anti-Virus database records: 259318
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59514
Number of viruses found: 11
Number of infected objects: 61 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:33:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen Judd\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\history.dat Object is locked skipped
C:\Documents and Settings\Stephen Judd\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\parent.lock Object is locked skipped
C:\Documents and Settings\Stephen Judd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Application Data\Mozilla\Firefox\Profiles\i3mnycme.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Judd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen Judd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stephen Judd\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\3.tmp Infected: Backdoor.Win32.SdBot.xd skipped
C:\Program Files\True Sword 4\backuped\0\atsmwgqh.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP202\A0044714.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP203\A0044773.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP206\A0044956.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP207\A0045004.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP208\A0045030.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP209\A0045055.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP209\A0045083.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP211\A0045176.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP212\A0045245.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP213\A0045266.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP213\A0045297.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP213\A0045328.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP214\A0045372.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP214\A0045376.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP217\A0045496.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP217\A0045508.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP224\A0045980.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP227\A0047012.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP241\A0047426.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049114.dll Object is locked skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049115.exe Infected: Trojan-Proxy.Win32.Agent.hd skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049152.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049153.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049154.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049156.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049157.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049158.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049159.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049160.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049161.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049162.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049164.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049165.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049166.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049167.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049168.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP256\A0049169.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP257\change.log Object is locked skipped
C:\tdz.exe Infected: Trojan-Downloader.Win32.Adload.fu skipped
C:\VundoFix Backups\avtyhvkj.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\cinnmryw.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\fjyrdhkt.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\gubmfhto.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\gvnjpbhf.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\hescdqwa.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\mindepys.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\pillwmus.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\qwymkcex.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\rxyspkuy.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\scuevbad.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\VundoFix Backups\sixagikn.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\upybaxav.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\vjaierni.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\xklyirad.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\ytvekddf.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\VundoFix Backups\yxaydwmc.dll.bad Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bltpcsyw.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\brpoyamp.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ecreaahw.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\WINDOWS\system32\fhewydtl.dll Object is locked skipped
C:\WINDOWS\system32\ggpxwbaj.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\lhtfubjt.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\lnqyladk.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\oryaritb.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\qvhusibx.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\samhlrig.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\usudfxrd.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ytelbipq.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Looking better. What do you think?

#7 Coverpoint

Coverpoint
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 19 January 2007 - 12:11 AM

Hi again Youngun,
I think your suggestions have fixed the problem. Here is the latest Hijackthis file for you to check. Thanks very much for your help with this.

Logfile of HijackThis v1.99.1
Scan saved at 3:35:46 PM, on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\FixVundo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...UJEHQlDQXqonxU=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.16.0.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76D478C5-D4B2-46DD-9E22-F629E486D70B} - C:\WINDOWS\Microsoft.NET\rulrdv.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\xklyirad.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#8 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:03:04 PM

Posted 19 January 2007 - 02:38 AM

Looking better :thumbsup:

Just a few more things :

Open hijackthis and fix the following lines :



O2 - BHO: (no name) - {76D478C5-D4B2-46DD-9E22-F629E486D70B} - C:\WINDOWS\Microsoft.NET\rulrdv.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\xklyirad.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Download KILLBOX, extract it to your desktop.

Open killbox.exe.

First

Click on Tools>Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then,,

Check on the Button titled "Delete Selected Temp Files"

Exit by clicking the Button titled "Exit(Save Settings)"

Once back into the main killbox program.

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\system32\ecreaahw.exe
C:\WINDOWS\system32\fhewydtl.dll
C:\WINDOWS\system32\ggpxwbaj.exe
C:\WINDOWS\system32\lhtfubjt.exe
C:\WINDOWS\system32\lnqyladk.exe
C:\WINDOWS\system32\oryaritb.exe
C:\WINDOWS\system32\qvhusibx.exe
C:\WINDOWS\system32\samhlrig.exe
C:\WINDOWS\system32\usudfxrd.exe
C:\WINDOWS\system32\ytelbipq.exe


Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes

A second message will ask to Reboot now? you will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot

Re-post a last hijackthis log with a description of how things are going.

#9 Coverpoint

Coverpoint
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 PM

Posted 19 January 2007 - 04:05 AM

All done as suggested. Here is the latest HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:28 PM, on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\FixVundo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...UJEHQlDQXqonxU=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.16.0.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#10 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:03:04 PM

Posted 19 January 2007 - 11:51 AM

Great, everything looks :thumbsup:

One more thing though :

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

And you are all set!

I'm locking this topic since the issue has been resolved.
If you ever should need this topic re-opened, please private message a moderator. (this applies to the original topic starter)
Everybody else please start a new thread with your issue.

Now that your system is clean you should PURGE your old System Restore points and start with a fresh restore point. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside.

Disable System Restore and then Enable System Restore to purge the old restore points. When you enable the System Restore feature again, System Restore will create a new restore point and then resume monitoring your computer. To do this:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Check "Turn off System Restore on all drives" and select "Apply". Now uncheck "Turn off System Restore on all drives", select "OK", and restart your system.

Instructions for XP: http://www.theeldergeek.com/system_restore.htm

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer.

2. Prevent spyware, homepage hijacking and increase your browser security by using the following free programs:

SpywareGuard
SpywareBlaster
IE-SPYAD

3. Prevention and Protection Tips:

"Help Preventing Spyware" by Pieter Arntz [aka: Metallica] for detailed instructions on how to install and use the above preventive tools.
"How to Protect yourself from malware!" and download a FREE anti-spyware, Firewalls and security tools from ONE LOCATION.
"How did I get infected in the first place?" by Tony Klein.
"THE PARASITE FIGHT: Finding, Removing & Protecting Yourself From Scumware"
"Basic understanding of security" by me, Victor C. aka YounGun for an introduction into the security world.

4. Safer Internet Explorer Settings:

"Safer Settings for Internet Explorer for SP1 & SP2" by Larry Stevenson [aka: Prince_Serendip]
"How to Configure Enhanced Security Features for Internet Explorer in XP SP2".

5. Increase Your Computer Stability and Overall Security

"COMPUTER HEALTH: Getting greater stability from Windows".
"Secure Your Home Computer" by TomCat for a comprehensive overview on how to keep your computer safe.

6. Confused about which apps are good or not? Read "Rogue/Suspect Anti-Spyware Products".




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users