Drive Cleaner


  • This topic is locked
23 replies to this topic

#1 jjcol01

jjcol01

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 25 April 2007 - 06:50 AM

Hi
I've been having problems with pop-ups for a while and have tried a number of programs to try and fix the problem, including AVG Anti-Spyware, Spybot S&D, Ad-Aware SE, SUPERAntiSpyware and SmitFraudFix. Recently I've started having problems with Internet Explorer, with hyperlinks not working and errors shutting down the browser, especially on Hotmail and related sites. Any help would be greatly appreciated.

Thanks

Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:46:33 PM, on 25/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32227629-ebb5-4ea6-b7d7-3db262666bb9} - C:\WINDOWS\system32\h32ale.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B2DE0537-F0DC-478E-BA77-E95A07E52C20} - C:\WINDOWS\System32\rjutqhok.dll (file missing)
O2 - BHO: (no name) - {D48DEAE2-B1BD-45F3-BF6C-7381BFCD7899} - C:\WINDOWS\repair\dobcmxl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vbgtmexn] c:\windows\system32\vbgtmexn.exe vbgtmexn
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [Windows Spool Services] ssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Broken Internet access because of LSP provider 'abcdefgh.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {321F38B6-7E5F-470E-B58C-927523B7AF92} - http://us2-scripts.dlv4.com/binaries/egacc..._1069_em_XP.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: h32ale - h32ale.dll (file missing)
O21 - SSODL: XVauRI - {206918BE-8AC3-B214-15BB-C7DC59CA8F31} - C:\WINDOWS\System32\pvk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 25 April 2007 - 07:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, jjcol01 :thumbsup:

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1;
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note:
Do not install Service Pack 2.
If you install SP2 on an infected machine it will cause serious problems within the operating system.

#3 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 25 April 2007 - 09:38 AM

Ok

I've installed Service Pack 1.

Here is an updated HijackThis log:

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 25 April 2007 - 09:51 AM

Thanks :thumbsup:

It seems you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

When you've done that, restart your PC and post a new HijackThis log into your next reply.
Please don't post your replies as attachments; post them directly into this topic, thanks.

#5 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 25 April 2007 - 10:44 PM

I have installed Active Virus Shield and run a scan.

Here is a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:39:52 PM, on 26/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {32227629-ebb5-4ea6-b7d7-3db262666bb9} - C:\WINDOWS\system32\h32ale.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B2DE0537-F0DC-478E-BA77-E95A07E52C20} - C:\WINDOWS\System32\rjutqhok.dll (file missing)
O2 - BHO: (no name) - {D48DEAE2-B1BD-45F3-BF6C-7381BFCD7899} - C:\WINDOWS\repair\dobcmxl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vbgtmexn] c:\windows\system32\vbgtmexn.exe vbgtmexn
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\RunServices: [Windows Spool Services] ssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Broken Internet access because of LSP provider 'abcdefgh.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {321F38B6-7E5F-470E-B58C-927523B7AF92} - http://us2-scripts.dlv4.com/binaries/egacc..._1069_em_XP.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177506937858
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: h32ale - h32ale.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O21 - SSODL: XVauRI - {206918BE-8AC3-B214-15BB-C7DC59CA8F31} - C:\WINDOWS\System32\pvk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 26 April 2007 - 04:14 AM

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

*********************************

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "abcdefgh.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

*********************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

*********************************

Download/unzip to your desktop AVG Anti-Rootkit Free:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe
Launch AVG, click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
When the scan has finished click on 'Save result to file'.
Copy and paste those results into your next reply.

Also post a new HijackThis log please.

#7 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 26 April 2007 - 08:48 AM

All done.

Here are the logs


SDFix: Version 1.79

Run by James - Thu 26/04/2007 - 22:55:11.95

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
Office Source Engine Help
Runtime

ImagePath:
\??\C:\WINDOWS\System32\main.sys
C:\Program Files\NetMeeting\msmsgs
\??\C:\WINDOWS\System32\drivers\runtime.sys

EXAMPLE - Deleted
Office Source Engine Help - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~3.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~4.DLL - Deleted
C:\543758~1 - Deleted
C:\WINDOWS\system32\cent.exe.exe - Deleted
C:\DOCUME~1\JAMES~1.ME-\LOCALS~1\Temp\ICD1.tmp\wuweb.cat - Deleted
C:\DOCUME~1\JAMES~1.ME-\LOCALS~1\Temp\ICD1.tmp\wuweb.dll - Deleted
C:\DOCUME~1\JAMES~1.ME-\LOCALS~1\Temp\ICD1.tmp\wuweb.inf - Deleted
C:\as.txt - Deleted
C:\WINDOWS\system\svchest.reg - Deleted
C:\WINDOWS\system32\8_exception.nls - Deleted
C:\WINDOWS\system32\max1d164v.exe - Deleted
C:\WINDOWS\system32\TFTP1732 - Deleted
C:\WINDOWS\Temp\kaw - Deleted


Folder C:\DOCUME~1\JAMES~1.ME-\LOCALS~1\Temp\ICD1.tmp - Removed

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\system32\\servics2.exe"="c:\\windows\\system32\\servics2.exe:*:Enabled:servics2"
"C:\\DOCUME~1\\JAMES~1.ME-\\LOCALS~1\\Temp\\5.tmp"="C:\\DOCUME~1\\JAMES~1.ME-\\LOCALS~1\\Temp\\5.tmp:*:Enabled:Server"
"c:\\windows\\system32\\smsse2.exe"="c:\\windows\\system32\\smsse2.exe:*:Enabled:smsse2"
"C:\\WINDOWS\\TEMP\\D.tmp"="C:\\WINDOWS\\TEMP\\D.tmp:*:Enabled:Server"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\JAMES~1.ME-\\LOCALS~1\\Temp\\5.tmp"="C:\\DOCUME~1\\JAMES~1.ME-\\LOCALS~1\\Temp\\5.tmp:*:Enabled:Server"
"C:\\WINDOWS\\TEMP\\D.tmp"="C:\\WINDOWS\\TEMP\\D.tmp:*:Enabled:Server"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP0\A0000005.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000012.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000047.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000060.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000069.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000074.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000079.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP1\A0000084.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP2\A0000120.DLL
C:\System Volume Information\_restore{CE4F240C-2272-4B76-8D03-ABD50332781E}\RP2\A0000127.DLL
C:\Downloads\ceremu_suite(1).exe
C:\Documents and Settings\James\My Documents\~WRL1505.tmp
C:\Documents and Settings\James\My Documents\~WRL1514.tmp
C:\Documents and Settings\James\My Documents\~WRL3519.tmp
C:\Documents and Settings\James\My Documents\~WRL4006.tmp
C:\Documents and Settings\James.ME-OWT4WMPIPASD\My Documents\My Pictures\New Folder\Serious stuff\mhp 5011\~WRL0001.tmp
C:\WINDOWS\system32\hhkmp.tmp

Finished



AVG Anti-Rootkit came up clean with no installed rootkits.

Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:44:29 PM, on 26/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Desktop\AVG Anti-Rootkit Free\avgarkt.exe
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Desktop\AVG Anti-Rootkit Free\eM0Goiww7.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {32227629-ebb5-4ea6-b7d7-3db262666bb9} - C:\WINDOWS\system32\h32ale.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B2DE0537-F0DC-478E-BA77-E95A07E52C20} - C:\WINDOWS\System32\rjutqhok.dll (file missing)
O2 - BHO: (no name) - {D48DEAE2-B1BD-45F3-BF6C-7381BFCD7899} - C:\WINDOWS\repair\dobcmxl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vbgtmexn] c:\windows\system32\vbgtmexn.exe vbgtmexn
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\RunServices: [Windows Spool Services] ssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {321F38B6-7E5F-470E-B58C-927523B7AF92} - http://us2-scripts.dlv4.com/binaries/egacc..._1069_em_XP.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177506937858
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: h32ale - h32ale.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O21 - SSODL: XVauRI - {206918BE-8AC3-B214-15BB-C7DC59CA8F31} - C:\WINDOWS\System32\pvk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 26 April 2007 - 09:55 AM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Indexing Helper (Indexingboxs)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

*******************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have HijackThis fix the following [if still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {32227629-ebb5-4ea6-b7d7-3db262666bb9} - C:\WINDOWS\system32\h32ale.dll (file missing)
O2 - BHO: (no name) - {B2DE0537-F0DC-478E-BA77-E95A07E52C20} - C:\WINDOWS\System32\rjutqhok.dll (file missing)
O2 - BHO: (no name) - {D48DEAE2-B1BD-45F3-BF6C-7381BFCD7899} - C:\WINDOWS\repair\dobcmxl.dll (file missing)
O4 - HKLM\..\Run: [vbgtmexn] c:\windows\system32\vbgtmexn.exe vbgtmexn
O4 - HKLM\..\RunServices: [Windows Spool Services] ssvcc.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {321F38B6-7E5F-470E-B58C-927523B7AF92} - http://us2-scripts.dlv4.com/binaries/egacc..._1069_em_XP.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4..._1070_em_XP.cab
O20 - Winlogon Notify: h32ale - h32ale.dll (file missing)
O21 - SSODL: XVauRI - {206918BE-8AC3-B214-15BB-C7DC59CA8F31} - C:\WINDOWS\System32\pvk.dll (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)


Exit HijackThis, find and delete if present:
c:\windows\system32\vbgtmexn.exe
ssvcc.exe

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your pc is running now please.
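The entries the helper picks out of a HijackThis log above follow a few repeatable patterns: '(file missing)' references to randomly named DLLs, binaries under C:\temp or C:\WINDOWS\repair, a RunServices value, and unnamed O16 ActiveX downloads. The following Python script is an added example (not code from this thread or from HijackThis) that applies those rules to log lines; the severity labels, the suspicious-directory list and the "value name reused as exe name and argument" heuristic are my assumptions, and a quoted service path that HijackThis 1.99.1 reports as missing is only flagged for review.

```python
"""Rule-based triage for HijackThis v1.99.1 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
MISSING = "(file missing)"
# Assumption: no legitimate BHO or service binary lives in these directories.
SUSPICIOUS_DIRS = ("c:\\temp\\", "c:\\windows\\repair\\")


@dataclass(frozen=True)
class Finding:
    section: str   # O2, O4, O23, ...
    severity: str  # "fix": safe to have HJT fix; "check": needs a human look
    reason: str
    line: str


def _o4_finding(rest: str, line: str) -> Optional[Finding]:
    """Rules for O4 autostart entries: '<key>: [<value name>] <command>'."""
    m = O4_RE.match(rest)
    if not m:                      # Global Startup .lnk entries have no [name]; skip
        return None
    name, cmd = m.group("name").lower(), m.group("cmd")
    tokens = cmd.split()
    exe = tokens[0].strip('"').lower() if tokens else ""
    base = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    # The vbgtmexn loader in this thread registered itself as "[name] ...\name.exe name".
    if base == name and name in (t.lower() for t in tokens[1:]):
        return Finding("O4", "fix", "value name reused as exe name and as argument", line)
    if "runservices" in m.group("key").lower():
        return Finding("O4", "fix", "RunServices is a Windows 9x-era key, not used by XP software", line)
    if "\\" not in exe and "%" not in exe:
        return Finding("O4", "check", "bare filename resolved by PATH search; confirm its location", line)
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; returns None for lines that raise no flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    low = rest.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        return Finding(section, "fix", "binary lives in a temp or repair directory", line)
    if MISSING in low:
        path = rest.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()
        # HJT 1.99.1 shows a quoted ImagePath with arguments (avp.exe" -r) as
        # missing even while avp.exe is running: a parser quirk, so review only.
        if '"' in path:
            return Finding(section, "check", "quoted ImagePath with arguments; HJT 1.99.1 parsing quirk", line)
        return Finding(section, "fix", "autostart entry references a file that no longer exists", line)
    if section == "O4":
        return _o4_finding(rest, line)
    if section == "O23" and "unknown owner" in low:
        return Finding(section, "check", "service binary carries no company name", line)
    if section == "O16" and "(" not in rest.split(" - ")[0]:
        return Finding(section, "check", "ActiveX download with no control name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample: entries from this thread's logs plus one benign O4 line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {D48DEAE2-B1BD-45F3-BF6C-7381BFCD7899} - C:\WINDOWS\repair\dobcmxl.dll (file missing)
O4 - HKLM\..\Run: [vbgtmexn] c:\windows\system32\vbgtmexn.exe vbgtmexn
O4 - HKLM\..\RunServices: [Windows Spool Services] ssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O20 - Winlogon Notify: h32ale - h32ale.dll (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:5} {f.section:4} {f.reason}\n      {f.line}")
```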

#9 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 26 April 2007 - 11:54 AM

The computer seems to be running better and I have not had any pop-ups so far. When I restart the computer I get a system error message however.

here are the logs

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:42:45 AM 27/04/2007

+ Scan result:



C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\James.ME-OWT4WMPIPASD\Cookies\james@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 2:51:31 AM, on 27/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177506937858
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 26 April 2007 - 12:37 PM

When I restart the computer I get a system error message however.

Could you let me know the exact wording of that error please.

***********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


#11 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 26 April 2007 - 08:06 PM

The error is:

The system has recovered from a serious error.

Error signature
BCCode : 1000008e BCP1 : C0000005 BCP2 : 804F2A45 BCP3 : F3889760
BCP4 : 00000000 OSVer : 5_1_2600 SP : 0_0 Product : 256_1

Error report contents
C:\WINDOWS\Minidump\Mini042707-04.dmp
C:\DOCUME~1\JAMES~1.ME-\LOCALS~1\Temp\WER2.tmp.dir00\sysdata.x


ComboFix 07-04-27.V - Running from: "C:\Documents and Settings\James.ME-OWT4WMPIPASD\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-27 10:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 23:26 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-04-26 01:05 <DIR> d-------- C:\Program Files\AOL Security Toolbar
2007-04-26 01:04 2,806,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-26 01:04 17,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-04-26 01:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AOL
2007-04-26 00:03 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-04-25 23:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Windows Genuine Advantage
2007-04-25 23:36 <DIR> d-------- C:\WINDOWS\system32\bits
2007-04-25 23:34 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-04-25 23:34 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-04-25 23:34 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-04-25 23:34 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-04-25 23:34 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2007-04-25 23:22 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-25 23:22 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-04-25 23:22 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-04-25 23:22 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-25 23:22 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-04-25 23:22 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-25 19:03 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-25 18:42 <DIR> d-------- C:\DOCUME~1\JAMES~1.ME-\.housecall6.6
2007-04-25 17:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-25 17:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-25 17:38 2,206 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-25 13:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-20 17:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-20 17:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-20 17:23 <DIR> d-------- C:\DOCUME~1\JAMES~1.ME-\APPLIC~1\SUPERAntiSpyware.com
2007-04-20 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-04-16 22:13 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-16 22:11 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-15 11:03 98,304 --a------ C:\WINDOWS\system\cscript.exe
2007-04-15 11:03 97,203 --a------ C:\Temp\Optionsa.exe
2007-04-15 11:03 95 --a------ C:\WINDOWS\system\Hd.vbs
2007-04-15 11:03 222 --a------ C:\WINDOWS\system\gm.BAT
2007-04-15 11:03 2,783 --a------ C:\Temp\unins000.dat
2007-04-15 11:03 2,676 --a------ C:\Temp\options.reg
2007-04-15 11:03 <DIR> d-------- C:\tempsh
2007-04-09 16:48 1,929,216 --a------ C:\WINDOWS\system32\cdintf250.dll
2007-04-09 16:48 1,024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-04-09 16:48 1,024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-04-09 16:48 0 --a------ C:\WINDOWS\system32\ssprs.dll
2007-04-09 16:48 0 --a------ C:\WINDOWS\system32\serauth2.dll
2007-04-09 16:48 0 --a------ C:\WINDOWS\system32\serauth1.dll
2007-04-09 16:48 0 --a------ C:\WINDOWS\system32\nsprs.dll
2007-04-09 16:44 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-04-09 16:44 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-04-09 16:44 <DIR> d-------- C:\Program Files\SPSS GP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-27 10:32 -------- d-------- C:\DOCUME~1\JAMES~1.ME-\APPLIC~1\skype
2007-04-27 00:50 -------- d-------- C:\Program Files\emule
2007-04-25 23:22 -------- d--h----- C:\Program Files\windowsupdate
2007-04-25 13:07 -------- d-------- C:\DOCUME~1\JAMES~1.ME-\APPLIC~1\lavasoft
2007-04-16 23:40 75264 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-16 22:11 540 --a------ C:\WINDOWS\system32\vbgtmexn_navps.dat
2007-04-16 22:11 4486 --a------ C:\WINDOWS\system32\vbgtmexn.dat
2007-04-04 23:24 241066 --a------ C:\WINDOWS\system32\vbgtmexn_nav.dat
2007-03-24 15:28 -------- d-------- C:\Program Files\endnote
2007-03-23 20:02 -------- d-------- C:\DOCUME~1\JAMES~1.ME-\APPLIC~1\teamspeak2
2007-03-08 16:52 -------- d-------- C:\Program Files\divx
2007-03-08 13:36 -------- d-------- C:\Program Files\deskshare
2007-03-08 07:37 -------- d-------- C:\Program Files\sandisk
2007-03-06 22:10 356352 --a------ C:\WINDOWS\esellerateengine.dll
2007-02-23 14:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 14:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 14:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 14:29 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-23 14:29 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-02-23 14:29 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-02-23 14:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 14:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 14:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 14:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 14:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 14:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 14:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-23 14:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 14:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 14:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 14:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 14:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 14:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-16 11:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6}"="C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 10:45:33
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 10:45:37
C:\ComboFix-quarantined-files.txt ... 07-04-27 10:45


04-11-17 15:11	  2296	--a------	C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
05-10-15 15:55	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\hosts.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtaim.dll.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtforum.dll.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtgtal.dll.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmticq.dll.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtwbmail.dll.vir
07-04-16 22:14	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtymsg.dll.vir
07-04-16 23:41	  113	--a------	C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Documents\Settings\desktop.ini.vir
07-04-18 19:46	  36908	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\JAMES~1.ME-\APPLIC~1\Microsoft\60787.dat.vir
07-04-27 10:42	  1268	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DRIVERPP.reg.cf
07-04-27 10:42	  2730	--a------	C:\Qoobox\Quarantine\Registry_backups\services_driverpp.reg.cf


Folder PATH listing
Volume serial number is 71FAE346 2069:18BD
C:\QOOBOX
\---Quarantine
	+---C
	|   |   INSTALL.LOG.vir
	|   |   
	|   +---Documents and Settings
	|   |   \---All Users.WINDOWS
	|   |	   \---Documents
	|   |		   \---Settings
	|   |				   desktop.ini.vir
	|   |				   
	|   +---DOCUME~1
	|   |   \---JAMES~1.ME-
	|   |	   \---APPLIC~1
	|   |		   \---Microsoft
	|   |				   60787.dat.vir
	|   |				   
	|   \---WINDOWS
	|	   |   hosts.vir
	|	   |   
	|	   \---system32
	|			   pfxzmtaim.dll.vir
	|			   pfxzmtforum.dll.vir
	|			   pfxzmtgtal.dll.vir
	|			   pfxzmticq.dll.vir
	|			   pfxzmtwbmail.dll.vir
	|			   pfxzmtymsg.dll.vir
	|			   
	\---Registry_backups
			LEGACY_DRIVERPP.reg.cf
			services_driverpp.reg.cf


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 27 April 2007 - 03:35 AM

Please download Brute Force Uninstaller to your desktop.
• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:)" or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy the part in bold below into notepad and save it as aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vbgtmexn
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vbgtmexn
FileDelete %SYSDIR%\vbgtmexn_navps.dat
FileDelete %SYSDIR%\vbgtmexn_nav.dat
FileDelete %SYSDIR%\vbgtmexn.dat
FileDelete %SYSDIR%\vbgtmexn.exe
FileDelete %SYSDIR%\vbgtmexn_m2s.xml
FileDelete %WINDIR%\vbgtmexn.exe-*.pf



Then, please go to Start > My Computer and navigate to the C:\BFU folder.
• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
• Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
• Press Execute and let it do its job.
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

Reboot and post a new HijackThis log.

Edited by RichieUK, 27 April 2007 - 05:08 AM.


#13 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 27 April 2007 - 05:01 AM

The link for EGDACCESS remover didn't work, but I found it in another post.

Here's the updated HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:55:03 PM, on 27/04/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177506937858
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{A56075CC-57B4-492B-BB9B-F304235BFE5A}: NameServer = 213.203.124.146
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Forgot to mention, no error report on start up

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 27 April 2007 - 05:14 AM

Your log is clean, how's your pc running now please.

#15 jjcol01

jjcol01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 27 April 2007 - 06:03 AM

It seems to be running better now. Thanks for all your help.



