3 Freaky Problems...


16 replies to this topic

#1 flashdoofus

  • Members
  • 21 posts

Posted 12 March 2007 - 03:00 PM

I am currently experiencing 3 strange problems (I'll list the results of my hijackthis logfile at the bottom):

1. When I boot or re-boot, sometimes the taskbar and all my desktop icons are gone (and they never appear after waiting around forever - I can't even call up the task manager with ctrl+alt+delete), so I have to re-boot again.

2. Upon a successful boot, I immediately get an error message saying that my pc can't find "C:\Windows\system32\lsakhcah.dll".

3. Occasional popups and virus warnings after I open a web browser - after I ran a virus scan (multiple times) with AVG (registered version), it keeps telling me that it found "TROJAN HORSE Lop.AX", but it can't delete it. Every hour or so, I'll get subsequent warnings from AVG telling me it found something else. After a while, the speed of my PC seems to slow down considerably.

This only seems to happen after I open a web browser - Lop.AX doesn't seem to do or trigger anything until after a browser window has been opened, assuming that this problem is being caused by this Lop.AX thing.

---------------------------------------------------------------------------------------------------------------------------

I have also used Spyware Doctor, Windows Defender and PestPatrol, but they don't even find Lop.AX, and they tell me that my computer is fine. Any advice that you could give me would be greatly appreciated. Thanks in advance!

-joe (flashdoofus@yahoo.com)

-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:19:15 PM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\system32\svchost.exe
C:\windows\system32\atwtusb.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\windows\system32\TBLMOUSE.EXE
C:\Program Files\Ares\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Documents and Settings\Compaq_Owner\Desktop\aswclnr.exe
C:\Documents and Settings\Compaq_Owner\Desktop\aswclnr.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\taskmgr.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,,,,,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cscsupport.webex.com/client/T23L/support/ieatgpc.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by flashdoofus, 12 March 2007 - 03:02 PM.




#2 Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 17 March 2007 - 10:15 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

It is best to have the most current log possible, so please run HijackThis again.

However, before doing so, please make sure HijackThis is in its own folder.

If you want to keep the program on the Desktop, right click an empty area, select New > Folder, name the folder HijackThis, and place the HijackThis.exe file in it.

HijackThis makes backups of what is fixed/removed, and needs its own folder to create and keep these secure. Backups allow you to restore removed entries, and this option may be necessary.

Run the program from its own folder, and post the new log.

I will be notified, and will be glad to assist you.

Old duck...


#3 flashdoofus
  • Topic Starter

  • Members
  • 21 posts

Posted 24 March 2007 - 06:41 PM

I totally understand about your workload - no worries :) Any advice that you can give me would be great.

I created a folder on my desktop called hijackThis, put the .exe inside of it and ran the program - here is the logfile that I just got:

Logfile of HijackThis v1.99.1
Scan saved at 7:34:41 PM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\windows\system32\atwtusb.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\TBLMOUSE.EXE
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\MACROM~1\FLASH8~2\Flash.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,,,,,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E5006C4-1AAA-4469-B51E-6DE632C6301B} - C:\windows\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {4080E6EA-17E9-78F5-5289-09A0BD506047} - C:\windows\system32\bywhsuh.dll
O2 - BHO: (no name) - {51353BAE-9C7F-4EC9-8BB0-E9EDFA13E0D1} - C:\windows\system32\byxvtus.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: (no name) - {5FF939DE-4367-466F-9796-1605C3987EDF} - C:\windows\system32\vtsqn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\windows\system32\aqmoydrp.dll (file missing)
O2 - BHO: (no name) - {D89B4019-28C5-4284-8F21-2200C2535846} - C:\windows\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {F93C5BFF-16F9-4DC5-B78C-EC46F896EE56} - C:\Program Files\Install Provider\InstallProvider.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cscsupport.webex.com/client/T23L/support/ieatgpc.cab
O20 - Winlogon Notify: byxvtus - byxvtus.dll (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: pmkhh - C:\windows\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmkjg - C:\windows\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks, Aaflac
-Joe

Edited by flashdoofus, 24 March 2007 - 06:42 PM.


#4 Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 24 March 2007 - 09:41 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button.
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Next, run HijackThis, Scan
Check box for:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {3E5006C4-1AAA-4469-B51E-6DE632C6301B} - C:\windows\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {4080E6EA-17E9-78F5-5289-09A0BD506047} - C:\windows\system32\bywhsuh.dll
O2 - BHO: (no name) - {51353BAE-9C7F-4EC9-8BB0-E9EDFA13E0D1} - C:\windows\system32\byxvtus.dll (file missing)
O2 - BHO: (no name) - {5FF939DE-4367-466F-9796-1605C3987EDF} - C:\windows\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\windows\system32\aqmoydrp.dll (file missing)
O2 - BHO: (no name) - {D89B4019-28C5-4284-8F21-2200C2535846} - C:\windows\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {F93C5BFF-16F9-4DC5-B78C-EC46F896EE56} - C:\Program Files\Install Provider\InstallProvider.dll

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm

O20 - Winlogon Notify: byxvtus - byxvtus.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\windows\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmkjg - C:\windows\system32\pmkjg.dll (file missing)


Select: Fix checked

~~~~
Reboot to Safe Mode:
-Restart your computer.
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Search for and remove the following file:
C:\windows\system32\lsakhcah.dll

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies
(You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~~
Still in Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the following:
The AVG AS report, and a new HijackThis log.

Old duck...


#5 flashdoofus
  • Topic Starter

  • Members
  • 21 posts

Posted 26 March 2007 - 02:38 AM

WOW! You really know your stuff...thanks a million!

I don't know if I'm totally out of the woods yet or not, but everything seems to be resolved. The only thing that remains to be somewhat annoying is that my PC still boots up a little slow, but I can live with it unless you know some tricks, like turning off unnecessary startup items via MSCONFIG or something...

Anyway, after a full system scan with AVG, it scanned 151213 objects, and it found no threats or errors and moved nothing to the vault and deleted nothing as well.

I did, however, run a full system scan before I got your feedback, and it put a bunch of stuff in the virus vault - here is the text file that I saved from the vault:

"","","Trojan horse Collected.11.B","C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\xpogyttj.dll","3/14/2007 5:11:12 PM","xpogyttj.dll","74.6 KB"
"","","Trojan horse Collected.11.B","C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\lnusyjvb.dll","3/12/2007 2:31:08 PM","lnusyjvb.dll","74.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\JG8IO98P\lo1[1]","3/9/2007 1:06:46 AM","lo1[1]","275.6 KB"
"","","Trojan horse Generic3.GTG","C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\mstC.tmp","3/11/2007 9:44:16 AM","mstC.tmp","20.5 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SVZXAPNA\lo1[1]","3/11/2007 9:44:16 AM","lo1[1]","275.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SVZXAPNA\lo1[2]","3/11/2007 9:44:16 AM","lo1[2]","275.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SVZXAPNA\lo1[1]","3/10/2007 9:58:07 AM","lo1[1]","275.6 KB"
"","","Adware Generic.SIT","C:\WINDOWS\system32\jupundnf.exe","3/10/2007 9:58:08 AM","jupundnf.exe","86.27 KB"
"","","Trojan horse Generic3.GTG","C:\WINDOWS\system32\winrvc32.dll","3/10/2007 9:58:09 AM","winrvc32.dll","20.5 KB"
"","","Trojan horse Lop.BG","C:\WINDOWS\system32\byxvtus.dll","3/16/2007 12:16:44 PM","byxvtus.dll","26 KB"
"","","Trojan horse Lop.BF","C:\WINDOWS\system32\pmkjg.dll","3/16/2007 12:20:19 PM","pmkjg.dll","275.6 KB"
"","","Trojan horse PSW.Generic3.KGK","C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP362\A0058617.exe","3/16/2007 12:21:56 PM","A0058617.exe","100 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SVZXAPNA\lo1[1]","3/11/2007 6:59:53 PM","lo1[1]","275.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\JG8IO98P\lo1[1]","3/10/2007 4:18:34 PM","lo1[1]","275.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\E3FAJ6J6\lo1[1]","3/10/2007 5:18:29 PM","lo1[1]","275.6 KB"
"","","Trojan horse Generic3.KOE","C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\acbtudmd.dll","3/15/2007 9:45:53 AM","acbtudmd.dll","129 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SVZXAPNA\lo1[1]","3/10/2007 8:18:31 PM","lo1[1]","275.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\E3FAJ6J6\lo1[1]","3/9/2007 4:52:15 PM","lo1[1]","275.6 KB"
"","","Trojan horse Generic3.KOE","C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\tqdffqfs.dll","3/15/2007 5:11:10 PM","tqdffqfs.dll","129 KB"
"","","Trojan horse Collected.11.B","C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pegvkrtv.dll","3/15/2007 5:11:13 PM","pegvkrtv.dll","74.6 KB"
"","","Trojan horse Lop.AX","C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\JG8IO98P\lo1[1]","3/12/2007 9:45:45 AM","lo1[1]","275.6 KB"

/**************************************************************************************/

Here are the results from my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:38 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\system32\atwtusb.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\windows\system32\TBLMOUSE.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,,,,,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E5006C4-1AAA-4469-B51E-6DE632C6301B} - C:\windows\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {4080E6EA-17E9-78F5-5289-09A0BD506047} - C:\windows\system32\bywhsuh.dll
O2 - BHO: (no name) - {51353BAE-9C7F-4EC9-8BB0-E9EDFA13E0D1} - C:\windows\system32\byxvtus.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: (no name) - {5FF939DE-4367-466F-9796-1605C3987EDF} - C:\windows\system32\vtsqn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\windows\system32\aqmoydrp.dll (file missing)
O2 - BHO: (no name) - {D89B4019-28C5-4284-8F21-2200C2535846} - C:\windows\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {F93C5BFF-16F9-4DC5-B78C-EC46F896EE56} - C:\Program Files\Install Provider\InstallProvider.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cscsupport.webex.com/client/T23L/support/ieatgpc.cab
O20 - Winlogon Notify: byxvtus - byxvtus.dll (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: pmkhh - C:\windows\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmkjg - C:\windows\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

/************************************************************************************/

Anyway, thanks again for everything - you really helped me out. Let me know if there's anything else that I should do and if you have any tips or tricks about getting my machine to boot up a little faster. I really appreciate everything - you guys rock:)

#6 Aaflac

  • Malware Response Team
  • 2,307 posts

Posted 27 March 2007 - 10:05 AM

We are not out of the woods yet!!


Please highlight the AVG Virus Vault, and click: Empty Vault

~~~~
Sometimes the real time protection used by Windows Defender interferes with malware cleaning procedures.
To temporarily disable Windows Defender's Real Time Protection, please do the following:

Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender

Please leave Windows Defender disabled during the cleaning process.

Once the system has been deemed free from malware, you can re-enable Windows Defender's Real Time Protection.


~~~~
Next, download the following to the Desktop:
VundoFix.exe
* Double-click VundoFix.exe to run it
* Click: Scan for Vundo
* Once done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* The Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

A log is created and found in C:\vundofix.txt. You need to post this log in your reply.

~~~~
Run HijackThis, Scan
Check box for:


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {3E5006C4-1AAA-4469-B51E-6DE632C6301B} - C:\windows\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {4080E6EA-17E9-78F5-5289-09A0BD506047} - C:\windows\system32\bywhsuh.dll
O2 - BHO: (no name) - {51353BAE-9C7F-4EC9-8BB0-E9EDFA13E0D1} - C:\windows\system32\byxvtus.dll (file missing)
O2 - BHO: (no name) - {5FF939DE-4367-466F-9796-1605C3987EDF} - C:\windows\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\windows\system32\aqmoydrp.dll (file missing)
O2 - BHO: (no name) - {D89B4019-28C5-4284-8F21-2200C2535846} - C:\windows\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {F93C5BFF-16F9-4DC5-B78C-EC46F896EE56} - C:\Program Files\Install Provider\InstallProvider.dll

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm

O20 - Winlogon Notify: byxvtus - byxvtus.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\windows\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmkjg - C:\windows\system32\pmkjg.dll (file missing)


Select: Fix checked

~~~~
Restart in Safe Mode.

~~~~
Search for and remove the following file (bold):
C:\windows\system32\lsakhcah.dll

~~~~
Restart the computer.


~~~~
Download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Please provide the C:\vundofix.txt, the information in the SuperAntiSpyware log and a new HijackThis log in your reply.

Old duck...

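The fix list above singles out three kinds of HijackThis lines: BHOs with "(no name)", Winlogon Notify hooks whose DLL is "(file missing)", and a Run entry that loads a DLL through rundll32. The following Python script is an added example, not code from the thread, from BleepingComputer or from the HijackThis tool: it applies those same heuristics to log lines copied from the log posted earlier in the thread. The severity tiers, the regular expressions and the treatment of rundll32 entries as "review" rather than "high" are my assumptions; a legitimate driver applet like NvCpl.dll is loaded the same way, so that tier only asks the analyst to confirm the publisher.

```python
"""Triage helper for HijackThis-style log lines.

Added example; not code from the thread, from BleepingComputer or from HijackThis.
The heuristics are assumptions modelled on the lines the helper chose to fix above.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {3E5006C4-1AAA-4469-B51E-6DE632C6301B} - C:\windows\system32\pmkjg.dll (file missing)",
    r"O2 - BHO: (no name) - {4080E6EA-17E9-78F5-5289-09A0BD506047} - C:\windows\system32\bywhsuh.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\windows\system32\lsakhcah.dll",setvm',
    r"O20 - Winlogon Notify: byxvtus - byxvtus.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll",
]

# Every HijackThis item starts with a section code such as O2, O4, O20, R3.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A Run entry that starts rundll32 with a DLL living under system32 (quoted or not).
RUNDLL_SYSTEM32_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"]*\\system32\\', re.IGNORECASE)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out.

    Severity tiers are an assumption of this example:
      high   - matches what the helper told the user to fix
      review - loaded in a way malware also uses; confirm the publisher
      low    - stale entry pointing at a file that no longer exists
    """
    match = LINE_RE.match(line.strip())
    if not match:
        return None  # process list, header lines, blanks
    section, body = match.group("section"), match.group("body")
    missing = "(file missing)" in body or "(no file)" in body

    if section == "O2" and "(no name)" in body:
        reason = "unnamed BHO" + (" (orphaned: file missing)" if missing else "")
        return ("high", reason)
    if section == "O20" and missing:
        return ("high", "Winlogon Notify hook whose DLL is missing")
    if section == "O4" and RUNDLL_SYSTEM32_RE.search(body):
        return ("review", "rundll32 Run entry loading a DLL from system32; confirm the publisher")
    if missing:
        return ("low", "entry points at a missing file; stale and safe to remove")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, line, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result is not None:
            findings.append((result[0], line.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage("\n".join(SAMPLE_LINES)):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample, the script reports the Yahoo! URLSearchHook as low, the two unnamed BHOs and the byxvtus Winlogon hook as high, and both rundll32 entries as review; the named Adobe, Google and WgaLogon entries produce nothing.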

#7 flashdoofus

  • Topic Starter
  • Members
  • 21 posts

Posted 30 March 2007 - 02:45 PM

here are the results from vundoFix:

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 12:20:21 AM 3/29/2007

Listing files found while scanning....

C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

...and here are the results from SuperAntiSpyware:

SUPERAntiSpyware Scan Log
Generated 03/29/2007 at 07:55 PM

Application Version : 3.6.1000

Core Rules Database Version : 3209
Trace Rules Database Version: 1219

Scan type : Complete Scan
Total Scan Time : 00:50:47

Memory items scanned : 388
Memory threats detected : 0
Registry items scanned : 7064
Registry threats detected : 3
File items scanned : 55506
File threats detected : 34

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@sixapart.112.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@short-media[2].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.burstnet[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.short-media[2].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.smartadserver[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@xiti[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKU\S-1-5-21-2394274454-4146489803-3982707517-1009\Software\WinAntiVirus Pro 2007
\WA7P
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\INSTALLPROVIDER\SETUP.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058310.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058311.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058318.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058328.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058342.SYS

Trojan.Incestuously
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#incestuously [ {03413bf7-e34c-445b-bfc0-a2b127255871} ]

Malware.SpywareBot
HKU\S-1-5-21-2394274454-4146489803-3982707517-1009\Software\SpywareBot
C:\Program Files\SpywareBot\DataBaseNew.ref
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_51_12.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_51_16.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_57_05.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_57_16.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_17_40_42.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_17_41_08.log
C:\Program Files\SpywareBot\Log
C:\Program Files\SpywareBot\Quarantine
C:\Program Files\SpywareBot\Registry Backups
C:\Program Files\SpywareBot\Settings\CustomScan.stg
C:\Program Files\SpywareBot\Settings\IgnoreList.stg
C:\Program Files\SpywareBot\Settings\ScanInfo.stg
C:\Program Files\SpywareBot\Settings\ScanResults.stg
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg
C:\Program Files\SpywareBot\Settings\Settings.stg
C:\Program Files\SpywareBot\Settings
C:\Program Files\SpywareBot

Adware.VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP362\A0058654.DLL

Trojan.Downloader-Quake11
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP367\A0065509.DLL

Thanks again for all the help!

#8 Aaflac

Posted 31 March 2007 - 10:49 PM

I assume you let SuperAntiSpyware clean any malware it found.

For good measure, please download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do not use it yet.

~~~~
Start the computer in Safe Mode :
-When the machine starts again, just before the Windows icon appears, tap the F8 key
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the keyboard arrow keys.
-Press Enter to boot into Safe Mode.
-Select your usual account

~~~~
Double-click the drweb-cureit.exe file
  • Allow the Express Scan to run
  • A short scan checks the files currently running in memory
  • If something is found, click the yes button when asked if you want to cure it.
  • Once the short scan has finished, Select Object for Scanning appears at the bottom.
  • Mark the drives to scan by clicking on each drive.
    (Select all drives. A red dot shows which drives have been chosen.)
  • Click the green arrow at the right, and the scan starts.
  • Click 'Yes to all' if asked to cure/move any files.
  • When the scan is finished, click the first icon to the left of Object:
  • Then click the next icon right below and select Move Incurable as you'll see in next image:
    This moves a file to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • Next, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to the Desktop. The report is called DrWeb.csv
  • Close Dr.Web CureIt.
  • Next, reboot the computer!! (Files in use are moved/deleted during reboot.)
~~~~
After rebooting, please post the contents of the Dr.Web CureIt log in your reply, along with a new HijackThis log.

Old duck...


#9 flashdoofus

Posted 01 April 2007 - 05:11 PM

Here's the logfile generated from Dr.Web:

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
A0044653.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP331;Adware.Minibug;Incurable.Moved.;
A0050519.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP352;Trojan.DownLoader.19397;Deleted.;
A0050613.dll;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP352;Trojan.Virtumod;Deleted.;
A0056637.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP354;Program.Ardamax;Incurable.Moved.;
A0065506.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP367;Program.Ardamax;Incurable.Moved.;
A0065508.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP367;Adware.TopSearch;Incurable.Moved.;
A0071282.exe;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP389;Trojan.Click.2093;Deleted.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
rxbixv.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
firstopt.js;D:\I386\APPS\APP07896;Probably SCRIPT.Virus;Incurable.Moved.;


...and here's the new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:46 PM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\atwtusb.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\windows\system32\TBLMOUSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,,,,,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cscsupport.webex.com/client/T23L/support/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again for all your help:)

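The Dr.Web CureIt report posted above is one semicolon-separated record per object: file name, directory, verdict, action, with a trailing empty field. The script below is an added example, not code from the thread or from Dr.Web, that parses such a report and summarises what a responder wants to know from it: which verdicts were heuristic ("Probably ..."), which hits live inside System Restore points (they come back if that restore point is ever used), and whether anything was detected but neither deleted nor moved. The record layout and the meaning of the "Probably" prefix are assumptions drawn from the log as posted; the sample lines are copied from it.

```python
"""Summarise a Dr.Web CureIt report (semicolon-separated, one object per line).

Added example; not code from the thread or from Dr.Web. Assumed record layout:
    name;directory;verdict;action;
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: records copied from the Dr.Web report posted in this thread.
SAMPLE_REPORT = """\
inst.exe;C:\\Documents and Settings\\All Users\\Application Data\\AOL Downloads\\AIMSUD338;Probably BACKDOOR.Trojan;Incurable.Moved.;
KillWind.exe;C:\\hp\\bin;Tool.ProcessKill;Incurable.Moved.;
inetchk.exe;C:\\Program Files\\music_now;Trojan.Click.2093;Deleted.;
A0050613.dll;C:\\System Volume Information\\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\\RP352;Trojan.Virtumod;Deleted.;
sb6adts.htc\\Script.0;C:\\WINDOWS\\pchealth\\helpctr\\Vendors\\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\\Scripts\\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\\WINDOWS\\pchealth\\helpctr\\Vendors\\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\\Scripts;Archive contains infected objects;Moved.;
rxbixv.dll;C:\\WINDOWS\\system32;Trojan.DownLoader.based;Deleted.;
"""


@dataclass
class Finding:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def heuristic(self):
        """Dr.Web prefixes non-signature verdicts with 'Probably' (assumption)."""
        return self.verdict.lower().startswith("probably")

    @property
    def in_restore_point(self):
        """Hits under System Volume Information sit in System Restore snapshots."""
        return "\\system volume information\\" in self.directory.lower()

    @property
    def still_present(self):
        """True when the action field records neither a deletion nor a move."""
        return not any(word in self.action for word in ("Deleted", "Moved"))


def parse_report(text):
    """Split each non-empty line on ';' and keep the first four fields."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(";")  # paths contain commas but not semicolons
        if len(parts) < 4:
            raise ValueError(f"unexpected record: {raw!r}")
        findings.append(Finding(*parts[:4]))
    return findings


def unremediated(findings):
    """Names left with no action, ignoring objects nested inside an archive that
    was itself moved or deleted (e.g. 'sb6adts.htc\\Script.0' inside 'sb6adts.htc')."""
    handled = {f.name for f in findings if not f.still_present}
    leftover = []
    for f in findings:
        if not f.still_present:
            continue
        container = f.name.split("\\")[0]
        if container != f.name and container in handled:
            continue
        leftover.append(f.name)
    return leftover


def summarize(findings):
    return {
        "total": len(findings),
        "by_action": dict(Counter(f.action or "(none)" for f in findings)),
        "heuristic_only": [f.name for f in findings if f.heuristic],
        "restore_point_hits": [f.name for f in findings if f.in_restore_point],
        "not_remediated": unremediated(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the sample the nested `sb6adts.htc\Script.0` record has an empty action, but its containing archive was moved, so nothing is reported as unremediated; the single restore-point hit is the kind of entry that motivates clearing old restore points once a machine is declared clean.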
#10 Aaflac

Posted 02 April 2007 - 10:29 PM

The HijackThis log appears clean.

Are you still having malware problems?

Old duck...


#11 flashdoofus

Posted 03 April 2007 - 04:36 PM

So far so good...everything seems to be working fine - thank you!

However, my computer is booting a little slow, but I don't know if this is a malware problem or not...if you know of anything that I can do to speed up the boot process, that would be great.

In any event, thanks again for everything - you really helped me out tremendously! I really appreciate it:)

Joe

#12 Aaflac

Posted 03 April 2007 - 06:23 PM

Here is some guidance for a slow computer:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html


If you are not having malware problems, you are good to go!

Take a good look at the following suggestions to remain malware free:
Tony Klein's article 'How Did I Get Infected In The First Place'
http://forums.spywareinfo.com/index.php?showtopic=60955

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...


Good luck, flashdoofus.

Old duck...


#13 flashdoofus

Posted 04 April 2007 - 02:17 PM

UH-OH...I ran a full system scan with AVG, and it found 3 more bad guys, but it looks like they were already quarantined by dr.web - here's the logfile:

Potentially harmful program Ardamax.AD","C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine\A0056637.exe","4/4/2007 3:04:30 AM","A0056637.exe","490.5 KB"
Potentially harmful program Ardamax.FM","C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine\A0065506.exe","4/4/2007 3:04:31 AM","A0065506.exe","39.77 MB"
Adware Generic.SIT","C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine\A0065508.exe","4/4/2007 3:04:43 AM","A0065508.exe","86.27 KB"

From here, I deleted the files from the vault in AVG, but when I went to the quarantine folder in Dr.Web, I still see a bunch of files in there, and I don't see any option in Dr.Web's interface to allow me to delete the files that are quarantined...

Here are the files that I found in Dr.Web's quarantine folder:

inst.exe
inst__0.exe
setup.exe
(the above 3 have aol icons)

KillWind.exe
A0044653.dll
PPCInstall.dll
sb6adts.htc
descript.ion
firstop.js

From here, I downloaded the Dr.Web update and ran a quick scan (nothing bad was found), but I haven't run a full scan with Dr.Web or done anything else just yet.

I live with my girlfriend, and she has let some of her friends use my computer in the past - this is how I must've gotten infected in the first place (I only go to websites that I know are safe, otherwise, I use my MAC to surf the web).

I don't know how this new malware turned up since nobody on my PC has gone to any potentially harmful websites since this whole mess began. Needless to say, my girlfriend's friends are only allowed to use my MAC from now on!

Anyway, thanks again for all the help...let me know what I should do next...

#14 Aaflac

Posted 06 April 2007 - 10:38 PM

"I don't see any option in Dr.Web's interface to allow me to delete the files that are quarantined..."

Try going to the following location, and delete the files from there:

C:\Program Files\DrWeb\infected

Old duck...


#15 flashdoofus

Posted 08 April 2007 - 01:18 PM

Cool - I deleted the files from dr.web and then I ran a full system scan with SuperAntiSpyware, and these were the results:

SUPERAntiSpyware Scan Log
Generated 03/29/2007 at 07:55 PM

Application Version : 3.6.1000

Core Rules Database Version : 3209
Trace Rules Database Version: 1219

Scan type : Complete Scan
Total Scan Time : 00:50:47

Memory items scanned : 388
Memory threats detected : 0
Registry items scanned : 7064
Registry threats detected : 3
File items scanned : 55506
File threats detected : 34

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@sixapart.112.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@short-media[2].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.burstnet[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.short-media[2].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.smartadserver[1].txt
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@xiti[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKU\S-1-5-21-2394274454-4146489803-3982707517-1009\Software\WinAntiVirus Pro 2007
\WA7P
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\INSTALLPROVIDER\SETUP.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058310.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058311.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058318.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058328.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP359\A0058342.SYS

Trojan.Incestuously
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#incestuously [ {03413bf7-e34c-445b-bfc0-a2b127255871} ]

Malware.SpywareBot
HKU\S-1-5-21-2394274454-4146489803-3982707517-1009\Software\SpywareBot
C:\Program Files\SpywareBot\DataBaseNew.ref
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_51_12.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_51_16.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_57_05.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_14_57_16.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_17_40_42.log
C:\Program Files\SpywareBot\Log\log_2007_03_08_17_41_08.log
C:\Program Files\SpywareBot\Log
C:\Program Files\SpywareBot\Quarantine
C:\Program Files\SpywareBot\Registry Backups
C:\Program Files\SpywareBot\Settings\CustomScan.stg
C:\Program Files\SpywareBot\Settings\IgnoreList.stg
C:\Program Files\SpywareBot\Settings\ScanInfo.stg
C:\Program Files\SpywareBot\Settings\ScanResults.stg
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg
C:\Program Files\SpywareBot\Settings\Settings.stg
C:\Program Files\SpywareBot\Settings
C:\Program Files\SpywareBot

Adware.VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP362\A0058654.DLL

Trojan.Downloader-Quake11
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP367\A0065509.DLL

From here, I fired up HijackThis, and these are the results of the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:40 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alarm\AlarmMonitor.exe
C:\Program Files\Alarm\Alarm Tray.exe
C:\windows\system32\atwtusb.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\rundll32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\TBLMOUSE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,,,,,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cscsupport.webex.com/client/T23L/support/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Talking Alarm Clock user logon monitor (AlarmClockMonitor) - Cinnamon Software Inc. - C:\Program Files\Alarm\AlarmMonitor.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Get this, I installed a Windows XP update and I got an error message popping up every time I booted my machine telling me that my driver for my graphics card (the one that came with my pc (ATI), not my current one) "failed to initialize - the ATI control panel is going to close", and another error message saying, "application_executable_name - Illegal System DLL Relocation

The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL."


After doing some research, I found out that the Microsoft update was causing the problem and that there was info about it, including a patch available from Microsoft's website, but this patch didn't clear up the problem with the ATI driver, so I did a system restore and rolled it back to the date when we thought everything was okay (April 2nd) and this ultimately solved the problem...maybe the rollback is somehow responsible for this new malware...?

In any event, this is the link to the Microsoft patch / info in case anyone else has this problem:
http://support.microsoft.com/kb/935448/

Everything seems to be working fine now, but it'd be cool if you could check out my latest HijackThis logfile - Sorry to keep hassling you with all of this...I really appreciate all your hard work and efforts that you've devoted towards helping me out - hopefully, everything is resolved now - I'm sure you're sick of me by now!

Thanks again :)
