Infected With Trojan.dloader/lx


11 replies to this topic

#1 Sara Bijan

Posted 11 February 2007 - 04:50 PM

When I am in Internet Explorer, my page always gets redirected to about:blank that says I am infected with a virus called Trojan.DLoader/LX, and then says to download SpySoldier and Spyware Knight. The redirection to this page is really annoying and I appreciate help in removing it. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 4:41:46 PM, on 2/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/tai
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [yjgddu] C:\WINDOWS\System32\arcldw.exe reg_run
O4 - HKLM\..\Run: [htxplwi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\htxplwi.dll",gmcawef
O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000501 (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


#2 RichieUK (Malware Response Team)

Posted 11 February 2007 - 05:19 PM

Welcome to Bleeping Computer Sara Bijan :thumbsup:

Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the smitfraudfix report into your next reply

================

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply. Also post the Smitfraudfix report and a new Hijackthis log.

#3 Sara Bijan (Topic Starter)

Posted 12 February 2007 - 07:28 PM

SDFix

SDFix: Version 1.64

Run by: Sara Bijan - Mon 02/12/2007 @ 19:11:15.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000501

Client IP-IPX Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found..




ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\WINDOWS\LastGood.Tmp\INF\java.inf
C:\WINDOWS\LastGood.Tmp\INF\java.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem25.inf
C:\WINDOWS\LastGood.Tmp\INF\oem25.PNF

Finished


Smitfraudfix


SmitFraudFix v2.138

Scan done at 18:32:24.85, Sun 02/11/2007
Run from C:\Documents and Settings\Sara Bijan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Hijackthis


Logfile of HijackThis v1.99.1
Scan saved at 7:20:50 PM, on 2/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [yjgddu] C:\WINDOWS\System32\arcldw.exe reg_run
O4 - HKLM\..\Run: [htxplwi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\htxplwi.dll",gmcawef
O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by Sara Bijan, 12 February 2007 - 07:29 PM.


#4 RichieUK (Malware Response Team)

Posted 12 February 2007 - 07:52 PM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

****************************

Please download/install AVG Anti-Spyware 7.5.
Welcome Trailrider
Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O4 - HKLM\..\Run: [yjgddu] C:\WINDOWS\System32\arcldw.exe reg_run
O4 - HKLM\..\Run: [htxplwi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\htxplwi.dll",gmcawef
O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
O20 - Winlogon Notify: p4reg - p432.dll (file missing)

Exit Hijackthis.

Find and delete if present:
C:\WINDOWS\System32\asgp32.dll
C:\WINDOWS\System32\arcldw.exe
C:\WINDOWS\system32\drivera.dll
C:\Documents and Settings\NetworkService\Local Settings\Application Data\htxplwi.dll


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

****************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot, post the AVG Anti Spyware report, the C:\ComboFix.txt, and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
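Added example, not part of the thread and not code from HijackThis or any other tool mentioned here: a small Python triage script that applies the same rules of thumb behind the fix list above to HijackThis log lines (orphaned "(file missing)" / "(no file)" references, rundll32 loading a DLL out of a service account's profile, random-looking Run value names, services with no identifiable owner). The sample lines are copied from the logs posted in this thread; the heuristics, the service-account list and the name-length threshold are my assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.99.1 logs posted in
# this thread (the entries the helper flagged, mixed with benign ones).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [yjgddu] C:\WINDOWS\System32\arcldw.exe reg_run
O4 - HKLM\..\Run: [htxplwi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\NetworkService\Local Settings\Application Data\htxplwi.dll",gmcawef
O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000501 (file missing)
"""

# Built-in service accounts whose profile directories should never hold
# autostart DLLs (assumption: the two that appear in the thread's logs).
SERVICE_PROFILES = ("localservice", "networkservice")

# O4 line shape: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# rundll32.exe followed by an optionally quoted DLL path
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)', re.IGNORECASE)
# first *.exe token on the command line
EXE_RE = re.compile(r"([\w~]+)\.exe", re.IGNORECASE)


def flag_line(line):
    """Return the reasons a HijackThis line deserves a closer look (empty = nothing found)."""
    reasons = []
    low = line.lower()

    # Orphaned references: the registry still points at a component that is
    # gone. Harmless on its own, but in this thread every such entry belonged
    # to the infection (drivera.dll, p432.dll, the fake svchosts.exe service).
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("registry entry points at a file that no longer exists")

    m = O4_RE.match(line)
    if m:
        name, cmd = m.group(3), m.group(4)

        # rundll32 loading a DLL out of a service account's profile: nothing
        # legitimate installs itself under LocalService / NetworkService.
        r = RUNDLL_RE.search(cmd)
        if r:
            dll = r.group(1).lower()
            if "local settings\\application data" in dll and any(
                p in dll for p in SERVICE_PROFILES
            ):
                reasons.append("rundll32 loads a DLL from a service account's profile")

        # Random-looking Run value name (e.g. [yjgddu] -> arcldw.exe). The
        # 5-8 lowercase letters threshold is an assumption tuned to this log.
        exe = EXE_RE.search(cmd)
        if exe and re.fullmatch(r"[a-z]{5,8}", name) and name not in exe.group(1).lower():
            reasons.append("Run value name looks random and unrelated to its executable")

    # Services HijackThis could not attribute to a publisher.
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with no recognisable publisher")

    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = flag_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for why in reasons:
            print("    ->", why)
```

Entries the helper recognised by name (asgp32.dll, for instance) are not caught by these heuristics, so a hit here is a prompt to look closer rather than a verdict.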

#5 Sara Bijan (Topic Starter)

Posted 12 February 2007 - 08:07 PM

My Pc is running fine, apart from the annoying redirection. Also, when I click Update, on AVG Spyware, it says that no updates are available.

Edited by Sara Bijan, 12 February 2007 - 08:11 PM.


#6 RichieUK (Malware Response Team)

Posted 12 February 2007 - 08:30 PM

Go to Control Panel.
If you are using Windows XP's Category View, select 'Network and Internet Connections', otherwise double click on 'Network Connections'.
Then right click on your default connection, usually local area connection for cable and dsl, and left click on 'Properties'.
Double-click on 'Internet Protocol (TCP/IP)' and select the radio dial that says 'Obtain DNS servers automatically'.
Press OK twice to get out of the properties screen and reboot if it asks.

Do that for every connection listed, reboot when you've finished.
Let me know what's happening now please.

#7 Sara Bijan (Topic Starter)

Posted 12 February 2007 - 09:42 PM

My computer is running fine.

AVG Spyware Scan

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:23:08 PM 2/12/2007

+ Scan result:



C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe -> Adware.Nexus : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe -> Adware.Nexus : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QWRDXSH2\ac4[1].txt -> Downloader.Agent.awb : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002237.exe -> Downloader.Agent.axh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\1[1].exe -> Downloader.Agent.bca : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\1[2].exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002231.exe -> Downloader.Agent.bca : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun10.exe -> Downloader.Obfuscated.bf : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun10.exe -> Downloader.Obfuscated.bf : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002232.exe -> Downloader.Small : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002235.dll -> Downloader.Small.dxm : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Application Data\dfbbaaaa.exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\A1HURQXG\ml[1].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\A1HURQXG\ml[2].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\ml[1].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\ml[2].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\ml[3].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\ml[4].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\JIGZ3H8D\ml[5].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\LBFJDTWE\ml[1].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\Q983EVIP\ml[1].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\U1Q50TUT\ml[1].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\U1Q50TUT\ml[2].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\U1Q50TUT\ml[3].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\Sara Bijan\Local Settings\Temporary Internet Files\Content.IE5\U1Q50TUT\ml[4].exe -> Downloader.Small.efh : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun12.exe -> Dropper.Agent.azk : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun12.exe -> Dropper.Agent.azk : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002239.dll -> Heuristic.Win32.Morphine-Crypted : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun14.exe -> Logger.BZub.gr : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun14.exe -> Logger.BZub.gr : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\2.dllb -> Not-A-Virus.Hoax.Win32.Renos.ha : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\2.dllb -> Not-A-Virus.Hoax.Win32.Renos.ha : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@web4.realtracker[2].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Sara Bijan\Cookies\sara bijan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002236.dll -> Trojan.Agent.adl : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\mst15.tmp -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002234.dll -> Trojan.AntiSpySoldier.a : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002233.dll -> Trojan.Kolweb.b : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP20\A0001479.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP21\A0001488.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP21\A0001497.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP21\A0001509.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP22\A0001523.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP22\A0001536.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP22\A0001673.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002227.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002228.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002229.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002230.exe -> Trojan.Kolweb.j : Cleaned.
C:\WINDOWS\system32\monterreya_unknown.exe -> Trojan.Kolweb.j : Cleaned.
C:\System Volume Information\_restore{1D754853-CD2B-4287-9A0D-7BEC62082DED}\RP32\A0002238.exe -> Trojan.LdPinch.bdf : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun13.exe -> Trojan.VB.tg : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun13.exe -> Trojan.VB.tg : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun15.exe -> Worm.Zhelatin.n : Cleaned.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun15.exe -> Worm.Zhelatin.n : Cleaned.


::Report end


ComboFix

"Sara Bijan" - 07-02-12 21:27:09 Service Pack 1
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Sara Bijan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\unsvchosts.exe
C:\Program Files\Common Files\{C0AC7~2
C:\Program Files\Common Files\{C0AC7~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-11 18:40 <DIR> d-------- C:\SDFix
2007-02-11 16:39 <DIR> d-------- C:\Program Files\HijackThis
2007-02-09 21:11 <DIR> d-------- C:\Program Files\Ultimate Defender
2007-02-09 15:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-09 15:18 <DIR> d-------- C:\Program Files\Grisoft
2007-02-06 18:09 <DIR> d-------- C:\DOCUME~1\SARABI~1\Application Data\Ultimate Cleaner
2007-02-03 18:23 <DIR> d-------- C:\DOCUME~1\SARABI~1\Application Data\DivX
2007-02-03 18:01 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-02-03 18:01 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-03 18:01 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-02-03 18:01 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-02-03 18:01 3,220 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-03 18:01 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-02-03 18:01 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-02-02 20:59 <DIR> d-------- C:\Program Files\DivX
2007-02-01 18:05 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2007-02-01 18:05 <DIR> d-------- C:\Program Files\softwa~1
2007-02-01 18:05 <DIR> d-------- C:\Program Files\akl
2007-02-01 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-01 17:59 <DIR> d-------- C:\DOCUME~1\SARABI~1\Application Data\Lavasoft
2007-02-01 17:32 4,666 --a------ C:\WINDOWS\winus1.exe
2007-02-01 16:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-02-01 16:55 <DIR> d-------- C:\DOCUME~1\SARABI~1\Application Data\Real
2007-01-31 23:56 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 23:56 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 23:56 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 23:56 639,066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 16:27 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-30 18:15 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-01-30 00:03 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 00:03 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 00:03 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 23:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 23:56 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-29 23:56 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 23:56 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-29 23:56 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 23:56 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 23:56 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 23:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-22 18:59 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
2007-01-22 18:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-21 11:51 <DIR> d-------- C:\Program Files\NetBattle
2007-01-14 12:33 150,016 --a------ C:\WINDOWS\system32\durvilz.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-12 21:25 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-06 18:35 -------- d-------- C:\DOCUME~1\SARABI~1\Application Data\macromedia
2007-02-05 17:43 -------- d---s---- C:\DOCUME~1\SARABI~1\Application Data\microsoft
2007-02-01 17:31 133120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-02-01 16:57 -------- d-------- C:\Program Files\Common Files\real
2006-12-22 12:16 -------- d-------- C:\Program Files\spywarebot
2006-12-21 15:22 -------- d-------- C:\Program Files\musicnotes
2006-12-21 13:15 -------- d-------- C:\Program Files\emule
2006-12-20 22:54 -------- d-------- C:\DOCUME~1\SARABI~1\Application Data\help
2006-12-12 11:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ACTX1"=""
"yahoostock"=""
"intell321.exe"=""
"UMGR32.EXE"=""
"wingo"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"biosadapter"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PmProxy"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"TFNF5"="TFNF5.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"NDSTray.exe"="\"C:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe\""
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"TSysSMon"="c:\\toshiba\\sysstability\\tsyssmon.exe /detect"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"jpmyoze.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\jpmyoze.dll\",hiconc"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 21:31:10


Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 9:35:04 PM, on 2/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#8 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 13 February 2007 - 03:00 AM

Copy and paste the text below into Notepad.
Click on File (in the menu at the top) > Save As. Save as type: 'All Files'; File name: fix.reg; save it to your desktop.
Then double-click the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"jpmyoze.dll"=-

==============================================

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc
Exit Hijackthis.

****************************

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\winus1.exe
C:\WINDOWS\system32\durvilz.dll
C:\Program Files\spywarebot
C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll
Reboot normally.

****************************

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'OK', then run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

****************************

Reboot, then post a new HijackThis log in your next reply.
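The steps in the post above (spot the Run value that makes rundll32 load a DLL from a service account's profile, delete the value with a REGEDIT4 file, then remove the DLL itself in Safe Mode) can be triaged mechanically. The following is an added example, not a tool used anywhere in this thread: it parses HijackThis "O4" lines and ComboFix "Reg Loading Points" lines, flags Run values that are empty or that make rundll32 load a DLL from a profile or Temp path, and emits the same `"name"=-` removal entries that the fix.reg above uses. The sample log lines are constructed to match the formats shown in the thread; the flagging heuristics and all function names are this example's own assumptions, not rules from the page.

```python
"""Triage Run-key autostarts from HijackThis / ComboFix log text and build a .reg fix.

Added example, not a tool from the thread. Sample lines are constructed from the
formats shown in the thread; the flagging heuristics are this example's assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input, shaped like HijackThis "O4 -" lines.
SAMPLE_HJT = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''

# Constructed sample input, shaped like ComboFix's "Reg Loading Points" section
# (values are written in .reg escaping: \\ for a backslash, \" for a quote).
SAMPLE_COMBOFIX = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ACTX1"=""
"intell321.exe"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"biosadapter"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"jpmyoze.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\jpmyoze.dll\",hiconc"
'''

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
HJT_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
REG_KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Heuristics (assumptions): rundll32 as the launcher, DLL under a profile/Temp path.
RUNDLL32 = re.compile(r'^"?(?:[a-z]:\\windows\\system32\\)?rundll32(?:\.exe)?"?\s', re.I)
PROFILE_PATH = re.compile(r'\\(Documents and Settings|Local Settings|Temp|Application Data)\\', re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"', re.I)


def reg_unescape(s: str) -> str:
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r'\\(.)', r'\1', s)


def reg_escape(s: str) -> str:
    """Escape a value name for a .reg file."""
    return re.sub(r'([\\"])', r'\\\1', s)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """HijackThis O4 lines -> full registry key, value name, command."""
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            hive, subkey, name, cmd = m.groups()
            key = f"{HIVES[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{subkey}"
            entries.append({"key": key, "name": name, "command": cmd})
    return entries


def parse_combofix(text: str) -> List[Dict[str, str]]:
    """ComboFix 'Reg Loading Points' lines under Run/RunOnce/RunServices keys."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE.match(line)
        if vm and key and key.lower().endswith(("\\run", "\\runonce", "\\runservices")):
            entries.append({"key": key, "name": reg_unescape(vm.group(1)),
                            "command": reg_unescape(vm.group(2))})
    return entries


def classify(command: str) -> Optional[str]:
    """Return a reason to remove the value, or None if it looks ordinary."""
    cmd = command.strip()
    if not cmd:
        return "empty value: dead remnant of a removed program"
    if RUNDLL32.match(cmd) and PROFILE_PATH.search(cmd):
        return "rundll32 loading a DLL from a profile/Temp path: typical malware persistence"
    return None


def triage(hjt_text: str, combofix_text: str) -> List[Dict[str, str]]:
    """Flagged entries from both logs, de-duplicated by (key, value name)."""
    seen, flagged = set(), []
    for e in parse_hjt(hjt_text) + parse_combofix(combofix_text):
        reason = classify(e["command"])
        ident = (e["key"].lower(), e["name"].lower())
        if reason and ident not in seen:
            seen.add(ident)
            flagged.append(dict(e, reason=reason))
    return flagged


def build_reg_fix(flagged: List[Dict[str, str]]) -> str:
    """REGEDIT4 text that deletes each flagged value ("name"=- removes a value)."""
    by_key: Dict[str, List[str]] = {}
    for e in flagged:
        by_key.setdefault(e["key"], []).append(e["name"])
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{reg_escape(n)}"=-' for n in names)
        out.append("")
    return "\n".join(out)


def files_to_delete(flagged: List[Dict[str, str]]) -> List[str]:
    """DLLs named in flagged commands; removing the Run value does not remove the file."""
    files: List[str] = []
    for e in flagged:
        m = DLL_ARG.search(e["command"])
        if m and m.group(1) not in files:
            files.append(m.group(1))
    return files


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT, SAMPLE_COMBOFIX)
    for e in hits:
        print(f'{e["key"]}\\{e["name"]}: {e["reason"]}')
    print(build_reg_fix(hits))
    print("Delete in Safe Mode once the Run value is gone:", files_to_delete(hits))
```

The .reg output deletes only the autostart value; the DLL it pointed at stays on disk and may still be loaded by a running rundll32.exe, which is why the post above deletes the file from Safe Mode rather than from the live session. The empty-value hits (ACTX1, intell321.exe, biosadapter in the constructed sample) are inert leftovers; removing them tidies the key but is not what stops the redirects.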

#9 Sara Bijan, Topic Starter (Members, 6 posts)

Posted 13 February 2007 - 06:59 PM

I couldn't find O4 - HKLM\..\Run: [jpmyoze.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\LocalService\Local Settings\Application Data\jpmyoze.dll",hiconc in HijackThis.

New HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 6:54:19 PM, on 2/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#10 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 13 February 2007 - 07:24 PM

Your log is clean :thumbsup:
If all is OK, please do the following:

Please revert these settings back to default:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Turn off System Restore, then turn it back on again:
Help if needed:
http://www.pchell.com/virus/systemrestore.shtml

Create a new System Restore Point:
Help if needed:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the System Restore window, click the "Create a Restore Point" button, then click 'Next'.
In the window that appears, enter a description, then click on "Create", then "Close".
The date and time are added automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

#11 Sara Bijan, Topic Starter (Members, 6 posts)

Posted 13 February 2007 - 07:49 PM

Thank you so much for helping me over the past two days! My computer is running fine right now.

#12 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 13 February 2007 - 08:34 PM

You're most welcome Sara :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.