Vundo And Smitfraud Removed?


13 replies to this topic

#1 Dallient Climber

Posted 17 January 2007 - 03:40 PM

I had some sort of trojan and, with the help of your forums, I think I was able to remove it (Thanks :thumbsup: ). I was hoping you could take a look at my HijackThis log to make sure I didn't miss anything. Here is what I ran into while trying to find the source of my popups:

Symantec: found and removed Trojan.Nebuler; found but could not remove Trojan.Vundo.

Ad-Aware and Spybot found and removed the following, which would always come back: Softomatic toolbar, smitfraud-c toolbar888, Yazzle Sodoku, winsoftware winantiviruspro2006.

I was getting all sorts of popups and fake error messages. I also think that Google was being hijacked, because my regular searches now had new results from advertising and search sites as the first results that were never there before.

I ran VundoFix and SmitfraudFix and they seem to have done the job; when I run Ad-Aware and Spybot I get no results, so I think I may have gotten to the source of the problems. Here is my HJT log after I used the two fixes:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:29 PM, on 1/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57A62825-840C-4FFE-8717-80A308558154} - C:\WINNT\system32\pmnmnml.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\aemvarvq.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {D7F0D309-CC76-4D1A-A905-B0DBD30847AE} - C:\WINNT\system32\ddccy.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0191339b00579f...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

If anyone sees anything that I missed please help me out. Like I said, my machine seems to be running fine now, but I don't know if there is something sneaky running that I am not aware of.

Thanks for all the help!! :flowers:

DC

#2 htv8

Posted 17 January 2007 - 03:50 PM

Hello Dallient Climber, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

Posted 19 January 2007 - 09:22 AM

IMPORTANT
You have a Sdbot trojan backdoor infection. W32/Sdbot-LM is a worm which attempts to spread to remote network shares. It also contains backdoor trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
It spreads to network shares with weak passwords as a result of the backdoor trojan element receiving the appropriate command from a remote user.

Due to the status of some of the files you have on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable - for email, banks, eBay, forums, etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Go to Start > Settings > Control Panel > Add/Remove Programs and uninstall Spyware Terminator. It's a suspect/rogue anti-spyware program, not recommended for anti-spyware protection.
For more information, see this reference: The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites.

Step #2
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {57A62825-840C-4FFE-8717-80A308558154} - C:\WINNT\system32\pmnmnml.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\aemvarvq.dll (file missing)
O2 - BHO: (no name) - {D7F0D309-CC76-4D1A-A905-B0DBD30847AE} - C:\WINNT\system32\ddccy.dll (file missing)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0191339b00579f...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

HijackThis will ask you to reboot. Please do so. If not, reboot your computer manually.

Step #3
We need to use HijackThis to delete a service. Please perform these instructions:
1. Close all programs so that you are at your Desktop.
2. Launch HijackThis.
3. Click on the Config... button.
4. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
5. Click once on the button labelled "Delete an NT service...".
6. Copy the entire contents inside the CODE box below and paste them into the empty box provided.
COM+ Messages
7. Press the OK button.
8. Close HijackThis.

Step #4
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):
C:\windows\system32\blank.htm
C:\WINNT\system32\pmnmnml.dll
C:\WINNT\system32\aemvarvq.dll
C:\WINNT\system32\ddccy.dll
C:\Program Files\Spyware Terminator <-- this folder
C:\WINNT\system32\svchosts.exe - WARNING: Do NOT mistakenly delete the legit svchost.exe file - without an 's' at the end - that is located in the same folder. Notice the difference: svchosts.exe (with an 's') is the bad file you need to delete.

Reboot your computer to boot back into normal mode.

Step #5
Go to Start > Settings > Control Panel > Network and Dial-up Connections.
Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button labelled "Obtain DNS servers automatically".
Click OK twice and restart your computer.

Step #6
Go to Start > Run. In the Run: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy/paste the entire contents inside the QUOTE box below into the command window:

ipconfig /flushdns

Hit Enter and exit the Command Prompt.

Step #7
Please download Combofix and save it to your Desktop.
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall!

Step #8
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

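The rules htv8 applied by eye above (BHOs and services pointing at files that are already gone, the svchosts.exe lookalike of svchost.exe, the O17 Domain overrides, the unnamed O16 download and the C:\windows\system32 path on a C:\WINNT machine) can be run as a small triage script. This is an added example, not code from the thread or from HijackThis; it assumes a Windows 2000 layout with SystemRoot C:\WINNT, and the sample log reuses entries posted above plus one constructed O4 line (the [Messenger Service] entry) built from the odd svchost.exe path in the ComboFix output.

```python
import re

# Assumption: a Windows 2000 machine, so SystemRoot is C:\WINNT as in the posted logs.
SYSTEM_ROOT = r"c:\winnt"
SYSTEM_DIRS = (SYSTEM_ROOT, SYSTEM_ROOT + r"\system32")
# Core Windows binaries whose names malware likes to imitate or reuse elsewhere.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<type>R\d|O\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys|htm))', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; 1 means one keystroke away (svchosts vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(line):
    """Return (severity, entry_type, reason) for one HijackThis line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    typ, body = m.group("type"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(1).lower() if pm else None
    if path:
        folder, _, name = path.rpartition("\\")
        if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            return ("high", typ, "system binary name outside its system folder: " + path)
        for known in SYSTEM_BINARIES:
            if name != known and edit_distance(name, known) == 1:
                return ("high", typ, "lookalike of " + known + ": " + path)
        if "\\system32\\" in path and not path.startswith(SYSTEM_ROOT):
            return ("review", typ, "system32 path outside this machine's SystemRoot: " + path)
    if "(file missing)" in body and ("(no name)" in body or "Unknown owner" in body):
        return ("medium", typ, "unnamed or unowned entry whose file is already gone")
    if typ == "O17":
        return ("review", typ, "TCP/IP Domain override; confirm the domain is expected")
    if typ == "O16" and not re.search(r"\} \(", body):
        return ("review", typ, "ActiveX download (DPF) with no friendly name")
    if typ == "R3" and "missing" in body:
        return ("low", typ, "URLSearchHook missing, a common leftover of a removed hijacker")
    return None


def triage(log_text):
    """Run every line of a log through check_entry and keep the hits with their line."""
    findings = []
    for line in log_text.splitlines():
        hit = check_entry(line)
        if hit:
            findings.append(hit + (line.strip(),))
    return findings


# Entries copied from the first log in this thread, plus one constructed O4 line
# (the [Messenger Service] entry) reusing the svchost.exe path ComboFix reported.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57A62825-840C-4FFE-8717-80A308558154} - C:\WINNT\system32\pmnmnml.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\aemvarvq.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: (no name) - {D7F0D309-CC76-4D1A-A905-B0DBD30847AE} - C:\WINNT\system32\ddccy.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Messenger Service] "C:\Program Files\Common Files\svchost.exe"
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0191339b00579f...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for severity, typ, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {typ:3} {reason}\n         {line}")
```

Entries the script stays silent on (the Spybot SDHelper BHO, the ACT BHO that has a name, the Symantec service) match the ones htv8 left alone; the SystemRoot assumption is the one thing to adjust on a machine installed under C:\WINDOWS.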

#4 Dallient Climber


Posted 19 January 2007 - 12:17 PM

Thanks for your help!!! Here is the combofix log:

"xxxxx" - Fri 01/19/2007 10:10:06 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\xxxxx\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINNT\system32\unsvchosts.lzma
C:\Program Files\Common Files\{2C832~1
C:\Program Files\Common Files\{2C832~2
C:\Program Files\Common Files\{3C832~1
C:\Program Files\Outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\xxxxx
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1\winword.exe
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1\??sks


((((((((((((((((((((((((((((((( Files Created from 2006-12-19 to 2007-01-19 ))))))))))))))))))))))))))))))))))


2007-01-19 09:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-19 08:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-17 13:55 2,822 --a------ C:\WINNT\system32\tmp.reg
2007-01-17 12:43 75,512 --a------ C:\WINNT\zllsputility.exe
2007-01-17 12:43 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-01-17 12:42 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-01-17 12:42 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-01-17 12:41 <DIR> d-a------ C:\WINNT\Internet Logs
2007-01-17 11:54 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-01-17 11:46 <DIR> d-------- C:\HJT
2007-01-17 10:40 97,792 --a------ C:\VundoFix.exe
2007-01-17 10:40 <DIR> d-------- C:\VundoFix Backups
2007-01-17 10:03 60,416 --a------ C:\WINNT\system32\qpnzv.dll
2007-01-17 09:10 155,648 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-17 09:07 76,412 --a------ C:\WINNT\system32\hmbgtihh.dll
2007-01-17 08:34 <DIR> d-------- C:\DOCUME~1\xxxxx\.housecall6.6
2007-01-17 08:11 2 --a------ C:\WINNT\system32\wnsapisv.exe
2007-01-16 16:09 <DIR> d-------- C:\WINNT\Downloaded Installations
2007-01-16 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-16 08:40 <DIR> d-------- C:\Program Files\SpywareBot
2007-01-05 14:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-05 14:48 <DIR> d-------- C:\DOCUME~1\mboland\Application Data\Lavasoft
2007-01-05 10:08 <DIR> d-a------ C:\Program Files\Spyware Terminator
2007-01-05 09:59 <DIR> d-------- C:\WINNT\qfur
2007-01-05 09:52 <DIR> d-------- C:\Program Files\ToniArts
2007-01-05 09:35 <DIR> d-------- C:\Program Files\Google
2007-01-05 09:35 <DIR> d-------- C:\DOCUME~1\xxxxx\Application Data\Google
2007-01-05 09:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-05 09:28 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\UserData
2006-12-21 09:02 <DIR> d-------- C:\DOCUME~1\mboland\Application Data\Opera
2006-12-21 08:34 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2006-12-21 08:33 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-12-19 17:35 2,174,976 --a------ C:\WINNT\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-19 10:10 1682 --ahs---- C:\WINNT\system32\kgygaavl.sys
2007-01-19 10:09 -------- d-------- C:\Program Files\symantec antivirus
2007-01-17 12:42 -------- d-------- C:\Program Files\quicktime
2007-01-17 12:38 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-17 11:25 -------- d---s---- C:\DOCUME~1\xxxxx\Application Data\microsoft
2007-01-16 11:11 -------- d-------- C:\DOCUME~1\xxxxx\Application Data\adobeum
2007-01-05 09:52 -------- d--h----- C:\Program Files\installshield installation information
2007-01-05 09:52 -------- d-------- C:\Program Files\Common Files\installshield
2006-12-21 09:59 -------- d-------- C:\DOCUME~1\xxxxx\Application Data\adobe
2006-12-21 08:37 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-18 15:11 -------- d-------- C:\Program Files\spss
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Act! Preloader"="\"C:\\Program Files\\ACT\\ACT for Windows\\Act8.exe\" -stayrunning"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57A62825-840C-4FFE-8717-80A308558154}"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070119-094131-996
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
backup-20070119-094131-691
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
backup-20070119-094131-259
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
backup-20070119-094131-344
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0191339b00579f...ip/RdxIE601.cab
backup-20070119-094131-698
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
backup-20070119-094131-145
O2 - BHO: (no name) - {D7F0D309-CC76-4D1A-A905-B0DBD30847AE} - C:\WINNT\system32\ddccy.dll (file missing)
backup-20070119-094131-878
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\aemvarvq.dll (file missing)
backup-20070119-094131-253
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20070119-094131-428
R3 - Default URLSearchHook is missing
backup-20070119-094131-242
O2 - BHO: (no name) - {57A62825-840C-4FFE-8717-80A308558154} - C:\WINNT\system32\pmnmnml.dll (file missing)
backup-20070119-094131-336
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
Completion time: Fri 2007-01-19 10:15:04

And my HJT Log:

Oops, I just realized I don't have my HJT log with me; it's on the infected computer. I'll get that to you ASAP.

Sorry

DC

#5 Dallient Climber


Posted 19 January 2007 - 02:02 PM

OK, sorry about that. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:15, on 07-01-19
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\HJT\HijackThis.exe
C:\WINNT\system32\cmd.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

In my ComboFix log I replaced personal info with xxxxx, but I'm sure you figured that out. Please let me know what to do next. Thanks for your help.

DC

#6 htv8


Posted 20 January 2007 - 09:51 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Go to Start > Settings > Control Panel > Add/Remove Programs and uninstall the following programs (if they are listed):
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN

... or anything similar with Oin in its name.

NOTE: Remember that these programs may require you to reboot your computer to complete the uninstallation - just let them.

Step #2
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com


Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #3
Go to Start > Run and copy/paste each of the following lines in the Run: field, followed by pressing the Enter key after each line:
regsvr32 /u C:\WINNT\system32\qpnzv.dll
regsvr32 /u C:\WINNT\system32\hmbgtihh.dll

Step #4
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):

C:\WINNT\system32\qpnzv.dll
C:\Program Files\Common Files\svchost.exe
C:\WINNT\system32\hmbgtihh.dll
C:\WINNT\system32\wnsapisv.exe
C:\Program Files\Spyware Terminator <-- this folder
C:\WINNT\qfur <-- this folder
C:\Program Files\spss <-- this folder

Reboot your computer to boot back into normal mode.

Step #5
Copy the entire contents inside the CODE box below into Notepad. Then click File > Save and save as remove.reg (save as type: All files) to the Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57A62825-840C-4FFE-8717-80A308558154}"=-

Go to the Desktop and double-click remove.reg. When prompted to merge its contents to the registry, click the Yes button.

Step #6
Go to Start > Settings > Control Panel > Network and Dial-up Connections.
Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button labelled "Obtain DNS servers automatically".
Click OK twice and restart your computer.

Step #7
Go to Start > Run. In the Run: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy/paste the entire contents inside the QUOTE box below into the command window:

ipconfig /flushdns

Hit Enter and exit the Command Prompt.

Step #8
Please download Combofix and save it to your Desktop (if it is not on your Desktop already).
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall!

Step #9
Please provide me an uninstall list by performing these instructions:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the button labelled "Open Uninstall Manager...". You'll see a list of currently installed programs.
5. Click on the button labelled "Save list..." and specify where you would like to save the uninstall list.

When you press the Save button, Notepad will open up with the contents of that file. Copy and paste the contents of that Notepad file as a reply to this topic.

Step #10
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


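The reply above asks for a fresh HijackThis log after each round of fixes, and the O17 lines it tells the poster to fix are the kind of entry that is easy to misread by eye. The following is an added example, not code from this topic or from HijackThis: a small Python reader for HJT finding lines that collects the O17 Tcpip\Parameters settings, flags "(file missing)" registrations, and diffs two scans so you can confirm that a fix removed exactly what it should and nothing else. The two sample logs are constructed for the example from lines of the same shape as those posted here; the "after" log is written so that the O17 lines are gone and AVG Anti-Spyware has been installed.

```python
r"""Structured review of HijackThis (HJT) log lines.

Added example; it is not part of this topic and not code from HijackThis.
It parses the "Oxx - ..." finding lines, collects the O17 Tcpip\Parameters
settings the instructions above ask the poster to fix, flags entries whose
target file is missing, and diffs two scans so a round of fixes can be
checked line by line. The two sample logs are constructed for this example
from lines of the same shape as the ones posted in this topic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A finding line looks like "O17 - HKLM\System\CCS\...: Domain = dol.com".
# HJT sections are R0-R3, F0-F3, N1-N4 and O1-O24; the header and the
# running-process list above the findings do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # "O4", "O17", "O23", ...
    body: str     # everything after "Oxx - "

    @property
    def file_missing(self) -> bool:
        # HJT appends "(file missing)" when a registered DLL/EXE is not on
        # disk: a dead registration worth cleaning up, but not live code.
        return self.body.endswith("(file missing)")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the finding lines of an HJT log as HjtEntry records, in log order."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body")))
    return entries


def o17_settings(entries: list[HjtEntry]) -> dict[str, set[str]]:
    """Collect O17 values (Domain, NameServer, ...) across all control sets.

    A Domain or NameServer you do not recognise here is how DNS and
    search-suffix hijacks show up; a corporate suffix you do recognise,
    as asked about later in this topic, is expected and should stay.
    """
    found: dict[str, set[str]] = {}
    for e in entries:
        if e.section != "O17":
            continue
        # "HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com"
        _, _, setting = e.body.partition(": ")
        name, _, value = setting.partition(" = ")
        found.setdefault(name, set()).add(value)
    return found


def missing_files(entries: list[HjtEntry]) -> list[HjtEntry]:
    """Entries whose registered file no longer exists on disk."""
    return [e for e in entries if e.file_missing]


def diff_logs(before: str, after: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Return (added, removed) findings between two scans, each in log order."""
    old, new = parse_hjt(before), parse_hjt(after)
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


# Constructed sample: a scan before the O17 fix ...
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
"""

# ... and one after it, where the O17 lines are gone and AVG Anti-Spyware was installed.
AFTER = r"""O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    print("O17:", o17_settings(parse_hjt(BEFORE)))
    print("missing:", [e.body for e in missing_files(parse_hjt(BEFORE))])
    added, removed = diff_logs(BEFORE, AFTER)
    print("added:", [f"{e.section} {e.body}" for e in added])
    print("removed:", [f"{e.section} {e.body}" for e in removed])
```

Paste a real log into BEFORE and the next one into AFTER to use it on your own scans. Diffing on whole entries rather than on sections is deliberate: an O4 line that merely changed its command line is reported as one removal plus one addition, which is exactly what you want to notice when checking that nothing re-added itself after a reboot.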
#7 Dallient Climber

Dallient Climber
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:05 AM

Posted 22 January 2007 - 10:11 AM

Hi htv8,

I ran into a problem at step 3. The qpnzv.dll command worked fine, but when I tried to do whatever it was I was doing to hmbgtihh.dll, it brought up a combo box telling me it failed, and my antivirus program gave me a message telling me that it found the file to be a virus and the file was deleted successfully (hmbgtihh.dll).

Here is my Combo Fix Log

"xxxxx" - Mon 01/22/2007 8:51:42 Service Pack 4
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\xxxxx\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\xxxxx
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1\winword.exe
C:\qoobox\purity\DOCUME~1\xxxxx\My Documents\SKS~1\??sks


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-19 09:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-19 08:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-17 13:55 2,822 --a------ C:\WINNT\system32\tmp.reg
2007-01-17 12:43 75,512 --a------ C:\WINNT\zllsputility.exe
2007-01-17 12:43 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-01-17 12:42 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-01-17 12:42 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-01-17 12:41 <DIR> d-a------ C:\WINNT\Internet Logs
2007-01-17 11:54 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-01-17 11:46 <DIR> d-------- C:\HJT
2007-01-17 10:40 97,792 --a------ C:\VundoFix.exe
2007-01-17 10:40 <DIR> d-------- C:\VundoFix Backups
2007-01-17 10:03 60,416 --a------ C:\WINNT\system32\qpnzv.dll
2007-01-17 08:34 <DIR> d-------- C:\DOCUME~1\xxxxx\.housecall6.6
2007-01-16 16:09 <DIR> d-------- C:\WINNT\Downloaded Installations
2007-01-16 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-16 08:40 <DIR> d-------- C:\Program Files\SpywareBot
2007-01-05 14:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-05 14:48 <DIR> d-------- C:\DOCUME~1\xxxxx\Application Data\Lavasoft
2007-01-05 09:52 <DIR> d-------- C:\Program Files\ToniArts
2007-01-05 09:35 <DIR> d-------- C:\Program Files\Google
2007-01-05 09:35 <DIR> d-------- C:\DOCUME~1\xxxxx\Application Data\Google
2007-01-05 09:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-05 09:28 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\UserData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 08:46 1682 --ahs---- C:\WINNT\system32\kgygaavl.sys
2007-01-22 08:44 -------- d-------- C:\Program Files\symantec antivirus
2007-01-17 12:42 -------- d-------- C:\Program Files\quicktime
2007-01-17 12:38 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-17 11:25 -------- d---s---- C:\DOCUME~1\xxxxx\Application Data\microsoft
2007-01-16 11:11 -------- d-------- C:\DOCUME~1\xxxxx\Application Data\adobeum
2007-01-05 09:52 -------- d--h----- C:\Program Files\installshield installation information
2007-01-05 09:52 -------- d-------- C:\Program Files\Common Files\installshield
2006-12-21 09:59 -------- d-------- C:\DOCUME~1\xxxxx\Application Data\adobe
2006-12-21 09:02 -------- d-------- C:\DOCUME~1\xxxxx\Application Data\opera
2006-12-21 08:37 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-21 08:33 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2006-12-07 19:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Act! Preloader"="\"C:\\Program Files\\ACT\\ACT for Windows\\Act8.exe\" -stayrunning"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN

Completion time: Mon 2007-01-22 8:54:07
C:\ComboFix2.txt ... 07-01-19 10:15

Here is my Uninstall List:

Abacast Client
ACT! 2006
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9
Adobe Help Center 1.0
Adobe Photoshop 5.0 Limited Edition
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
DirectX 9 Hotfix - KB839643
Easy CD Creator 5 Basic
EasyCleaner
Gateway Drivers and Applications Recovery
HijackThis 1.99.1
Hotfix for MDAC 2.71 (KB911562)
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
LiveUpdate 2.0 (Symantec Corporation)
MailFrontier Desktop
MetaFrame Presentation Server Client
Microsoft .NET Framework 1.1
Microsoft Office 2000 SR-1 Premium
Microsoft Office Outlook 2003
MSN Messenger 7.0
NetTraffic
Panda ActiveScan
RealPlayer
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec AntiVirus
Update Rollup 1 for Windows 2000 SP4
VNC 4.0
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB929969
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip
ZoneAlarm

And my latest HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 09:10, on 07-01-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

I'll watch for your reply. Thank you so much for all your help.

DC

#8 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:05 PM

Posted 23 January 2007 - 07:57 AM

Question: Do you recognize the dol.com domain as belonging to your ISP or company? Do you have to log in to work from home and does the DNS server belong to it?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Please download Pocket Killbox from the link below and save it to your Desktop.
Download Pocket KillBox

Once downloaded, extract the ZIP file to your Desktop and start Pocket KillBox by double-clicking on the KillBox.exe file that is located in the extracted KillBox folder. Now please follow these instructions to use Pocket KillBox:
1. Select the radio button labelled "Delete on Reboot".
2. Copy the entire filepath inside the CODE box below to the clipboard and paste the line into the top Full Path of File to Delete box.
C:\WINNT\system32\qpnzv.dll
3. If not greyed out, place a checkmark in the checkbox labelled "Unregister .dll Before Deleting".
4. Click the Delete File button that is a red-and-white X.
5. Click Yes at the Delete on Reboot prompt.
6. Click Yes at the Delete next Reboot prompt.

NOTE:
Restart manually when you get this message:

PendingFileRenameOperations Registry Data has been Removed by External Process!

Step #2
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows XP:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following directories (do not be concerned if they do not exist):
C:\Program Files\Enigma Software Group <-- this folder
C:\Program Files\SpywareBot <-- this folder

Step #3
Please download AVG Anti-Spyware 7.5 from the link below and save it to your Desktop.
Download AVG Anti-Spyware 7.5

Once downloaded, locate the icon on your Desktop and double-click on it to launch the setup program. Follow the on-screen instructions to install AVG Anti-Spyware.

Before running AVG Anti-Spyware, it is mandatory that you update its definition files. Follow these instructions to update and configure the program:
1. Start AVG Anti-Spyware.
2. Click the Update icon at the top of the screen. On the newly presented screen, click the button labelled "Start Update". The update process will start.
3. Once the update has completed, select the Scanner icon at the top of the screen, followed by clicking the Settings tab.
4. In the newly presented screen, click on the link named "Recommended actions" and then select the Quarantine option.
5. Under Reports, select the radio button labelled "Automatically generate report after every scan". Unselect the checkbox labelled "Only if threats were found".
6. Close AVG Anti-Spyware 7.5.

Now reboot your computer into Safe Mode again. When in Safe Mode, please follow these instructions to run AVG Anti-Spyware:
1. Close all windows so that you have nothing open and launch AVG Anti-Spyware by double-clicking the icon on your Desktop.
2. Click the Scanner icon at the top of the screen and select the Scan tab.
3. Click on the "Complete System Scan" icon and AVG Anti-Spyware will begin the scanning process. Be patient as this may take some time.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, as it may interfere with the scanning process.
4. When the scan has finished, AVG Anti-Spyware will list any infections found on the left-hand side. It should automatically set the recommended action to Quarantine.
5. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right-hand side.
6. Click on the button labelled "Save Report", followed by pressing the "Save Report As" button. This will create a text file. Make sure you know where to find this file again.
7. Close AVG Anti-Spyware.
8. Reboot your computer to boot back into normal mode.

Please post the entire contents of the saved text file in your next reply.

Step #4
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


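Step #1 above relies on "Delete on Reboot", and the NOTE about the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message is worth understanding rather than just following. The following is an added example, not code from this topic or from Pocket KillBox: a Python decoder for the PendingFileRenameOperations value that KillBox (via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) writes under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Checking that value before rebooting tells you what is actually queued, which is useful both when a deletion silently fails to happen and, on the forensic side, because the same queue can be used to swap or remove files at boot. The sample value is constructed here; qpnzv.dll is the file named in this topic, the other two paths are invented placeholders.

```python
r"""Decode a PendingFileRenameOperations value.

Added example; it is not part of this topic and not code from Pocket KillBox.
"Delete on Reboot" relies on a Windows mechanism: MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT queues the operation in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and the Session Manager carries it out early in the next boot, before the
DLL can be loaded again. If something clears that value before the reboot,
nothing is deleted, which is why the KillBox message in the NOTE matters.
The value is a flat list of strings in source/destination pairs: an empty
destination means "delete", a destination starting with "!" means "replace
an existing file". Because an empty string in the middle of a REG_MULTI_SZ
looks like the NUL NUL terminator to a reader that scans for it, the decoder
works from the raw UTF-16LE bytes and uses the data length instead.
The sample value is constructed; qpnzv.dll is the file named in this topic,
the other two paths are invented placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

NT_PREFIX = "\\??\\"  # NT-namespace prefix MoveFileEx stores in front of Win32 paths


@dataclass(frozen=True)
class PendingOp:
    action: str                 # "delete", "rename" or "replace"
    source: str
    destination: Optional[str]  # None for a delete


def split_multi_sz(raw: bytes) -> list[str]:
    """Split a raw REG_MULTI_SZ payload, keeping interior empty strings."""
    text = raw.decode("utf-16-le")
    if text in ("", "\x00", "\x00\x00"):
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("not a NUL NUL terminated REG_MULTI_SZ")
    text = text[:-1]             # drop the list terminator only
    parts = text.split("\x00")   # every string still carries its own NUL ...
    return parts[:-1]            # ... so the last element is an empty tail


def build_multi_sz(strings: list[str]) -> bytes:
    """Inverse of split_multi_sz, used here to construct sample registry data."""
    body = "".join(s + "\x00" for s in strings) + "\x00"
    return body.encode("utf-16-le")


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(raw: bytes) -> list[PendingOp]:
    """Turn the value's strings into (action, source, destination) records."""
    strings = split_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("value must consist of source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(PendingOp("delete", src, None))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(PendingOp("rename", src, _strip_nt_prefix(dst)))
    return ops


def pending_deletions(raw: bytes) -> list[str]:
    """Paths scheduled for deletion at next boot (what "Delete on Reboot" queued)."""
    return [op.source for op in decode_pending_ops(raw) if op.action == "delete"]


# Constructed sample value: one queued delete (as KillBox would queue it for
# this topic's file) plus one queued replace using placeholder paths.
SAMPLE_VALUE = build_multi_sz([
    r"\??\C:\WINNT\system32\qpnzv.dll", "",
    r"\??\C:\WINNT\Temp\placeholder_new.dll", r"!\??\C:\WINNT\system32\placeholder_old.dll",
])

if __name__ == "__main__":
    for op in decode_pending_ops(SAMPLE_VALUE):
        print(op)
```

On a live Windows machine you would feed decode_pending_ops the raw bytes of the value (a REG_MULTI_SZ read as binary data, or exported from a .reg file); the decoder is kept pure so it runs anywhere. A "replace" entry pointing at a system DLL is the pattern to look at twice, since it is a way to swap a file in at boot while the original is still in use.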
#9 Dallient Climber

Dallient Climber
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:05 AM

Posted 23 January 2007 - 12:09 PM

Hi htv8,

I'm pretty sure dol.com belongs to my company since dol are the initials of my organization. I'm not 100% sure but like I said the name makes sense and is likely from my company.

I made a mistake when following your directions so you will see two reports.

I pasted your directions into WordPad, so instead of entering C:\winnt......qpnzv.dll, I entered CODEC:\winnt....qpnzv.dll, so when I scanned the first time that shows up in the system32 folder:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:22:20 AM 01/23/2007

+ Scan result:



C:\WINNT\system32\qpnzv.dll -> Adware.PurityScan : No action taken.
C:\RECYCLER\S-1-5-18\Dc4\system.dll -> Adware.Softomate : No action taken.
C:\RECYCLER\S-1-5-18\Dc5\system.dll -> Adware.Softomate : No action taken.
C:\QooBox\Purity\DOCUME~1\xxxxx\My Documents\SKS~1\winword.exe -> Downloader.PurityScan.dt : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxer@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@searchportal.information[2].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@sales.liveperson[2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@data3.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@h.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\VundoFix Backups\winydp32.dll.bad -> Trojan.Mezzia : No action taken.


::Report end


After realizing my mistake I used KillBox to get rid of the qpnzv.dll file. This time it didn't give me the message "Pending file operations...........External Process!", so as soon as Windows started to shut down I did a hard restart.

I restarted in Safe Mode and did not see the Enigma folder or the SpywareBot folder (I deleted them the first time around), so I rescanned with AVG. This time the qpnzv.dll file is in the !KillBox folder, which I'm assuming is a good thing:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:40:23 AM 01/23/2007

+ Scan result:



C:\!KillBox\qpnzv.dll -> Adware.PurityScan : No action taken.
C:\RECYCLER\S-1-5-18\Dc4\system.dll -> Adware.Softomate : No action taken.
C:\RECYCLER\S-1-5-18\Dc5\system.dll -> Adware.Softomate : No action taken.
C:\QooBox\Purity\DOCUME~1\xxxxx\My Documents\SKS~1\winword.exe -> Downloader.PurityScan.dt : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxr@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@searchportal.information[2].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxr@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxr@sales.liveperson[2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@data3.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxr@h.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.starware[1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxxr@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\VundoFix Backups\winydp32.dll.bad -> Trojan.Mezzia : No action taken.


::Report end

I didn't run HJT before redoing the instructions, which in hindsight might have been a bad idea, but here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:15 AM, on 01/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

My computer seems to be running just fine and it has been ever since I ran vundofix last week. So even though I still had an infection, it didn't seem to affect my performance, which is kind of scary. It's a good thing I started to get all those popups or I might never have found it!

I'll keep an eye out for your reply. Keep up the good work!!!

Thanks

DC

#10 htv8

Posted 24 January 2007 - 11:15 AM

This time the qpnzv.dll file is in the !Killbox folder which I'm assuming is a good thing...

Yes, that is good. :thumbsup:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
R3 - Default URLSearchHook is missing

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #2
Your AVG Anti-Spyware log shows that no action was taken. Please rescan with AVG Anti-Spyware and follow the instructions I posted so that it quarantines everything it found. (You probably forgot to tell AVG Anti-Spyware what to do with the bad files.)
Do not forget to click the button labelled "Apply all actions" once the scan is finished; otherwise the bad files won't get removed. So please follow my instructions carefully and make sure you set the settings exactly as written. Once finished, please post the AVG Anti-Spyware log as a reply to this post.

Step #3
Please perform an online scan with Kaspersky Online Scanner (click).
Follow these instructions:
1. Click on the button labelled "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Install it.
3. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
4. Now click on "Scan Settings".
5. In the scan settings, make sure the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

6. Click OK.
7. Now under select a target to scan, select My Computer.

The program will start and scan your system.
NOTE: The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on the button labelled "Save as Text" and save a text file to your Desktop. Copy and paste that information in your next post.

Step #4
Please download ATF Cleaner from the link below and save it to your Desktop.
Download ATF Cleaner

Now follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radio button labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program.

Step #5
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#11 Dallient Climber (Topic Starter)

Posted 24 January 2007 - 03:24 PM

Hi htv8,

I had the settings right on AVG, but I wasn't hitting the "Fix Checked" before saving the log. Looks like it worked better this time:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:14:38 PM 01/24/2007

+ Scan result:



C:\!KillBox\qpnzv.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc4\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc5\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\QooBox\Purity\DOCUME~1\xxxxx\My Documents\SKS~1\winword.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\Documents and Settings\xxxxx\Cookies\xxxxx@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@www.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\xxxxx\Cookies\xxxxx@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\VundoFix Backups\winydp32.dll.bad -> Trojan.Mezzia : Cleaned with backup (quarantined).


::Report end


Here is the Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 24, 2007 2:02:46 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/01/2007
Kaspersky Anti-Virus database records: 261687
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 111989
Number of viruses found: 10
Number of infected objects: 21 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:26:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40000.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40001.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40002.VBN Infected: Trojan-Downloader.Win32.Small.dod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40003.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40004.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04F80000.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04F80001.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05200000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05200001.VBN Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05200002.VBN Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06580000.VBN Infected: Exploit.HTML.IframeBof skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06580001.VBN Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06780001.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840001.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840002.VBN Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07440000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ADF Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ALF Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\xxxxx\Application Data\ACT\ACT For Windows 8\ACTLOG.XML Object is locked skipped
C:\Documents and Settings\xxxxx\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Application Data\ApplicationHistory\Act8.exe.fc6b858.ini.inuse Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Application Data\ApplicationHistory\Explorer.EXE.1d41aca2.ini.inuse Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Application Data\ApplicationHistory\IEXPLORE.EXE.26e3ad32.ini.inuse Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\History\History.IE5\MSHist012007012420070125\index.dat Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Temp\~DF6A49.tmp Object is locked skipped
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\xxxxx\My Documents\ACT\ACT for Windows 8\Databases\clientmain.ADF Object is locked skipped
C:\Documents and Settings\xxxxx\My Documents\ACT\ACT for Windows 8\Databases\clientmain.ALF Object is locked skipped
C:\Documents and Settings\xxxxx\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\xxxxx\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\LOG\ERRORLOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VundoFix Backups\lxpfemga.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\CTADVERTISING.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_2fc.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_974.dat Object is locked skipped
C:\WINNT\Temp\ZLT0480e.TMP Object is locked skipped
C:\WINNT\Temp\ZLT04815.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
J:\Databases\CTEdit10.mdb Object is locked skipped
J:\Databases\CTEdit10.ldb Object is locked skipped

Scan process completed.

And my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:06:52 PM, on 01/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dol.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dol.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks again for all your help.

DC
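An added example, not from this thread and not code from Kaspersky or AVG: the Kaspersky report above lists 21 infected objects, yet the log is judged clean in the next post, because almost every hit sits inside a quarantine or backup folder (the Symantec Quarantine .VBN files, VundoFix Backups, !KillBox, QooBox) and so is a copy that another tool has already neutralised. The script below parses report lines in that format and separates them into locked objects (in-use files such as registry hives and index.dat), contained copies, riskware ("not-a-virus:" detections such as the VNC viewer, legitimate if you installed it), and live findings that still need action. The sample lines are constructed in the report's format; the Temp-folder dropper.exe line is hypothetical, added so there is one live hit to report.

```python
"""Separate an online-scanner report into findings that still need action and
hits that only point at copies another tool has already quarantined.

Constructed sample lines in the Kaspersky Online Scanner format used in this
thread; the Temp-folder dropper.exe line is hypothetical (a live hit to report).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B40002.VBN Infected: Trojan-Downloader.Win32.Small.dod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05200000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\xxxxx\Local Settings\Temp\dropper.exe Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VundoFix Backups\lxpfemga.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gf skipped
C:\WINNT\system32\config\SAM Object is locked skipped
"""

# Folders where removal tools park copies of what they took out; a hit here is not a live infection.
CONTAINED_DIRS = ("\\quarantine\\", "\\vundofix backups\\", "\\!killbox\\", "\\qoobox\\")

# "<path> Infected: <name> skipped"  or  "<path> Object is locked skipped"
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Object is locked) skipped$")


@dataclass
class Hit:
    path: str
    name: Optional[str]  # detection name; None when the object was merely locked
    status: str          # "locked" | "contained" | "riskware" | "active"


def classify(line: str) -> Optional[Hit]:
    """Parse one report line; None for headers, statistics and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    low = path.lower()
    if name is None:
        status = "locked"      # in-use file (hive, event log, index.dat); expected, not a detection
    elif any(d in low for d in CONTAINED_DIRS):
        status = "contained"   # already-quarantined copy; empty the quarantine when the cleanup is done
    elif name.startswith("not-a-virus:"):
        status = "riskware"    # legitimate-but-abusable tool; keep it if you installed it yourself
    else:
        status = "active"      # malware in a live location: this is what still needs removing
    return Hit(path, name, status)


def triage(report: str) -> List[Hit]:
    return [h for h in (classify(l) for l in report.splitlines()) if h]


def summary(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per status, e.g. {'locked': 2, 'contained': 3, 'riskware': 1, 'active': 1}."""
    return dict(Counter(h.status for h in hits))


def action_items(hits: List[Hit]) -> List[Hit]:
    """Only the hits that still represent malware on a live path."""
    return [h for h in hits if h.status == "active"]


if __name__ == "__main__":
    hits = triage(SAMPLE_REPORT)
    print(summary(hits))
    for h in action_items(hits):
        print("ACT:", h.name, "->", h.path)
```

Two caveats a practitioner would add: a "contained" hit is harmless only while the quarantine stays sealed, so purge the quarantine folders and the VundoFix/KillBox backups once the machine is confirmed clean rather than leaving live samples on disk; and "locked" objects were never scanned, so if the rest of the picture is worrying, rescan them from Safe Mode or offline.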

#12 htv8

Posted 25 January 2007 - 06:31 AM

Your log looks clean now. Good work! :thumbsup: However, if you experience any more problems, please report back.

Now please follow the simple steps below in order to keep your computer clean and secure.

Step #1: re-hide hidden system files and folders
Re-hide your hidden system files and folders, because the instructions above that set your system to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just follow these instructions:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Place a checkmark in the checkbox labelled "Hide file extensions for known file types".
6. Place a checkmark in the checkbox labelled "Hide protected operating system files".
7. Deselect the radio button labelled "Show hidden files and folders".
8. Press the Apply button, then press the OK button and close My Computer.

Now your computer is configured to hide all hidden system files and folders.

Step #2
Finally, and definitely the MOST IMPORTANT step, click on this tutorial and follow each step listed here:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Do not forget to tell your friends about us.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#13 Dallient Climber (Topic Starter)

Posted 25 January 2007 - 11:28 AM

Hi htv8,

Thanks again for all your help. Everything is running fine and my scanners aren't finding bad things anymore. I'll be sure to tell everyone I can about you guys :flowers:

Thanks again for your time :thumbsup:

DC

#14 htv8

Posted 14 February 2007 - 07:52 AM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
