
Smitfraud-c.toolbar888 / Drivecleaner Popup


This topic is locked
14 replies to this topic

#1 colourscan

Posted 02 May 2007 - 09:49 PM

Hello. I am getting a Drive Cleaner popup every time I surf the web on this particular computer at work. There are various other random popups, but Drive Cleaner is the most common. I have run AdAware 3 times and it presently can't detect any ads. Spybot S&D detects something called Smitfraud-C.Toolbar888 and says I need to restart to remove it, as it resides in system memory. Upon restarting, it scans, detects the same entry again and gives the same message that it needs to restart and scan system memory. Online virus scanners such as Panda show no infections; I have just run Stinger and it didn't seem to come up with anything. I have just run HijackThis and selected system scan and log file. It seems to do the scan, but a Windows dialogue comes up saying 'Program Error' 'HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.' A log still appears in the HijackThis folder so I will post its contents below. System is running Windows 2000. Thank you for your assistance.


Logfile of HijackThis v1.99.1
Scan saved at 12:41:35 PM, on 3/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINNT\system32\bhluhrxx.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS2\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


#2 rookie147

Posted 03 May 2007 - 10:15 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Using My Computer/Windows Explorer, navigate to where you have HJT saved.
Right-click on the hijackthis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

I have also noticed that you do not appear to have a firewall installed. This is an essential piece of software that acts as an extra layer of security, which restricts access to your computer from the outside world.
Therefore, please download one of these free firewalls:
Zone Alarm
Kerio
If you would like some more information about firewalls and how to use them effectively, take a look here.

Once you have done all of this, please post back with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 colourscan

Posted 03 May 2007 - 07:05 PM

Hi Charles, thank you for your assistance. I have installed AVG and Kerio. AVG detected a few things but removed them. Every now and then Windows Explorer tries to connect to the following address:

04/May/2007 09:54:06 Windows Explorer blocked; Out TCP; localhost:1087->82.98.235.140:80; Owner: C:\WINNT\EXPLORER.EXE

Should I allow or deny?

New HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:54 AM, on 4/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {215C24B6-447F-4344-B210-1C3D65DDC44C} - C:\WINNT\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57A27211-336B-4528-B221-B450151593DE} - C:\WINNT\system32\awvvw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINNT\system32\jppdcfsk.dll (file missing)
O2 - BHO: (no name) - {E273C70B-B738-4F62-840C-42FC5D669259} - C:\WINNT\system32\rkuqlcko.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\vohhnjny.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS2\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O20 - Winlogon Notify: awvvw - C:\WINNT\system32\awvvw.dll
O20 - Winlogon Notify: pmnnm - C:\WINNT\system32\pmnnm.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINNT\system32\vturp.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

#4 rookie147

Posted 04 May 2007 - 09:37 AM

Here is a "whois" for that IP address: http://www.dnsstuff.com/tools/whois.ch?ip=82.98.235.140
It is owned by a company called CYBERTECHNOLOGY. If you know of this company, such as if they are your ISP, please allow it. If not, you can keep it blocked.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

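Charles answers the question about 82.98.235.140 by looking up who owns the address. The log line itself offers a second, process-based angle: Windows Explorer is the desktop shell and has no business opening HTTP connections to the Internet, whereas a browser or an updater does. The script below is an added example written for this page; it is not part of the thread and not Kerio's own code. It parses the one Kerio line posted above plus two constructed lines and applies a per-process rule to each. The log format is inferred from that single line, and the list of expected web clients is an assumption for the example.

```python
import ipaddress
import re

# Log format inferred from the single Kerio Personal Firewall line posted in
# this thread; the field order below is an assumption, not Kerio documentation.
LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<app>.+?) (?P<action>blocked|permitted); '
    r'(?P<dir>In|Out) (?P<proto>TCP|UDP); '
    r'(?P<src>\S+?):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+); '
    r'Owner: (?P<owner>.+)$'
)

# Sample events. The first is the line from post #3; the other two are
# constructed for this example (203.0.113.10 is a documentation address).
SAMPLE_LOG = [
    r'04/May/2007 09:54:06 Windows Explorer blocked; Out TCP; localhost:1087->82.98.235.140:80; Owner: C:\WINNT\EXPLORER.EXE',
    r'04/May/2007 09:55:12 Internet Explorer permitted; Out TCP; localhost:1090->203.0.113.10:80; Owner: C:\Program Files\Internet Explorer\iexplore.exe',
    r'04/May/2007 09:56:01 Windows Explorer permitted; Out TCP; localhost:1093->192.168.0.222:445; Owner: C:\WINNT\EXPLORER.EXE',
]

HTTP_PORTS = {80, 443}

# Processes on this machine that legitimately speak HTTP(S) to the Internet:
# the browser, the AVG updater and the Java update scheduler. This allowlist
# is an assumption for the example; build yours from the host's own baseline.
WEB_CLIENTS = {'iexplore.exe', 'avgupsvc.exe', 'jusched.exe'}


def parse(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def judge(event):
    """Decide allow/deny/review for one parsed event, with a one-line reason."""
    owner = event['owner'].rsplit('\\', 1)[-1].lower()
    dst = ipaddress.ip_address(event['dst'])
    port = int(event['dport'])
    if event['dir'] != 'Out':
        return 'review', 'inbound connection; handled by a different rule set'
    if dst.is_private:
        return 'allow', f'{owner} talking to the LAN ({dst})'
    if port in HTTP_PORTS and owner in WEB_CLIENTS:
        return 'allow', f'{owner} is a known web client'
    if port in HTTP_PORTS:
        return 'deny', f'{owner} is not a web client but is opening HTTP to {dst}'
    return 'review', f'{owner} -> {dst}:{port} is not covered by a rule'


def triage(lines):
    """Parse and judge every line; unparsable lines are reported as 'review'."""
    results = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            results.append(('review', 'unparsed: ' + line))
        else:
            results.append(judge(ev))
    return results


if __name__ == '__main__':
    for verdict, why in triage(SAMPLE_LOG):
        print(f'{verdict:6} {why}')
```

The posted line comes out as "deny" because of the owning process, before anyone has to decide whether they trust the company that owns the address; the ownership lookup is still worth doing, but it answers a different question.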


#5 colourscan

Posted 07 May 2007 - 04:45 PM

Hi Charles, thanks again for all your help.

The first time I ran Vundo it found quite a few entries, but when it tried to delete them an error came up:

Registry Editor
Cannot import c:\VundoFix.reg: Error opening the file. There may be a disk or file system error.

The second scan I did, it only found 3 entries, but again had the same error. I ran it a third time and the same 3 entries were still there, and the same error when it tries to remove them. Logs posted below, thanks.



VundoFix V6.3.21

Checking Java version...

Scan started at 7:06:26 AM 8/05/2007

Listing files found while scanning....

C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\jppdcfsk.dll
C:\WINNT\system32\kqhbooyk.dll
C:\WINNT\system32\mnnmp.bak1
C:\WINNT\system32\mnnmp.bak2
C:\WINNT\system32\mnnmp.ini
C:\WINNT\system32\mnnmp.ini2
C:\WINNT\system32\mnnmp.tmp
C:\WINNT\system32\mqgqynbl.dll
C:\WINNT\system32\nuhowokp.dll
C:\WINNT\system32\olmpdpfq.dll
C:\WINNT\system32\ossuqumi.dll
C:\WINNT\system32\oucshxtj.dll
C:\WINNT\system32\pmnnm.dll
C:\WINNT\system32\rsffgrdo.dll
C:\WINNT\system32\vturp.dll
C:\WINNT\system32\wvvwa.bak1
C:\WINNT\system32\wvvwa.bak2
C:\WINNT\system32\wvvwa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\kqhbooyk.dll
C:\WINNT\system32\kqhbooyk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mnnmp.bak1
C:\WINNT\system32\mnnmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\mnnmp.bak2
C:\WINNT\system32\mnnmp.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\mnnmp.ini
C:\WINNT\system32\mnnmp.ini Has been deleted!

Attempting to delete C:\WINNT\system32\mnnmp.ini2
C:\WINNT\system32\mnnmp.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\mnnmp.tmp
C:\WINNT\system32\mnnmp.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\mqgqynbl.dll
C:\WINNT\system32\mqgqynbl.dll Has been deleted!

Attempting to delete C:\WINNT\system32\olmpdpfq.dll
C:\WINNT\system32\olmpdpfq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ossuqumi.dll
C:\WINNT\system32\ossuqumi.dll Has been deleted!

Attempting to delete C:\WINNT\system32\oucshxtj.dll
C:\WINNT\system32\oucshxtj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rsffgrdo.dll
C:\WINNT\system32\rsffgrdo.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wvvwa.bak1
C:\WINNT\system32\wvvwa.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\wvvwa.bak2
C:\WINNT\system32\wvvwa.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\wvvwa.ini
C:\WINNT\system32\wvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 7:16:51 AM 8/05/2007

Listing files found while scanning....

C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\pmnnm.dll
C:\WINNT\system32\vturp.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 7:24:37 AM 8/05/2007

Listing files found while scanning....

C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\pmnnm.dll
C:\WINNT\system32\vturp.dll

Beginning removal...

Performing Repairs to the registry.
Done!




********************************************************************************





Logfile of HijackThis v1.99.1
Scan saved at 7:33:45 AM, on 8/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {215C24B6-447F-4344-B210-1C3D65DDC44C} - C:\WINNT\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B9CF5BC4-1302-4BA1-A947-6D63B08BE03D} - C:\WINNT\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {E273C70B-B738-4F62-840C-42FC5D669259} - C:\WINNT\system32\rkuqlcko.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\vohhnjny.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS2\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O20 - Winlogon Notify: awvvw - C:\WINNT\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINNT\system32\pmnnm.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINNT\system32\vturp.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

#6 rookie147

Posted 08 May 2007 - 01:38 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {215C24B6-447F-4344-B210-1C3D65DDC44C} - C:\WINNT\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {B9CF5BC4-1302-4BA1-A947-6D63B08BE03D} - C:\WINNT\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {E273C70B-B738-4F62-840C-42FC5D669259} - C:\WINNT\system32\rkuqlcko.dll (file missing)
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\vohhnjny.dll",realset
O20 - Winlogon Notify: awvvw - C:\WINNT\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINNT\system32\pmnnm.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINNT\system32\vturp.dll (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\pmnnm.dll
C:\WINNT\system32\vturp.dll
C:\WINNT\system32\vohhnjny.dll

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Scan again with HijackThis and post the log in your next reply, along with the Panda report.
Thanks,
Charles

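The fix list in post #6 picks entries out of the log by a few repeatable properties: registry hooks that point at a DLL which no longer exists, an unnamed BHO living in system32, a rundll32 Run entry loading a DLL nobody recognises, and Winlogon Notify packages outside the set Windows itself installs. The VundoFix listing in post #5 also shows each of these DLLs sitting beside files whose name is the DLL's own name reversed (awvvw.dll with wvvwa.ini, pmnnm.dll with mnnmp.ini). The script below is an added example written for this page, not part of the thread and not HijackThis or VundoFix code: it applies those rules to the O2, O4 and O20 lines copied from the post #3 log and then cross-references the flagged DLLs against the file list VundoFix printed. The Winlogon Notify allowlist (Windows XP's default packages) and the rundll32 allowlist are assumptions for the example.

```python
import re
from collections import namedtuple

# Input: a subset of the HijackThis lines from the second log in this thread
# (post #3) and the file list VundoFix printed in post #5. Both are copied
# from the thread; nothing here is generated.
HJT_LINES = r"""
O2 - BHO: (no name) - {215C24B6-447F-4344-B210-1C3D65DDC44C} - C:\WINNT\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57A27211-336B-4528-B221-B450151593DE} - C:\WINNT\system32\awvvw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINNT\system32\jppdcfsk.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINNT\system32\vohhnjny.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: awvvw - C:\WINNT\system32\awvvw.dll
O20 - Winlogon Notify: pmnnm - C:\WINNT\system32\pmnnm.dll (file missing)
O20 - Winlogon Notify: vturp - C:\WINNT\system32\vturp.dll (file missing)
""".strip().splitlines()

VUNDOFIX_FILES = r"""
C:\WINNT\system32\awvvw.dll
C:\WINNT\system32\mnnmp.bak1
C:\WINNT\system32\mnnmp.bak2
C:\WINNT\system32\mnnmp.ini
C:\WINNT\system32\mnnmp.ini2
C:\WINNT\system32\mnnmp.tmp
C:\WINNT\system32\pmnnm.dll
C:\WINNT\system32\vturp.dll
C:\WINNT\system32\wvvwa.bak1
C:\WINNT\system32\wvvwa.bak2
C:\WINNT\system32\wvvwa.ini
""".strip().splitlines()

ENTRY_RE = re.compile(r'^(?P<sec>O\d+|R\d) - (?P<body>.*)$')
# First drive-letter path in the entry, up to the .dll/.exe extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)

# Windows XP's default Winlogon notification packages. A partial allowlist
# and an assumption for the example; Windows 2000 ships fewer of them.
WINLOGON_NOTIFY_KNOWN = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop',
                         'schedule', 'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}
# rundll32 targets known to be legitimate on this host (NVIDIA control panel).
RUNDLL_KNOWN = {'nvcpl.dll'}

Finding = namedtuple('Finding', 'section path reason')


def basename(path):
    return path.rsplit('\\', 1)[-1]


def stem(name):
    return name.rsplit('.', 1)[0]


def in_system32(path):
    return '\\system32\\' in path.lower()


def triage(lines):
    """Apply the four selection rules to HijackThis log lines."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group('sec'), m.group('body')
        pm = PATH_RE.search(body)
        if not pm:
            continue
        path = pm.group(0)
        name = basename(path).lower()
        missing = '(file missing)' in body
        if sec == 'O2':
            if missing:
                findings.append(Finding(sec, path, 'BHO registration for a DLL that no longer exists'))
            elif body.startswith('BHO: (no name)') and in_system32(path):
                findings.append(Finding(sec, path, 'unnamed BHO loaded from system32'))
        elif sec == 'O4':
            if 'rundll32' in body.lower() and name not in RUNDLL_KNOWN:
                findings.append(Finding(sec, path, 'rundll32 loads an unrecognised DLL at logon'))
        elif sec == 'O20':
            if stem(name) not in WINLOGON_NOTIFY_KNOWN:
                why = 'Winlogon Notify package ' + ('for a missing DLL' if missing else 'outside the known set')
                findings.append(Finding(sec, path, why))
    return findings


def reversed_name_pairs(findings, listing):
    """For each flagged DLL, list files whose stem is the DLL's stem reversed."""
    names = {basename(p).lower() for p in listing}
    pairs = {}
    for f in findings:
        dll = basename(f.path).lower()
        mates = sorted(n for n in names if stem(n) == stem(dll)[::-1])
        if mates:
            pairs[dll] = mates
    return pairs


if __name__ == '__main__':
    found = triage(HJT_LINES)
    for f in found:
        print(f'{f.section:4} {basename(f.path):14} {f.reason}')
    for dll, mates in reversed_name_pairs(found, VUNDOFIX_FILES).items():
        print(f'{dll} <-> {", ".join(mates)}')
```

The rules flag exactly the O2, O4 and O20 entries on the post #6 fix list and leave SDHelper.dll, ssv.dll, the Google Toolbar and the NVIDIA rundll32 entry alone. The reversed-name check then ties awvvw.dll and pmnnm.dll to their .ini and .bak companions, which is why post #6 deletes the DLLs by hand in Safe Mode rather than relying on the registry entries alone: the HijackThis "(file missing)" annotation describes the registry hook, and the companion files are not referenced from the registry at all.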


#7 colourscan

Posted 08 May 2007 - 05:40 PM

Hi Charles, Panda log followed by HijackThis log. Thanks



Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\winnt\system32\SBUtils
Adware:Adware/Henbang Not disinfected C:\WINNT\SYSTEM32\SLRKDOBD.DLL
Adware:Adware/Henbang Not disinfected C:\WINNT\SYSTEM32\HTHKQMXP.DLL
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Bryn\Local Settings\Temp\IBDTISXS.DLL
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@overture[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@mediaplex[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@advertising[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@com[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@tribalfusion[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@perf.overture[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@www.myaffiliateprogram[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@doubleclick[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Bryn\Cookies\bryn@adultfriendfinder[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\kqhbooyk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mqgqynbl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\olmpdpfq.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ossuqumi.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\oucshxtj.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rsffgrdo.dll.bad


*******************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:32:36 AM, on 9/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS2\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

#8 rookie147

  • Members
  • 5,321 posts

Posted 09 May 2007 - 01:36 AM

Things are starting to look much better now.
Please download ATF Cleaner to your Desktop.
Don't run it yet.

Reboot into Safe Mode and delete these files/folders:

C:\WINNT\SYSTEM32\SLRKDOBD.DLL <--File
C:\WINNT\SYSTEM32\HTHKQMXP.DLL <--File

C:\VundoFix Backups <--Folder
C:\winnt\system32\SBUtils <--Folder

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Copy and paste the following text into Notepad:
sc stop core
sc delete core
Save this as "services.bat" Choose to save as *all files and place it on your Desktop.
Double-click services.bat.

Boot back into Normal Mode and let me know how things seem to be running now.
Thanks,
Charles

Edited by rookie147, 09 May 2007 - 01:36 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 colourscan
  • Topic Starter

  • Members
  • 26 posts

Posted 10 May 2007 - 12:07 AM

Hi Charles, good to hear we are making progress. After following your last instructions, I ran Spybot S+D again and it picked up another 2 instances of Smitfraud-C.Toolbar888, which it was this time able to remove. I then ran the Panda scan again, which picked up 2 entries as you will see in the log below. These should be easy enough for me to remove in the way that you have described previously, but I thought I would show you the log first in case they mean there is still something malicious running in the background. Thanks again for all your help. The HijackThis log follows the Panda log:

Incident                    Status           Location
Spyware:Spyware/Virtumonde  Not disinfected  C:\Documents and Settings\Bryn\Local Settings\Temp\IBDTISXS.DLL
Spyware:Cookie/Atlas DMT    Not disinfected  C:\Documents and Settings\Bryn\Cookies\bryn@atdmt[1].txt

*********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 2:53:56 PM, on 10/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\Smtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\FinePixViewer\FinePixViewer.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CCS\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS1\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COLOUR
O17 - HKLM\System\CS2\Services\Tcpip\..\{03E0F6A4-F905-4370-B298-B5ABF31E4A52}: NameServer = 192.168.0.222,144.140.70.30,144.140.71.16
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
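The two HijackThis logs in this thread (post #7 before the cleanup round, post #9 after it) are read by hand above. As an added example, not code from the thread, from HijackThis or from BleepingComputer, the helper below parses log lines of that format into records, groups the entries a helper looks at first (stale "(file missing)" registrations, R1 ProxyOverride values, O16 ActiveX downloads, unnamed O2 BHOs), lists running executables that live under a Temp directory, and diffs two logs so what a cleanup round removed is visible at a glance. The sample input is a handful of lines copied from the two logs on this page plus one constructed Temp-directory process (constructed_sample.exe) that does not appear in the thread and exists only to exercise that check.

```python
# Added example (not code from this thread, from HijackThis or from BleepingComputer):
# a triage helper for HijackThis v1.99-style logs that parses entries, groups the
# ones a helper checks first, and diffs two logs to show what a cleanup round removed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")       # "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                   # "Running processes:" lines
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Executables running from a Temp directory deserve a look: the Virtumonde DLL in
# this thread was dropped under Local Settings\Temp.
TEMP_DIR_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str            # section code: "O4" = Run keys, "O23" = services, ...
    detail: str          # rest of the line exactly as HijackThis printed it
    guid: Optional[str]  # CLSID when the line carries one (BHOs, toolbars, DPF)
    file_missing: bool   # HijackThis appends "(file missing)" if the target is gone


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a log into (running process paths, parsed Rx/Ox entries)."""
    processes: List[str] = []
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            kind, detail = m.groups()
            g = GUID_RE.search(detail)
            entries.append(Entry(kind, detail, g.group(0).upper() if g else None,
                                 "(file missing)" in detail))
    return processes, entries


def flag_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group entries by the reason a helper would want a second look at them."""
    flags: Dict[str, List[str]] = {
        "file_missing": [],    # stale registration whose target was already deleted
        "proxy_override": [],  # R1 IE proxy bypass values; confirm they are expected
        "dpf_download": [],    # O16 ActiveX downloads; check each vendor URL
        "unnamed_bho": [],     # O2 BHOs without a name; resolve the DLL by hand
    }
    for e in entries:
        if e.file_missing:
            flags["file_missing"].append(e.detail)
        if e.kind == "R1" and "ProxyOverride" in e.detail:
            flags["proxy_override"].append(e.detail)
        if e.kind == "O16":
            flags["dpf_download"].append(e.detail)
        if e.kind == "O2" and "(no name)" in e.detail:
            flags["unnamed_bho"].append(e.detail)
    return flags


def processes_in_temp(processes: List[str]) -> List[str]:
    """Running executables whose path goes through a Temp directory."""
    return [p for p in processes if TEMP_DIR_RE.search(p)]


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[str], List[str]]:
    """Return (entries gone since 'before', entries new in 'after')."""
    b = {(e.kind, e.detail) for e in before}
    a = {(e.kind, e.detail) for e in after}
    removed = [f"{k} - {d}" for k, d in sorted(b - a)]
    added = [f"{k} - {d}" for k, d in sorted(a - b)]
    return removed, added


# Constructed sample input: lines copied from the two logs in this thread (post #7
# before the cleanup round, post #9 after it), plus one constructed Temp-directory
# process (constructed_sample.exe, not in the thread) to exercise the Temp check.
LOG_BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Bryn\Local Settings\Temp\constructed_sample.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = selectingsuper
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
"""

if __name__ == "__main__":
    procs, before = parse_log(LOG_BEFORE)
    _, after = parse_log(LOG_AFTER)
    print(flag_entries(before), processes_in_temp(procs), diff_logs(before, after), sep="\n")
```

The groupings are prompts for review, not verdicts: the unnamed O2 BHO in this thread resolves to Spybot's own SDHelper.dll, and the "(file missing)" O9 entries are leftovers from an uninstalled BitDefender scanner, so each flagged line still has to be checked against its file path and vendor. The diff shows the Google Toolbar BHO and its "swg" Run entry gone between the two scans, which is the kind of before/after check a helper does by eye when comparing the logs above.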

#10 rookie147

  • Members
  • 5,321 posts

Posted 10 May 2007 - 01:31 AM

You can run ATF Cleaner once more if you want to remove those two files found by Panda. Then reboot and let me know how things seem to be running now.
Thanks,
Charles



#11 colourscan
  • Topic Starter

  • Members
  • 26 posts

Posted 10 May 2007 - 10:52 PM

Hi Charles, the computer seems to be running fine and there haven't been any unexpected pop-ups as yet today. When I run the Panda scan, however, it keeps flagging the file C:\Documents and Settings\Bryn\Local Settings\Temp\IBDTISXS.DLL, though I cannot find the file in Windows Explorer, even with hidden files shown. There is only one file in that folder, named GlaukaCommDll.log; I'm not sure if it is related. According to the Panda Encyclopedia, the IBDTISXS.DLL file is related to Virtumonde. Is it still present? Thanks again.

#12 rookie147

  • Members
  • 5,321 posts

Posted 11 May 2007 - 01:37 AM

That file shouldn't matter; it won't do any harm there. :thumbsup:
Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles



#13 colourscan
  • Topic Starter

  • Members
  • 26 posts

Posted 14 May 2007 - 06:07 PM

Thanks again Charles for all your effort :thumbsup:

#14 rookie147

  • Members
  • 5,321 posts

Posted 15 May 2007 - 01:53 AM

You're very welcome :thumbsup:



#15 rookie147

  • Members
  • 5,321 posts

Posted 24 May 2007 - 05:12 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
