
Trojan Horse Generic3.ggi Hjt Log Attached


  • This topic is locked
11 replies to this topic

#1 skiabe
  • Members
  • 15 posts

Posted 02 April 2007 - 11:41 PM

AVG scan detected a Trojan horse Generic3.GGI but was unable to "cleanse" the system. Housecall Anti-Virus didn't seem to detect it but did find various other things, among them Worm_Locksky.DQ in WINDOWS\system32\sysvx.exe, and couldn't "cleanse" that either. HJT Log follows:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:39 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\sysvx.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINDOWS\system\bplctw32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {AC5E6233-FF60-43B9-AA27-C4F32CBD8042} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {E5806BE0-25EA-42FE-8FD5-93583CEF4E16} - C:\WINDOWS\system32\khbakhb.dll
O4 - HKLM\..\Run: [dmtja.exe] C:\WINDOWS\system32\dmtja.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130293253363
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{833B760B-D476-4F0C-8C16-94950C862E27}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86CA8D4-83CF-4ECD-BB37-B3E91A8349F0}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Thanks,
Andrew
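A small triage script for the log above, added here as an illustration and not part of the original thread or of HijackThis itself: it parses the typed entries, flags the O17 NameServer overrides and the unnamed O2 and O20 entries that the helper later targets, and correlates the DLL that several hooks share. The sample lines are excerpted from the log above; the expected-resolver set is an assumed input the analyst supplies.

```python
"""Triage a HijackThis 1.99 log the way the helper in this thread did:
flag O17 NameServer overrides, unnamed O2 BHOs and O20 Winlogon Notify hooks,
and correlate any module that several persistence entries load."""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "kind body")
Finding = namedtuple("Finding", "rule detail")

# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - C:\WINDOWS\system32\khbakhb.dll",
    r"O2 - BHO: (no name) - {AC5E6233-FF60-43B9-AA27-C4F32CBD8042} - C:\WINDOWS\system32\khbakhb.dll",
    r"O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174",
    r"O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
]

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First Windows path in the entry body, up to its file extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|bat)\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


def parse_log(lines):
    """Return the typed entries (R0, O2, O4, ...) of a HijackThis log;
    the header and the 'Running processes' block are ignored."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def module_of(entry):
    """Lower-cased path of the file an entry loads, or None."""
    m = PATH_RE.search(entry.body)
    return m.group(0).lower() if m else None


def triage(lines, expected_resolvers=frozenset()):
    """Apply the checks the helper applied by hand. expected_resolvers is an
    assumption: the DNS servers this machine should be using (e.g. the ISP's);
    any O17 NameServer outside that set is flagged."""
    entries = parse_log(lines)
    findings = []
    loaders = defaultdict(set)  # module path -> entry kinds that load it

    for e in entries:
        mod = module_of(e)
        if mod:
            loaders[mod].add(e.kind)

        if e.kind == "O17":
            m = NAMESERVER_RE.search(e.body)
            servers = re.split(r"[,\s]+", m.group(1).strip()) if m else []
            rogue = [s for s in servers if s not in expected_resolvers]
            if rogue:
                findings.append(Finding("o17-nameserver", ",".join(rogue)))
        elif e.kind == "O2" and "(no name)" in e.body:
            findings.append(Finding("o2-unnamed-bho", mod))
        elif e.kind == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon,
            # which is why the helper removed this entry together with the BHOs.
            findings.append(Finding("o20-winlogon-notify", mod))

    # One file referenced from several hook types is worth a look on its own.
    for mod, kinds in loaders.items():
        if len(kinds) > 1:
            findings.append(Finding("multi-hook-module",
                                    f"{mod} via {','.join(sorted(kinds))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
```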


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 April 2007 - 08:26 AM

Welcome to the BleepingComputer HijackThis forum, skiabe.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

*********************

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the results file Report.txt, the contents of the logfile C:\fixwareout\report.txt, and a new Hijackthis log please.

#3 skiabe
  • Topic Starter
  • Members
  • 15 posts

Posted 03 April 2007 - 02:09 PM

Here is the report file from SDFix:


SDFix: Version 1.76

Run by Gabriella Klein - Tue 04/03/2007 - 11:53:00.00

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE

ImagePath:
\??\C:\WINDOWS\system32\main.sys

EXAMPLE Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\as.txt - Deleted
C:\WINDOWS\system32\sysvx.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\eyvaaaaa.exe"="C:\\WINDOWS\\system32\\eyvaaaaa.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysvx.exe"="C:\\WINDOWS\\system32\\sysvx.exe:*:Enabled:enable"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\Gabriella Klein\Local Settings\Temp\sbwivpbd.sys
C:\Documents and Settings\Gabriella Klein\My Documents\drafts\~WRL1351.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\drafts\~WRL3128.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Letters\~WRL1342.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Letters\~WRL2515.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Letters\~WRL3272.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL0276.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL1517.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL1557.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2190.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2213.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2302.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2313.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2483.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2555.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2814.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL2816.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\LCS\Report Cards\March\~WRL3669.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\Norumbega, What Ship\~WRL0827.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\Norumbega, What Ship\~WRL0944.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\Norumbega, What Ship\~WRL1161.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\Norumbega, What Ship\~WRL3285.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\Norumbega, What Ship\~WRL4049.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\submissions\~WRL0127.tmp
C:\Documents and Settings\Gabriella Klein\My Documents\submissions\~WRL1848.tmp

Finished
Fixwareout and HJT Log to follow.
Thanks,
Andrew

#4 skiabe
  • Topic Starter
  • Members
  • 15 posts

Posted 03 April 2007 - 02:28 PM

Here is the Fixwareout report (to be followed by HJT Log w/in this post):


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmtja"
HKLM\SOFTWARE\~\Winlogon\ "System"="cshak.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmtja"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\~\currentversion\run "dmtja.exe" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"IEFilter"="C:\\Documents and Settings\\Gabriella Klein\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Filters\\IExpl32d.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Now here is the HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:20:34 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - c:\windows\system32\khbakhb.dll
O2 - BHO: (no name) - {AC5E6233-FF60-43B9-AA27-C4F32CBD8042} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {E5806BE0-25EA-42FE-8FD5-93583CEF4E16} - C:\WINDOWS\system32\khbakhb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130293253363
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{833B760B-D476-4F0C-8C16-94950C862E27}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86CA8D4-83CF-4ECD-BB37-B3E91A8349F0}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Thanks for all your help.
Andrew

#5 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 April 2007 - 02:38 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:


Files to delete:
C:\WINDOWS\system32\khbakhb.dll
C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

#6 skiabe
  • Topic Starter
  • Members
  • 15 posts

Posted 03 April 2007 - 04:57 PM

Downloaded Avenger and followed directions as clearly explained, everything seemed a go. Upon reboot, Avenger report stated that it failed to find the above quoted material. Was just about to copy and paste report when the computer "blue-screened" and restarted itself. THIS IS A NEW EVENT. Avenger log was lost. Should I be reluctant to try again?
BTW AVG scan reported no record of the original Generic3.GGI Trojan Horse.
Please advise.

#7 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 April 2007 - 05:21 PM

Ok, restart your PC and post a new Hijackthis log please.

#8 skiabe
  • Topic Starter
  • Members
  • 15 posts

Posted 03 April 2007 - 07:55 PM

Here's the latest HJT Log (I appreciate your prompt attention):
Logfile of HijackThis v1.99.1
Scan saved at 5:51:17 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {AC5E6233-FF60-43B9-AA27-C4F32CBD8042} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {E5806BE0-25EA-42FE-8FD5-93583CEF4E16} - C:\WINDOWS\system32\khbakhb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lrpqfuxr] C:\jstvyqnk.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130293253363
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{833B760B-D476-4F0C-8C16-94950C862E27}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86CA8D4-83CF-4ECD-BB37-B3E91A8349F0}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Thanks again

#9 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 April 2007 - 06:51 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\SYSTEM32\khbakhb.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

********************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {AC5E6233-FF60-43B9-AA27-C4F32CBD8042} - C:\WINDOWS\system32\khbakhb.dll
O2 - BHO: (no name) - {E5806BE0-25EA-42FE-8FD5-93583CEF4E16} - C:\WINDOWS\system32\khbakhb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{833B760B-D476-4F0C-8C16-94950C862E27}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86CA8D4-83CF-4ECD-BB37-B3E91A8349F0}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\..\{67EB7FD4-8899-430C-A31B-549ED51B7130}: NameServer = 85.255.114.7,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.7 85.255.112.174
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll


Find and delete if present:
C:\WINDOWS\SYSTEM32\khbakhb.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.


Post the AVG Anti-Spyware report, and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

#10 skiabe
  • Topic Starter
  • Members
  • 15 posts

Posted 04 April 2007 - 01:49 PM

When I ran killbox it did not reboot automatically and it gave me the message:
"PendingFileOperations Registry Data has been removed by External Process!"

I rebooted manually.

Here is the AVG Anti-Spyware report:

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:26:39 AM 4/4/2007

+ Scan result:



:mozilla.41:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.42:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.29:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.72:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.73:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.74:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.75:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.76:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.83:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.19:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.51:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.64:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.65:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.66:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.56:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.57:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.58:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.59:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.60:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.61:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.69:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.38:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.79:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.80:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.81:C:\Documents and Settings\Gabriella Klein\Application Data\Mozilla\Firefox\Profiles\ugzl7dax.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

And here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:13 AM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - c:\windows\system32\khbakhb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lrpqfuxr] C:\jstvyqnk.bat
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130293253363
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Thanks Again,
Andrew

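The value of a HijackThis log is in the load points it lists, and the entries worth a second look in the log above are the O2 BHO with no name in system32, the O4 Run value with a random-looking name pointing at a .bat in the root of C:, the O4 value running from a user profile directory, and the O20 Winlogon Notify entry that loads the same DLL as the unnamed BHO. The script below is an added example written for this page, not part of the thread and not HijackThis logic: it parses O2/O4/O20 lines and applies a few triage heuristics (random-looking names, targets in the drive root or a user profile, script extensions in a load point, one file referenced from two load points). The sample lines are copied from the log posted above; the heuristics and their thresholds are this example's own assumptions and a hit is a reason to investigate, not a verdict.

```python
"""Triage of a HijackThis 1.99 log: parse O2 (BHO), O4 (Run key) and O20
(Winlogon Notify) lines and flag load points that deserve a closer look.
Added example; heuristics are assumptions, not HijackThis behaviour."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: O2/O4/O20 lines copied from the HJT log in the post
# above, including known-good lines of each type for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8F5D37E0-DA7E-41D5-878B-AF051B339719} - c:\windows\system32\khbakhb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lrpqfuxr] C:\jstvyqnk.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Gabriella Klein\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O20 - Winlogon Notify: dslkmlhg - C:\WINDOWS\SYSTEM32\khbakhb.dll
"""

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# First executable-looking token of a Run command, quoted or not.
RE_EXE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|bat|cmd|vbs|js|com|scr|pif))"?(?:\s|$)', re.I)
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js", "pif", "scr"}
VOWELS = set("aeiouy")


@dataclass
class Finding:
    kind: str      # O2, O4 or O20
    name: str      # BHO name, Run value name or Notify subkey
    path: str      # file the load point executes
    reasons: list  # why it was flagged


def looks_random(name):
    """Heuristic (assumption): seven or more all-lowercase letters with almost
    no vowels (lrpqfuxr, dslkmlhg) is typical of generated malware names."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 7 or name != name.lower():
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.2


def location_reasons(path):
    """Targets in places installers rarely use, or scripts instead of binaries."""
    p = path.lower()
    reasons = []
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        reasons.append("runs from drive root")
    if "\\documents and settings\\" in p:
        reasons.append("runs from a user profile directory")
    ext = p.rsplit(".", 1)[-1]
    if ext in SCRIPT_EXTS:
        reasons.append("script/legacy extension ." + ext + " in a load point")
    return reasons


def parse(log_text):
    """Return (kind, name, path) triples for the line types handled here."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if m := RE_O2.match(raw):
            entries.append(("O2", m["name"], m["path"]))
        elif m := RE_O4.match(raw):
            exe = RE_EXE.match(m["cmd"])
            entries.append(("O4", m["name"], exe["path"] if exe else m["cmd"]))
        elif m := RE_O20.match(raw):
            entries.append(("O20", m["name"], m["path"]))
    return entries


def triage(log_text):
    entries = parse(log_text)
    # Same DLL registered as a BHO and as a Winlogon Notify handler is a
    # strong signal, so count load-point types per file first.
    kinds_by_file = defaultdict(set)
    for kind, _, path in entries:
        kinds_by_file[path.lower()].add(kind)
    findings = []
    for kind, name, path in entries:
        stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if kind != "O2" and looks_random(name):
            reasons.append("random-looking %s name '%s'" % (kind, name))
        if looks_random(stem):
            reasons.append("random-looking file name '%s'" % stem)
        if kind == "O2" and name == "(no name)" and "\\system32\\" in path.lower():
            reasons.append("unnamed BHO loaded from system32")
        reasons += location_reasons(path)
        kinds = kinds_by_file[path.lower()]
        if len(kinds) > 1:
            reasons.append("same file loaded from " + "+".join(sorted(kinds)))
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %-12s %s" % (f.kind, f.name, f.path))
        for r in f.reasons:
            print("     - " + r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. On the sample it flags four entries: the unnamed BHO and the Winlogon Notify entry (both for the random-looking khbakhb.dll, and both because the same file is loaded from O2 and O20), the lrpqfuxr Run value (random name, .bat in the drive root) and the IEFilter value (runs from the user profile), while the AVG, Messenger, Adobe and Spybot lines pass. The profile-directory rule in particular will also catch legitimate per-user installers, which is why each reason is reported rather than collapsed into a score.
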
#11 RichieUK
Malware Response Team

Posted 04 April 2007 - 04:20 PM

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished it will create a logfile on your desktop.
Please post the entire contents of this logfile into your next reply.

******************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100.
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

#12 RichieUK
Malware Response Team

Posted 25 April 2007 - 08:34 AM

Due to the lack of feedback this topic will now be closed.
If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.