Removed Vundo Trojan & Packed.win32.klone.j Among Others, Scanning Clean But Still Slow


  • This topic is locked
35 replies to this topic

#1 Nalyn


  • Members
  • 31 posts

Posted 21 February 2007 - 01:39 PM

Hello, and thanks for being there to help. I've followed all the steps in the Prep Guide, leaving out the Trend Micro software due to the recent flaw they discovered. My computer is now scanning clean with Microsoft Live OneCare, ZoneAlarm, Ad-Aware SE, AVG Anti-Spyware, BitDefender and Stinger 260. I deactivate Live OneCare at startup so I don't have duelling firewalls, and will likely uninstall it altogether as I prefer ZoneAlarm. AVG Anti-Spyware is also not running at startup, just being used as a back-up scanner. I'm wondering, though, if all the scanning programs on my computer are slowing it down.

Also, ZoneAlarm is regularly logging that it has blocked outgoing messages to station6k.dscga.com, with the destination IP as 198.79.88.6:445. Obviously, something is still going on.

My computer originated as a work computer on which I issued insurance policies remotely, logging into a remote desktop. It was given to me when I left employment with the company, and I have administrative rights. However, ZoneAlarm is also blocking outgoing messages to my former company's website. They did monitor me, so I suppose this was how they did it. I'm wondering, though, how I can turn this off. Another thing I'm wondering is what I need to do to reconfigure the computer as a stand-alone. It is not attached to a network at all anymore, and I just learned that the way it is set up made it vulnerable to Trojan attack. My computer techie skills are not up to par, I'm afraid, but I'm learning fast. ;o) Thanks for all the help you can give me. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:17 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {60DF53E6-41F2-481D-9916-0B1115E42A08} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: (no name) - {C3611AF4-EF36-4167-94C1-B204F2D526F9} - C:\WINDOWS\java\mwsawve.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [DigitalDeveloper] C:\Program Files\Photomax Digital Developer\DDStub.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 YounGun


    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 21 February 2007 - 05:39 PM

Heya :thumbsup:

I'm Victor and I will be helping you.

I would like to see if any other startups are involved. To do this, I need to see another type of log, please. Go here and download Silent Runners.vbs to a new folder on your Desktop (clicking the download link works if you use IE; if you use Firefox, right-click on the link and choose "Save Link As") and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (make sure you wait for the popups, please). Please post the information back in this thread too (you may need to make a couple of posts). If your antivirus program queries the script, allow it to run. It's not malicious.

#3 Nalyn

  • Topic Starter

  • Members
  • 31 posts

Posted 21 February 2007 - 07:02 PM

Thanks so much for your response. I ran the log you requested, only I left the room briefly while it was scanning and just missed whatever the pop-up on screen was saying when I returned, so I ran it again, only now I'm confused which of the scan results on the desktop was which. I think the one below is complete. They seem to be identical except for the running time. This one was longer. I did say I was techno-challenged. ;o) Anyway, here's the log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon"
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NI.UWAS5LP_0001_0811" = ""C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"" [file not found]
"(Default)" = "(empty string)" [file not found]
"DigitalDeveloper" = "C:\Program Files\Photomax Digital Developer\DDStub.exe" [null data]
"OneCareUI" = ""C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"" [MS]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{60DF53E6-41F2-481D-9916-0B1115E42A08}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\kdphtdpf.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BD257DCB-B5D0-459F-9F7D-42E27AC55266}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\kdphtdpf.dll" [file not found]
{C3611AF4-EF36-4167-94C1-B204F2D526F9}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\java\mwsawve.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
AntivirusShlExt\(Default) = "{BE79B9C8-9791-41d3-9267-C4123AC0AEAE}"
-> {HKLM...CLSID} = "AVShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Windows OneCare Live\AVShellExt.dll" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "jm" & "All Users" startup folders:
----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"APC UPS Status" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
OneCare AntiSpyware and AntiVirus, OneCareMP, ""C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"" [MS]
OneCare Firewall, msfwsvc, ""C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S200\Driver = "CNMLM3w.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 152 seconds, including 55 seconds for message boxes)

#4 YounGun


    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 21 February 2007 - 09:18 PM

Well, for starters, you seem to have removed Vundo almost successfully, good job on that one :thumbsup:

Let's take care of the orphaned registry keys:

Open HijackThis and check the following lines:


O2 - BHO: (no name) - {60DF53E6-41F2-481D-9916-0B1115E42A08} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: (no name) - {C3611AF4-EF36-4167-94C1-B204F2D526F9} - C:\WINDOWS\java\mwsawve.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"


Make sure you have selected all the lines above and press Fix Checked.

REBOOT

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button and save the file as kavscan.txt to your Desktop, close the Kaspersky Online Scanner window, and post the text in kavscan.txt in your next reply along with a new HijackThis log.
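
As an added example (not code from this thread, from the helper, or from HijackThis itself), a small Python check that reads the O2 and O4 lines of a HijackThis 1.99 log in the layout shown above and flags the two kinds of dead launch point picked out in this reply: BHO CLSIDs whose DLL is "(file missing)", and Run values that start a file from the browser cache. The sample lines are copied from the log posted above; the regexes and the directory list are this example's own assumptions about the log format.

```python
import re

# HijackThis 1.99 line formats this check reads (the log above uses this layout):
#   O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
#   O4 - HKLM\..\Run: [<value name>] <command line>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.*)$"
)

# Directories a legitimate autostart entry has no business launching from
# (assumed list for this example, matched case-insensitively).
SUSPICIOUS_DIRS = ("\\temporary internet files\\", "\\content.ie5\\", "\\temp\\")

# Constructed sample: the relevant lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {60DF53E6-41F2-481D-9916-0B1115E42A08} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O2 - BHO: (no name) - {C3611AF4-EF36-4167-94C1-B204F2D526F9} - C:\WINDOWS\java\mwsawve.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def orphaned_entries(log_text):
    """Return (section, identifier, reason) for each launch point worth fixing.

    Two conditions, matching what the helper picked out above:
      * an O2 BHO whose CLSID is still registered but whose DLL HijackThis
        reports as "(file missing)" -- a dead launch point left behind by
        malware that has already been removed;
      * an O4 Run value whose command line starts a file from a browser cache
        or temp directory -- no legitimate installer registers an autostart there.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(("O2", m.group("clsid"),
                                 "BHO registered for a DLL that no longer exists: " + m.group("path")))
            continue
        m = O4_RE.match(line)
        if m:
            command = m.group("command").lower()
            if any(d in command for d in SUSPICIOUS_DIRS):
                findings.append(("O4", m.group("name"),
                                 "Run value launches from a browser cache / temp directory"))
    return findings


if __name__ == "__main__":
    # Prints the three orphaned BHOs and the WAS5Scan[1].exe Run value.
    for section, ident, reason in orphaned_entries(SAMPLE_LOG):
        print(f"{section} {ident}: {reason}")
```

The check is deliberately narrow: O9 entries marked "(file missing)" are left alone because, as in this log, they are usually leftovers of uninstalled tools rather than malware launch points.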

#5 Nalyn

  • Topic Starter

  • Members
  • 31 posts

Posted 21 February 2007 - 10:13 PM

Okay, thanks. I checked all six items you mentioned and hit the fix key in HijackThis. And I'm on my way to reboot and do the other items, only thought you'd want to know I received an error message when I hit the fix key: 'Unexpected error occurred! Error #52 (Bad file name or number) in Sub Get Long Path (exe".exe). Please report to merjin@spywareinfo.com mentioning what you were doing and what version of Windows you have.'

I think I got the email address right, but it was hard to read in the script. I have XP Professional, if that helps.

Nalyn

#6 YounGun


    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 22 February 2007 - 05:05 AM

Ok, carry on and post the logs I requested.

#7 Nalyn

  • Topic Starter

  • Members
  • 31 posts

Posted 22 February 2007 - 01:51 PM

I've tried numerous times to get the Kaspersky online scanner to install without success. After I click to allow the add-on file and enable ActiveX it goes immediately to the "Welcome to the Kaspersky Online Scanner!" box and dead-ends. I'm not getting a Windows box asking me if I want to install at all. I changed my firewall settings to Medium but still no go. By the way, the Welcome box is about half-sized and I can't maximize or scroll to see if there's more to it. Any ideas?

Here's the HijackThis log at least:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:02 AM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [DigitalDeveloper] C:\Program Files\Photomax Digital Developer\DDStub.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 YounGun


    The malware-fighting kid



Posted 22 February 2007 - 03:11 PM

Okay, I assume you were using Internet Explorer on that.

Let's leave that for later and use AVG Anti-Spyware to scan the PC. Please update AVG Anti-Spyware and run a full system scan. When the scan is finished, click "Apply all actions", then go to the Report section and post the scan report here.

#9 Nalyn

  • Topic Starter


Posted 22 February 2007 - 06:32 PM

Here's the report, only I forgot to Apply All Actions. I could just delete cookies, I guess, only I'm not sure if you wanted me to quarantine or delete them, so I'll run the scan again and Apply All Actions. My computer's not good for much besides scanning right now anyway, as it often slows to a crawl. Also, I'm noticing a square in my tray showing CPU usage at 99%. It goes up and down for no apparent reason. I got a message from Zone Labs Firewall that IE was attempting to track me, I'm guessing from the cookies, and I disallowed that. Something strange happened with ZoneAlarm's Alerts and Logs feature. It seems to have stopped recording several hours ago, only the setting shows logging as enabled. Yes, by the way, I'm running Internet Explorer 7.0.

The Report from AVG:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:53:05 PM 2/22/2007

+ Scan result:



C:\Documents and Settings\jm.BAINDT003.000\Cookies\jm@ehg-kasperskylab.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jm.BAINDT003.000\Cookies\jm@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.


::Report end

#10 Nalyn

  • Topic Starter


Posted 22 February 2007 - 11:41 PM

Update: I got the cookies deleted, didn't have to re-scan after all. Also, my firewall is acting okay again. I don't know what that was. I think the ATF Cleaner may have removed all the log information from my firewall - is that possible? Anyway, my firewall is logging blocked incoming and outgoing messages again. I've been getting that Suspicious Behavior message from Zone Alarm even after deleting the tracking cookies.

Nalyn

#11 YounGun


    The malware-fighting kid



Posted 23 February 2007 - 06:17 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
8. Exit Blacklight and post the contents of the log in your next reply.

#12 Nalyn

  • Topic Starter


Posted 23 February 2007 - 03:29 PM

There was an infected file VundoFix removed. The C:\blbeta.exe/expert command was not recognized; however, I was able to open the application file in the C: drive and run the scanner. Nothing was found. I'll post the logs below, but want to mention that some of the other Trojans found on my computer and (I hope) deleted were TrojanSpy.DBStat.H, DropperAgent.bct, and a Win32.Backdoor something or other (sorry, can't locate the report). Since running VundoFix, my computer is still extremely slow and I'm still getting the Suspicious Behavior firewall message, so I still suspect a further Trojan problem.

VundoFix log:
C:\WINDOWS\System32\jrobleepy.dll

New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:21:16 PM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [DigitalDeveloper] C:\Program Files\Photomax Digital Developer\DDStub.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Blacklight Log:
2/23/07 11:35:06 [Info]: BlackLight Engine 1.0.55 initialized
02/23/07 11:35:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/23/07 11:35:07 [Note]: 7019 4
02/23/07 11:35:07 [Note]: 7005 0
02/23/07 11:36:07 [Note]: 7006 0
02/23/07 11:36:11 [Note]: 7011 1680
02/23/07 11:36:12 [Note]: 7026 0
02/23/07 11:36:12 [Note]: 7026 0
02/23/07 11:36:40 [Note]: FSRAW library version 1.7.1021
02/23/07 11:49:20 [Note]: 2000 1012
02/23/07 11:49:40 [Note]: 7007 0

#13 YounGun


    The malware-fighting kid



Posted 24 February 2007 - 07:09 AM

I asked for the VundoFix log for a reason, so please post it.

#14 Nalyn

  • Topic Starter


Posted 24 February 2007 - 08:49 PM

Oops! Sorry. Here's the correct file (I've run VundoFix several times now, including today - it found and deleted the same file as yesterday. The log starts with the first date I scanned and ends with my scan today):

VundoFix V6.3.5

Checking Java version...

Scan started at 8:14:53 AM 1/30/2007

Listing files found while scanning....

C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\java\evwaswm.bak1
C:\WINDOWS\java\evwaswm.bak2
C:\WINDOWS\java\evwaswm.ini
C:\WINDOWS\java\evwaswm.ini2
C:\WINDOWS\java\evwaswm.tmp
C:\WINDOWS\java\mwsawve.dll
C:\WINDOWS\system32\atxtmhgs.dll
C:\WINDOWS\system32\euhneuli.ini
C:\WINDOWS\system32\ffhruvyn.dll
C:\WINDOWS\system32\gynsqpvk.dll
C:\WINDOWS\system32\iifdb.dll
C:\WINDOWS\system32\iluenhue.dll
C:\WINDOWS\System32\jrobleepy.dll
C:\WINDOWS\System32\jxafbdfm.dll
C:\WINDOWS\System32\lrisllxf.dll
C:\WINDOWS\system32\mgtnwepb.dll
C:\WINDOWS\system32\ojobgeil.dll
C:\WINDOWS\system32\pkwjvsxh.dll
C:\WINDOWS\system32\rfstvpxq.dll
C:\WINDOWS\system32\uryapsce.dll
C:\WINDOWS\System32\vcgousqd.dll
C:\WINDOWS\system32\vwfocybw.exe
C:\WINDOWS\system32\wlehpfbq.dll
C:\WINDOWS\system32\yckmnhds.dll

Beginning removal...

Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!

Attempting to delete C:\WINDOWS\java\evwaswm.bak1
C:\WINDOWS\java\evwaswm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\java\evwaswm.bak2
C:\WINDOWS\java\evwaswm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\java\evwaswm.ini
C:\WINDOWS\java\evwaswm.ini Has been deleted!

Attempting to delete C:\WINDOWS\java\evwaswm.ini2
C:\WINDOWS\java\evwaswm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\java\evwaswm.tmp
C:\WINDOWS\java\evwaswm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\java\mwsawve.dll
C:\WINDOWS\java\mwsawve.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\atxtmhgs.dll
C:\WINDOWS\system32\atxtmhgs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\euhneuli.ini
C:\WINDOWS\system32\euhneuli.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ffhruvyn.dll
C:\WINDOWS\system32\ffhruvyn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gynsqpvk.dll
C:\WINDOWS\system32\gynsqpvk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdb.dll
C:\WINDOWS\system32\iifdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iluenhue.dll
C:\WINDOWS\system32\iluenhue.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\jrobleepy.dll
C:\WINDOWS\System32\jrobleepy.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\jxafbdfm.dll
C:\WINDOWS\System32\jxafbdfm.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\lrisllxf.dll
C:\WINDOWS\System32\lrisllxf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mgtnwepb.dll
C:\WINDOWS\system32\mgtnwepb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ojobgeil.dll
C:\WINDOWS\system32\ojobgeil.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pkwjvsxh.dll
C:\WINDOWS\system32\pkwjvsxh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rfstvpxq.dll
C:\WINDOWS\system32\rfstvpxq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uryapsce.dll
C:\WINDOWS\system32\uryapsce.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\vcgousqd.dll
C:\WINDOWS\System32\vcgousqd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwfocybw.exe
C:\WINDOWS\system32\vwfocybw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wlehpfbq.dll
C:\WINDOWS\system32\wlehpfbq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yckmnhds.dll
C:\WINDOWS\system32\yckmnhds.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.6

Checking Java version...

Scan started at 9:24:01 AM 2/10/2007

Listing files found while scanning....

C:\WINDOWS\System32\jrobleepy.dll
C:\WINDOWS\System32\lrisllxf.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Scan started at 10:38:50 AM 2/23/2007

Listing files found while scanning....

C:\WINDOWS\System32\jrobleepy.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.9

Checking Java version...

Scan started at 5:02:50 PM 2/24/2007

Listing files found while scanning....

C:\WINDOWS\System32\jrobleepy.dll

Beginning removal...

Performing Repairs to the registry.
Done!

#15 YounGun


    The malware-fighting kid



Posted 25 February 2007 - 06:49 AM

OK.

Open HijackThis and check the following line:

O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"

Press "Fix checked".

Do you still get an error?

I noticed you aren't running any antivirus on your computer. That is not a good security practice. I advise you to install AVG's Free Antivirus.

Download KILLBOX and extract it to your desktop.

Open killbox.exe.

First

Click on Tools>Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then,

Click the button titled "Delete Selected Temp Files".

Exit by clicking the Button titled "Exit(Save Settings)"

Once back in the main Killbox program:

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\System32\jrobleepy.dll


Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click Yes to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until the last one, at which time you click Yes to allow the reboot.

I see you have AVG Anti-Spyware installed; please update it and run a full system scan. Post the scan log and a new HijackThis log in your next reply.
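The check applied in this post (an O4 Run entry launching from the browser cache, and a Global Startup shortcut whose target HijackThis shows as "?") can be automated over a saved HijackThis log. The checker below is an added example, not a tool from this thread or from HijackThis; its sample lines are constructed from the log posted above, and the cache/temp folder markers are an assumption about where a legitimate autorun should never live.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [DigitalDeveloper] C:\Program Files\Photomax Digital Developer\DDStub.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
'''

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', re.IGNORECASE)

# Folders a legitimate autorun should essentially never launch from (assumed list).
CACHE_MARKERS = ('temporary internet files', 'content.ie5', '\\temp\\', '\\local settings\\temp')


def _target_path(cmd):
    """Pull the launched file out of a Run value, handling quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd.split()[0]


def parse_o4(line):
    """Return {'kind', 'name', 'path'} for an O4 line, or None for any other line."""
    m = RUN_RE.match(line)
    if m:
        return {'kind': m['hive'] + ' Run', 'name': m['name'], 'path': _target_path(m['cmd'])}
    m = STARTUP_RE.match(line)
    if m:
        return {'kind': 'Global Startup', 'name': m['name'], 'path': m['cmd'].strip()}
    return None


def judge(entry):
    """Reason an O4 entry deserves a look, or None if nothing stands out."""
    low = entry['path'].lower()
    if low == '?':
        return 'startup shortcut whose target HijackThis could not resolve'
    if any(marker in low for marker in CACHE_MARKERS):
        return 'autorun launched from a browser cache or temp folder'
    return None


def audit_hijackthis(text):
    """Walk a HijackThis log and return the O4 entries worth checking, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line.strip())
        if entry is None:
            continue
        reason = judge(entry)
        if reason:
            findings.append({**entry, 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in audit_hijackthis(SAMPLE_LOG):
        print('[%s] %s: %s\n    -> %s' % (f['kind'], f['name'], f['path'], f['reason']))
```

A flagged entry is a lead, not a verdict: a legitimate program with a stale or oddly placed shortcut will also show up, which is why the helper in this thread asks to see the log before anything is fixed.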



