
Smitfraud-c Toolbar Removal Help


This topic is locked. 13 replies to this topic.

#1 Rangz (Members, 12 posts)

Posted 25 April 2007 - 10:56 PM

Hi guys,

I've had the SmitFraud and SmitFraud-c Toolbar bugs on my computer for just over a week now. I'm pretty sure I acquired them when I (less than legally) tried to obtain a passkey for Norton AV 2007. I learned my lesson pretty much straight away and bought the program, but I'm left with the remnants of my mistake.

Any and all help will be really appreciated. I may even have more buggy stuff on my computer, but the SmitFraud boys are the ones which don't seem to go away.

Here's my HijackThis log:

------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:50:00 AM, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [onciki.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\onciki.dll,latgqme
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ljsnbmnb.dll",setvm
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ruoizr.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ruoizr.dll,taafrpf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [dtxlmv.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dtxlmv.dll,qklblte
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [zpanuyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zpanuyd.dll,kxkahh
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\iukfmidr.dll",realset
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{927714E4-F388-44C2-8BBC-27D957B6ACC3}: Domain = wa.bigpond.net.au
O18 - Protocol: dadb - {82D6F09F-4AC2-11D3-8BD9-0080ADB8683C} - C:\Program Files\OrangeCD\dadb.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 28 April 2007 - 09:33 AM

Hello,

* Download Combofix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Rangz, Topic Starter (Members, 12 posts)

Posted 28 April 2007 - 10:52 AM

Cheers for your help!

Here's the ComboFix text:

"Owner" - 07-04-28 23:18:52 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\eftgddrj.dll
C:\WINDOWS\system32\awttqqp.dll
C:\WINDOWS\system32\winosz32.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\awturom.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\SKS~1
C:\qoobox\purity\C\Program Files\Common Files\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-26 12:59 53,248 --a------ C:\WINDOWS\system32\bfdcaaebedbfaea.dll
2007-04-26 12:56 86,528 --a------ C:\WINDOWS\system32\yefxwdl.dll
2007-04-26 12:56 64,000 --a------ C:\WINDOWS\system32\artafpk.dll
2007-04-26 11:17 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2007-04-26 11:17 <DIR> d-------- C:\Program Files\Kerio
2007-04-26 00:51 132,660 --a------ C:\WINDOWS\system32\iukfmidr.dll
2007-04-24 19:58 86,528 --a------ C:\WINDOWS\system32\zpanuyd.dll
2007-04-24 19:58 63,488 --a------ C:\WINDOWS\system32\rawiqgc.dll
2007-04-15 20:32 86,016 --a------ C:\WINDOWS\system32\mpwizoc.dll
2007-04-15 20:32 63,488 --a------ C:\WINDOWS\system32\atfroil.dll
2007-04-13 23:42 87,040 --a------ C:\WINDOWS\system32\dtxlmv.dll
2007-04-13 23:42 63,488 --a------ C:\WINDOWS\system32\enjzzqi.dll
2007-04-12 18:25 86,528 --a------ C:\WINDOWS\system32\gwlgtyb.dll
2007-04-12 18:25 63,488 --a------ C:\WINDOWS\system32\hopowkl.dll
2007-04-12 18:16 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-04-12 17:43 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-12 17:42 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-12 17:42 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-06 12:41 518,498 --ahs---- C:\WINDOWS\system32\xbadd.ini2
2007-04-05 21:44 <DIR> d-------- C:\!KillBox
2007-04-01 21:14 87,040 --a------ C:\WINDOWS\system32\ruoizr.dll
2007-04-01 21:14 63,488 --a------ C:\WINDOWS\system32\cwxtbxi.dll
2007-04-01 14:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-01 14:17 86,528 --a------ C:\WINDOWS\system32\xhfuvlg.dll
2007-04-01 14:17 63,488 --a------ C:\WINDOWS\system32\lhlyrrj.dll
2007-04-01 12:20 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-01 12:16 <DIR> d-------- C:\Program Files\RogueRemover
2007-03-30 10:23 515,435 --ahs---- C:\WINDOWS\system32\xbadd.bak2
2007-03-30 10:23 <DIR> d-------- C:\DOCUME~1\Adrian\APPLIC~1\Lavasoft
2007-03-29 10:09 516,762 --ahs---- C:\WINDOWS\system32\xbadd.bak1
2007-03-29 10:02 86,528 --a------ C:\WINDOWS\system32\uqryjhd.dll
2007-03-29 10:02 64,000 --a------ C:\WINDOWS\system32\aebozji.dll
2007-03-28 23:26 <DIR> d-------- C:\VundoFix Backups
2007-03-28 22:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TrojanHunter
2007-03-28 22:52 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-03-28 17:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-03-28 14:44 86,528 --a------ C:\WINDOWS\system32\iwohaxi.dll
2007-03-28 14:44 63,488 --a------ C:\WINDOWS\system32\usvsotg.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 09:19 119 --a------ C:\DOCUME~1\Owner\APPLIC~1\iscrobbler.ini
2007-04-26 11:46 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-26 11:17 -------- d--h----- C:\Program Files\installshield installation information
2007-04-18 18:11 -------- d-------- C:\Program Files\soulseek
2007-04-12 18:39 -------- d-------- C:\Program Files\call of duty
2007-04-12 18:35 -------- d-------- C:\Program Files\stardock
2007-04-12 17:44 -------- d-------- C:\Program Files\symantec
2007-04-09 20:08 -------- d-------- C:\Program Files\ephpod
2007-04-09 11:37 -------- d-------- C:\Program Files\itunes
2007-04-09 11:36 -------- d-------- C:\Program Files\ipod
2007-04-06 15:07 96256 --a------ C:\WINDOWS\system32\drivers\sptd1181.sys
2007-04-05 22:38 -------- d-------- C:\Program Files\smartftp client 2.0
2007-04-05 22:28 -------- d-------- C:\Program Files\hewlett-packard
2007-04-04 17:13 -------- d-------- C:\Program Files\dvd collector
2007-03-28 09:02 -------- d-------- C:\Program Files\daemon tools
2007-03-27 22:11 87040 --a------ C:\WINDOWS\system32\onciki.dll
2007-03-27 22:11 64000 --a------ C:\WINDOWS\system32\bmgojgh.dll
2007-03-17 21:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-13 21:07 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-13 20:44 -------- d-------- C:\Program Files\google
2007-03-13 20:44 -------- d-------- C:\Program Files\divx
2007-03-08 23:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 14:33 -------- d-------- C:\Program Files\quicktime
2007-02-23 12:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 12:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 12:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 12:29 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-02-23 12:29 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-02-23 12:29 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-02-23 12:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 12:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 12:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 12:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 12:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-23 12:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 12:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 12:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 12:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-16 09:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-06 04:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{06EE6C8E-48A9-27A2-D0F5-04E9543260E1} C:\WINDOWS\system32\usvsotg.dll
{162CFDE7-2422-403B-897B-76071D9E255e} C:\WINDOWS\system32\iifkqidk.dll [x]
{23FD9706-9AA1-5722-CD8F-0A329739A14A} C:\WINDOWS\system32\artafpk.dll
{2F3BF69F-6BAB-4816-B2F1-B07EAE04F18E} C:\WINDOWS\system32\ddabc.dll [x]
{3D4B1868-33B7-42CF-46A5-0B4A7D7F1789} C:\WINDOWS\system32\bmgojgh.dll
{41D050B0-305C-D8BD-C080-0297C19D1ADC} C:\WINDOWS\system32\rawiqgc.dll
{43E21256-16A2-DD7D-554B-04054C8179BA} C:\WINDOWS\system32\cwxtbxi.dll
{4BE3A037-3E85-57ED-E0B0-0B0896044A64} C:\WINDOWS\system32\atfroil.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{6095E398-41FF-211D-8919-052292CF54A2} C:\WINDOWS\system32\hopowkl.dll
{61D99BB0-DD62-BBE9-5021-0162C48A6398} C:\WINDOWS\system32\aebozji.dll
{630CB7F2-335E-9C5F-5370-0034912F5085} C:\WINDOWS\system32\enjzzqi.dll
{6C7AC8ED-DBC2-54D4-0D41-08F33D1942C1} C:\WINDOWS\system32\lhlyrrj.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{8EC4B0B4-A15D-4054-9E04-D4394B46E818} C:\WINDOWS\system32\mljjh.dll [x]
{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05} C:\WINDOWS\system32\xxywuvw.dll [x]
{AA2866FB-A89D-468D-B1CE-468A185D90B1} C:\WINDOWS\system32\iifkqidk.dll [x]
{AAEC87EF-A0F9-4F5B-B9B7-92C1ABEBDCF3} C:\WINDOWS\system32\mljjh.dll [x]
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{C1C7E88A-054A-460E-8BCC-D0B7D2780857} C:\WINDOWS\system32\ddabc.dll [x]
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\eftgddrj.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"onciki.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\onciki.dll,latgqme"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"ruoizr.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ruoizr.dll,taafrpf"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"dtxlmv.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\dtxlmv.dll,qklblte"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"zpanuyd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zpanuyd.dll,kxkahh"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\iukfmidr.dll\",realset"
"yefxwdl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yefxwdl.dll,dzsieg"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bfdcaaebedbfaea
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywuvw

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 23:42:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-28 23:45:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-28 23:45


And here's the hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 11:46:32 PM, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06EE6C8E-48A9-27A2-D0F5-04E9543260E1} - C:\WINDOWS\system32\usvsotg.dll
O2 - BHO: (no name) - {162CFDE7-2422-403B-897B-76071D9E255e} - C:\WINDOWS\system32\iifkqidk.dll (file missing)
O2 - BHO: (no name) - {23FD9706-9AA1-5722-CD8F-0A329739A14A} - C:\WINDOWS\system32\artafpk.dll
O2 - BHO: (no name) - {2F3BF69F-6BAB-4816-B2F1-B07EAE04F18E} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {3D4B1868-33B7-42CF-46A5-0B4A7D7F1789} - C:\WINDOWS\system32\bmgojgh.dll
O2 - BHO: (no name) - {41D050B0-305C-D8BD-C080-0297C19D1ADC} - C:\WINDOWS\system32\rawiqgc.dll
O2 - BHO: (no name) - {43E21256-16A2-DD7D-554B-04054C8179BA} - C:\WINDOWS\system32\cwxtbxi.dll
O2 - BHO: (no name) - {4BE3A037-3E85-57ED-E0B0-0B0896044A64} - C:\WINDOWS\system32\atfroil.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6095E398-41FF-211D-8919-052292CF54A2} - C:\WINDOWS\system32\hopowkl.dll
O2 - BHO: (no name) - {61D99BB0-DD62-BBE9-5021-0162C48A6398} - C:\WINDOWS\system32\aebozji.dll
O2 - BHO: (no name) - {630CB7F2-335E-9C5F-5370-0034912F5085} - C:\WINDOWS\system32\enjzzqi.dll
O2 - BHO: (no name) - {6C7AC8ED-DBC2-54D4-0D41-08F33D1942C1} - C:\WINDOWS\system32\lhlyrrj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8EC4B0B4-A15D-4054-9E04-D4394B46E818} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05} - C:\WINDOWS\system32\xxywuvw.dll (file missing)
O2 - BHO: (no name) - {AA2866FB-A89D-468D-B1CE-468A185D90B1} - C:\WINDOWS\system32\iifkqidk.dll (file missing)
O2 - BHO: (no name) - {AAEC87EF-A0F9-4F5B-B9B7-92C1ABEBDCF3} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C1C7E88A-054A-460E-8BCC-D0B7D2780857} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\eftgddrj.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [onciki.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\onciki.dll,latgqme
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ruoizr.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ruoizr.dll,taafrpf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [dtxlmv.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dtxlmv.dll,qklblte
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [zpanuyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zpanuyd.dll,kxkahh
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\iukfmidr.dll",realset
O4 - HKLM\..\Run: [yefxwdl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yefxwdl.dll,dzsieg
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{927714E4-F388-44C2-8BBC-27D957B6ACC3}: Domain = wa.bigpond.net.au
O18 - Protocol: dadb - {82D6F09F-4AC2-11D3-8BD9-0080ADB8683C} - C:\Program Files\OrangeCD\dadb.dll
O20 - Winlogon Notify: bfdcaaebedbfaea - C:\WINDOWS\system32\bfdcaaebedbfaea.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxywuvw - xxywuvw.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:11 AM

Posted 28 April 2007 - 11:05 AM

Hello,

Still a lot we have to delete here, so it's important you follow the next instructions in the right order...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {06EE6C8E-48A9-27A2-D0F5-04E9543260E1} - C:\WINDOWS\system32\usvsotg.dll
O2 - BHO: (no name) - {162CFDE7-2422-403B-897B-76071D9E255e} - C:\WINDOWS\system32\iifkqidk.dll (file missing)
O2 - BHO: (no name) - {23FD9706-9AA1-5722-CD8F-0A329739A14A} - C:\WINDOWS\system32\artafpk.dll
O2 - BHO: (no name) - {2F3BF69F-6BAB-4816-B2F1-B07EAE04F18E} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {3D4B1868-33B7-42CF-46A5-0B4A7D7F1789} - C:\WINDOWS\system32\bmgojgh.dll
O2 - BHO: (no name) - {41D050B0-305C-D8BD-C080-0297C19D1ADC} - C:\WINDOWS\system32\rawiqgc.dll
O2 - BHO: (no name) - {43E21256-16A2-DD7D-554B-04054C8179BA} - C:\WINDOWS\system32\cwxtbxi.dll
O2 - BHO: (no name) - {4BE3A037-3E85-57ED-E0B0-0B0896044A64} - C:\WINDOWS\system32\atfroil.dll
O2 - BHO: (no name) - {6095E398-41FF-211D-8919-052292CF54A2} - C:\WINDOWS\system32\hopowkl.dll
O2 - BHO: (no name) - {61D99BB0-DD62-BBE9-5021-0162C48A6398} - C:\WINDOWS\system32\aebozji.dll
O2 - BHO: (no name) - {630CB7F2-335E-9C5F-5370-0034912F5085} - C:\WINDOWS\system32\enjzzqi.dll
O2 - BHO: (no name) - {6C7AC8ED-DBC2-54D4-0D41-08F33D1942C1} - C:\WINDOWS\system32\lhlyrrj.dll
O2 - BHO: (no name) - {8EC4B0B4-A15D-4054-9E04-D4394B46E818} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05} - C:\WINDOWS\system32\xxywuvw.dll (file missing)
O2 - BHO: (no name) - {AA2866FB-A89D-468D-B1CE-468A185D90B1} - C:\WINDOWS\system32\iifkqidk.dll (file missing)
O2 - BHO: (no name) - {AAEC87EF-A0F9-4F5B-B9B7-92C1ABEBDCF3} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {C1C7E88A-054A-460E-8BCC-D0B7D2780857} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\eftgddrj.dll (file missing)
O4 - HKLM\..\Run: [onciki.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\onciki.dll,latgqme
O4 - HKLM\..\Run: [ruoizr.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ruoizr.dll,taafrpf
O4 - HKLM\..\Run: [dtxlmv.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dtxlmv.dll,qklblte
O4 - HKLM\..\Run: [zpanuyd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zpanuyd.dll,kxkahh
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\iukfmidr.dll",realset
O4 - HKLM\..\Run: [yefxwdl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yefxwdl.dll,dzsieg
O20 - Winlogon Notify: bfdcaaebedbfaea - C:\WINDOWS\system32\bfdcaaebedbfaea.dll
O20 - Winlogon Notify: xxywuvw - xxywuvw.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

REBOOT your computer. Important!!!!

After reboot,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the next files and folders:

C:\WINDOWS\system32\bfdcaaebedbfaea.dll
C:\WINDOWS\system32\yefxwdl.dll
C:\WINDOWS\system32\artafpk.dll
C:\WINDOWS\system32\iukfmidr.dll
C:\WINDOWS\system32\zpanuyd.dll
C:\WINDOWS\system32\rawiqgc.dll
C:\WINDOWS\system32\mpwizoc.dll
C:\WINDOWS\system32\atfroil.dll
C:\WINDOWS\system32\dtxlmv.dll
C:\WINDOWS\system32\enjzzqi.dll
C:\WINDOWS\system32\gwlgtyb.dll
C:\WINDOWS\system32\hopowkl.dll
C:\WINDOWS\system32\xbadd.ini2
C:\!KillBox <== folder, since we don't need the files it killboxed anyway
C:\Qoobox <== folder, same reason as above
C:\WINDOWS\system32\ruoizr.dll
C:\WINDOWS\system32\cwxtbxi.dll
C:\WINDOWS\system32\xhfuvlg.dll
C:\WINDOWS\system32\lhlyrrj.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\uqryjhd.dll
C:\WINDOWS\system32\aebozji.dll
C:\WINDOWS\system32\iwohaxi.dll
C:\WINDOWS\system32\usvsotg.dll
C:\WINDOWS\system32\onciki.dll
C:\WINDOWS\system32\bmgojgh.dll

Don't worry if you can't delete some... we'll see afterwards.

Open Notepad and copy and paste what is present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}"=-

[-HKEY_CLASSES_ROOT\CLSID\{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, rerun Combofix and post the log you get together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
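The removal instructions in post #4 above touch four Windows load points (BHO CLSIDs, HKLM Run entries launched through rundll32, Winlogon Notify packages and a ShellExecuteHook), and the entries they remove share a pattern: unnamed BHOs, orphaned "(file missing)" references, and DLLs with generated lowercase names in system32. The following Python script is an added example and is not part of the thread or of any BleepingComputer tool: it parses HijackThis-style log lines for those sections, applies those heuristics to decide which entries deserve removal review, and builds the same REGEDIT4 fix for a ShellExecuteHook CLSID that the post uses. The allowlist, the randomness rule and the sample lines are constructed for the example; the sample lines are copied from logs in this thread.

```python
"""Triage of HijackThis log lines for the load points cleaned up in this thread.

Heuristics, not signatures: every rule below is an assumption made for this
example. Only O2 (BHO), O4 (Run), O20 (Winlogon Notify) and O21 (SSODL) lines
are assessed, because those are the sections the removal instructions target.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Allowlist of DLLs legitimately registered at these load points on the machine
# in the thread (constructed for this example). Matching by name is weak; in a
# real triage verify the file's hash or signature as well.
KNOWN_GOOD = {
    "acroiehelper.dll", "acroiefavclient.dll", "sdhelper.dll", "ssv.dll",
    "wgalogon.dll", "wpdshserviceobj.dll", "sispower.dll",
}
ASSESSED_SECTIONS = {"O2", "O4", "O20", "O21"}

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
DLL_RE = re.compile(r"([\w.~-]+\.dll)", re.IGNORECASE)  # last path component
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?,(\w+)', re.IGNORECASE)


@dataclass
class Finding:
    section: str            # HijackThis section tag: O2, O4, O20 or O21
    raw: str                # the original log line
    dll: Optional[str]      # lower-cased basename of the DLL the entry loads
    clsid: Optional[str]    # CLSID for BHO / SSODL entries, if present
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Assumed rule for the generated names in this thread (usvsotg, mljjh,
    bfdcaaebedbfaea, ...): a stem of at least five ASCII letters, all lowercase,
    with no digits, case changes or separators. Short legit names such as
    ssv.dll are handled by the allowlist, not by this rule."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 5 and stem.isascii() and stem.isalpha() and stem.islower()


def assess(line: str) -> Optional[Finding]:
    """Return a Finding with one or more reasons when the line deserves removal
    review, or None when the line is outside the assessed sections, allowlisted,
    or matches none of the heuristics."""
    m = SECTION_RE.match(line.strip())
    if not m or m.group(1) not in ASSESSED_SECTIONS:
        return None
    section, body = m.groups()
    dll_m = DLL_RE.search(body)
    dll = dll_m.group(1).lower() if dll_m else None
    if dll in KNOWN_GOOD:
        return None
    clsid_m = CLSID_RE.search(body)
    f = Finding(section, line.strip(), dll, clsid_m.group(0) if clsid_m else None)

    if section == "O2" and "(no name)" in body:
        f.reasons.append("BHO registered without a display name")
    if "(file missing)" in body:
        f.reasons.append("load point refers to a file that no longer exists (orphaned entry)")
    if dll and looks_random(dll):
        f.reasons.append(f"random-looking DLL name {dll}")
    r = RUNDLL_RE.search(body)
    if section == "O4" and r and looks_random(r.group(2)):
        f.reasons.append(f"rundll32 entry point {r.group(2)} looks generated")
    if section == "O20" and dll:
        f.reasons.append("Winlogon Notify DLL: mapped into winlogon.exe, so it survives a normal delete")
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Assess every line of a HijackThis log and keep the ones with reasons."""
    return [f for f in (assess(line) for line in log_text.splitlines()) if f]


def reg_remove_shell_execute_hook(clsid: str) -> str:
    """Build the REGEDIT4 fix used in the thread: remove the hook value and the
    CLSID key so the hook cannot be re-registered from the class entry."""
    if not CLSID_RE.fullmatch(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]\n"
        f'"{clsid}"=-\n\n'
        f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]\n"
    )


# Sample input, constructed for the example from lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {06EE6C8E-48A9-27A2-D0F5-04E9543260E1} - C:\WINDOWS\system32\usvsotg.dll
O2 - BHO: (no name) - {904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05} - C:\WINDOWS\system32\xxywuvw.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [onciki.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\onciki.dll,latgqme
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\iukfmidr.dll",realset
O20 - Winlogon Notify: bfdcaaebedbfaea - C:\WINDOWS\system32\bfdcaaebedbfaea.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.dll or '-':<24}{'; '.join(f.reasons)}")
        print("    ", f.raw)
    print(reg_remove_shell_execute_hook("{904CCFDB-F34A-4A0A-8B09-B2F33A4FBF05}"))
```

On the sample the script flags the five generated-name entries and leaves the Adobe, Spybot, SiS, WGA and WPD entries alone; the O23 line with "(file missing)" is skipped on purpose, because HijackThis reports that for legitimately quoted service paths. The order the post follows also matters for a script like this: remove the registry load points first, reboot, then delete the files, since a Winlogon Notify DLL stays mapped into winlogon.exe until the next boot, which is exactly why one file in this thread could not be deleted by hand.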

#5 Rangz (Topic Starter)

Posted 28 April 2007 - 11:38 AM

Thanks again. (The only .dll file I couldn't delete was bfdcaaebedbfaea.dll, as it was tied to winlogon.exe, which was still running.) Here's my updated ComboFix txt:

"Owner" - 07-04-29 0:28:04 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


2007-04-28 23:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 12:59 53,248 --a------ C:\WINDOWS\system32\bfdcaaebedbfaea.dll
2007-04-26 11:17 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2007-04-26 11:17 <DIR> d-------- C:\Program Files\Kerio
2007-04-12 18:16 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-04-12 17:43 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-12 17:42 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-12 17:42 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-01 14:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-01 12:16 <DIR> d-------- C:\Program Files\RogueRemover
2007-03-30 10:23 <DIR> d-------- C:\DOCUME~1\Adrian\APPLIC~1\Lavasoft
2007-03-28 23:26 <DIR> d-------- C:\VundoFix Backups
2007-03-28 22:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TrojanHunter
2007-03-28 22:52 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-03-28 17:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-29 00:02 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-28 09:19 119 --a------ C:\DOCUME~1\Owner\APPLIC~1\iscrobbler.ini
2007-04-26 11:17 -------- d--h----- C:\Program Files\installshield installation information
2007-04-18 18:11 -------- d-------- C:\Program Files\soulseek
2007-04-12 18:39 -------- d-------- C:\Program Files\call of duty
2007-04-12 18:35 -------- d-------- C:\Program Files\stardock
2007-04-12 17:44 -------- d-------- C:\Program Files\symantec
2007-04-09 20:08 -------- d-------- C:\Program Files\ephpod
2007-04-09 11:37 -------- d-------- C:\Program Files\itunes
2007-04-09 11:36 -------- d-------- C:\Program Files\ipod
2007-04-06 15:07 96256 --a------ C:\WINDOWS\system32\drivers\sptd1181.sys
2007-04-05 22:38 -------- d-------- C:\Program Files\smartftp client 2.0
2007-04-05 22:28 -------- d-------- C:\Program Files\hewlett-packard
2007-04-04 17:13 -------- d-------- C:\Program Files\dvd collector
2007-03-28 09:02 -------- d-------- C:\Program Files\daemon tools
2007-03-17 21:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-13 21:07 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-13 20:44 -------- d-------- C:\Program Files\google
2007-03-13 20:44 -------- d-------- C:\Program Files\divx
2007-03-08 23:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 14:33 -------- d-------- C:\Program Files\quicktime
2007-02-23 12:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 12:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 12:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 12:29 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-02-23 12:29 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-02-23 12:29 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-02-23 12:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 12:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 12:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 12:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 12:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-23 12:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 12:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 12:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 12:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-16 09:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-06 04:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bfdcaaebedbfaea

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 00:32:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-29 0:33:15
C:\ComboFix-quarantined-files.txt ... 07-04-29 00:33
C:\ComboFix2.txt ... 07-04-28 23:45

And my updated hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:36 AM, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{927714E4-F388-44C2-8BBC-27D957B6ACC3}: Domain = wa.bigpond.net.au
O18 - Protocol: dadb - {82D6F09F-4AC2-11D3-8BD9-0080ADB8683C} - C:\Program Files\OrangeCD\dadb.dll
O20 - Winlogon Notify: bfdcaaebedbfaea - C:\WINDOWS\system32\bfdcaaebedbfaea.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#6 miekiemoes (Malware Response Team)

Posted 28 April 2007 - 11:46 AM

Hi,

Looking much better already, but still one infection to go (hope it's not a stubborn one)

Let's try this next, please.

Go to Start > Run and copy and paste the next exact command into the field:

"C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\ComboFix.exe" /v bfdcaaebedbfaea

Hit enter.

This will start combofix again, but in another way.
It will reboot your computer.
After reboot, copy and paste the contents of the combofix.txt in your next reply.

#7 Rangz (Topic Starter)

Posted 28 April 2007 - 12:00 PM

Here goes (fingers crossed):

"Owner" - 07-04-29 0:45:37 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Owner\Desktop\Virus and Trojan Apps\"
Command switches used :: "/v bfdcaaebedbfaea"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bfdcaaebedbfaea.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


2007-04-28 23:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 11:17 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2007-04-26 11:17 <DIR> d-------- C:\Program Files\Kerio
2007-04-12 18:16 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-04-12 17:43 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-12 17:42 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-12 17:42 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-01 14:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-01 12:16 <DIR> d-------- C:\Program Files\RogueRemover
2007-03-30 10:23 <DIR> d-------- C:\DOCUME~1\Adrian\APPLIC~1\Lavasoft
2007-03-28 23:26 <DIR> d-------- C:\VundoFix Backups
2007-03-28 22:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TrojanHunter
2007-03-28 22:52 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-03-28 17:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-29 00:02 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-28 09:19 119 --a------ C:\DOCUME~1\Owner\APPLIC~1\iscrobbler.ini
2007-04-26 11:17 -------- d--h----- C:\Program Files\installshield installation information
2007-04-18 18:11 -------- d-------- C:\Program Files\soulseek
2007-04-12 18:39 -------- d-------- C:\Program Files\call of duty
2007-04-12 18:35 -------- d-------- C:\Program Files\stardock
2007-04-12 17:44 -------- d-------- C:\Program Files\symantec
2007-04-09 20:08 -------- d-------- C:\Program Files\ephpod
2007-04-09 11:37 -------- d-------- C:\Program Files\itunes
2007-04-09 11:36 -------- d-------- C:\Program Files\ipod
2007-04-06 15:07 96256 --a------ C:\WINDOWS\system32\drivers\sptd1181.sys
2007-04-05 22:38 -------- d-------- C:\Program Files\smartftp client 2.0
2007-04-05 22:28 -------- d-------- C:\Program Files\hewlett-packard
2007-04-04 17:13 -------- d-------- C:\Program Files\dvd collector
2007-03-28 09:02 -------- d-------- C:\Program Files\daemon tools
2007-03-17 21:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-13 21:07 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-13 20:44 -------- d-------- C:\Program Files\google
2007-03-13 20:44 -------- d-------- C:\Program Files\divx
2007-03-08 23:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 23:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 23:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 21:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 14:33 -------- d-------- C:\Program Files\quicktime
2007-02-23 12:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 12:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 12:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 12:29 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-02-23 12:29 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-02-23 12:29 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-02-23 12:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 12:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 12:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 12:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 12:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 12:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-23 12:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 12:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 12:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 12:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 12:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-16 09:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-06 04:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 00:54:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-29 0:56:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-29 00:56
C:\ComboFix2.txt ... 07-04-29 00:33
C:\ComboFix3.txt ... 07-04-28 23:45

#8 miekiemoes (Malware Response Team)

Posted 28 April 2007 - 12:11 PM

Looking good.

How are things now?

#9 Rangz

  • Topic Starter
  • Members
  • 12 posts

Posted 28 April 2007 - 12:17 PM

Much better. No annoying error messages on startup at least.

Should I run spybot searches just to make sure or should everything be fine?

Also, do I need to keep the fix.reg file on my desktop or can that go elsewhere?

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 April 2007 - 12:32 PM

You may delete the fix.reg.

Yes, run a full scan with your AV scanner to get rid of leftovers if still present.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 Rangz

  • Topic Starter
  • Members
  • 12 posts

Posted 28 April 2007 - 12:45 PM

Thanks for all your help.

Fingers crossed all goes well!

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 April 2007 - 12:51 PM

You're most welcome :thumbsup:

#13 Rangz

  • Topic Starter
  • Members
  • 12 posts

Posted 28 April 2007 - 10:02 PM

Checked shortly after with Spybot and other AV stuff and still found the SmitFraud-c Toolbar on the system, but after a restart this morning it was all clear.

Hallelujah!

Again, thanks for all your help and feel free to close this thread!

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 April 2007 - 02:20 AM

Glad to hear :thumbsup:

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
