
Do You Know What My Problem Is?



#1 flavor

  • Members
  • 13 posts

Posted 08 May 2007 - 01:23 AM

This has been killing me for the last 24 hours. Help appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 11:12:40 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl7.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\WINDOWS\system32\-601201932.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\svchots.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ryan Brindle\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\vknukqop.dll",realset
O4 - HKLM\..\Run: [-601201932.exe] C:\WINDOWS\system32\-601201932.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\svchots.exe
O4 - Startup: MSWin-1740099457.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CMPWI.exe.LNK = C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 02:43 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum flavor :thumbsup:

Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary.
If you run HijackThis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder: click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

*************************

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "cfxxqgkxr.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

*************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

*************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search by typing 1 and pressing "Enter"; a text file will appear which lists infected files (if present).
Please copy and paste the contents of that report into your next reply.

*************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


Now go to C:\HJT\HijackThis.exe
Right click on HijackThis.exe, select 'Rename' and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.
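The reply above is built on reading the first HijackThis log by hand: the repeated O10 "Unknown file in Winsock LSP" entries for cfxxqgkxr.dll lead to the LSPFix step, the Run entries for svehost.exe, -601201932.exe, the rundll32-loaded vknukqop.dll and the Temp-folder svchots.exe point at Vundo/SmitFraud-style infections, and the yzq.dll SSODL entry is a leftover that still exists in the registry. The script below is an added example written for this thread; it is not code from HijackThis, from BleepingComputer or from either poster. It parses lines in the HijackThis v1.99.1 format and applies the same kind of checks an analyst applies, as triage heuristics only. The function names (`parse_hjt`, `triage_log`, `osa_distance`), the `SYSTEM_NAMES` list and the rules themselves are assumptions chosen for illustration; the sample log is a constructed subset of the poster's entries with the line format unchanged.

```python
"""Triage of HijackThis v1.99.1 log lines (O2, O4, O10, O21 entries).
Added example for this thread, not code from HijackThis, BleepingComputer or the
posters; the heuristics are assumptions that mark entries for a human to review."""
import re

# Constructed sample: a subset of the poster's first log, line format unchanged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\vknukqop.dll",realset
O4 - HKLM\..\Run: [-601201932.exe] C:\WINDOWS\system32\-601201932.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\svchots.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cfxxqgkxr.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.*)$")
CLSID_RE = re.compile(r"^(?:BHO|SSODL): .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Windows binaries whose names malware imitates (svehost, svchots, ...); assumed list.
SYSTEM_NAMES = {"svchost", "lsass", "winlogon", "csrss", "services", "smss", "explorer", "spoolsv"}

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def command_path(cmd):
    """Pull the file that really gets loaded out of an O4 Run command line."""
    cmd = cmd.strip()
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', cmd, re.IGNORECASE)
    if m:
        return m.group(1)  # rundll32 is only the host; the DLL is what matters
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /")[0].split(" -")[0]  # drop trailing switches

def parse_hjt(text):
    """One dict per O-line: section, raw line, loaded path, host program, missing flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        e = {"section": section, "raw": line.strip(), "path": None, "host": None, "missing": False}
        r, l, c = RUN_RE.match(rest), LSP_RE.match(rest), CLSID_RE.match(rest)
        if section == "O4" and r:
            e["host"] = "rundll32" if r.group("cmd").lower().startswith("rundll32") else None
            e["path"] = command_path(r.group("cmd"))
        elif section == "O10" and l:
            e["path"] = l.group("path")
        elif section in ("O2", "O21") and c:
            e["path"] = c.group("path")
            e["missing"] = c.group("missing") is not None or e["path"] == "(no file)"
        entries.append(e)
    return entries

def triage(entry):
    """Reasons (possibly none) why an analyst should look twice at this entry."""
    if entry["path"] is None:
        return []
    low = entry["path"].lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    checks = [
        (entry["section"] == "O10", "Winsock LSP that HijackThis cannot identify (the LSPFix step in the reply)"),
        ("\\temp\\" in low, "autostart runs from a Temp directory"),
        (stem not in SYSTEM_NAMES and any(osa_distance(stem, n) == 1 for n in SYSTEM_NAMES),
         "file name is one typo away from a Windows system binary"),
        (re.fullmatch(r"-?\d+", stem) is not None, "file name is just a number"),
        (entry["missing"], "orphaned entry: the registry still points at a deleted file"),
        (entry["host"] == "rundll32", "DLL started through rundll32 from a Run key"),
    ]
    return [reason for hit, reason in checks if hit]

def triage_log(text):
    """Flagged path -> reasons; repeated O10 lines collapse into one finding."""
    findings = {}
    for entry in parse_hjt(text):
        reasons = triage(entry)
        if reasons:
            findings.setdefault(entry["path"], reasons)
    return findings

if __name__ == "__main__":
    print(*(f"{p}: {'; '.join(r)}" for p, r in triage_log(SAMPLE_LOG).items()), sep="\n")
```

Run against the sample, six of the eight distinct paths come back flagged and the two legitimate vendor entries (atiptaxx.exe, jusched.exe) do not; svchots.exe trips two rules at once, the Temp-folder location and the one-letter swap against svchost, which is why the edit-distance routine counts a transposition as a single edit. The rules are deliberately narrow: a flag means "read this line", never "delete this file", which matches how the reply treats the LSP entry by sending it to LSPFix rather than having HijackThis fix it directly.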

#3 flavor

  • Topic Starter
  • Members
  • 13 posts

Posted 08 May 2007 - 12:15 PM

Thanks RichieUK!!

Logfile of HijackThis v1.99.1
Scan saved at 10:06:44 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis\abc.bat

O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {E83CA763-AD77-41EA-912E-667216CEA8E9} - C:\WINDOWS\system32\xxwxv.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKLM\..\Run: [-601201932.exe] C:\WINDOWS\system32\-601201932.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MSWin-1740099457.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CMPWI.exe.LNK = C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ldkusmq.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

******************************************************

SmitFraudFix v2.177

Scan done at 9:45:16.04, Tue 05/08/2007
Run from C:\Documents and Settings\Ryan Brindle\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svehost.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\clcl7.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\WINDOWS\system32\-601201932.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\svchots.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Ryan Brindle


C:\Documents and Settings\Ryan Brindle\Application Data


Start Menu


C:\DOCUME~1\RYANBR~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8 jf8e"

[HKEY_CLASSES_ROOT\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
@="C:\WINDOWS\system32\fs6ehnf8jd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
@="C:\WINDOWS\system32\fs6ehnf8jd.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 68.28.50.11
DNS Server Search Order: 68.28.58.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer=68.28.50.11 68.28.58.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer=68.28.50.11 68.28.58.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer=68.28.50.11 68.28.58.11


Scanning for wininet.dll infection


End

*******************************************************

"Ryan Brindle" - 2007-05-08 9:47:57 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Ryan Brindle\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vknukqop.dll
C:\WINDOWS\system32\poqkunkv.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\RunOnce2.t__
C:\WINDOWS\system32\-601201932.exe
C:\WINDOWS\system32\winupd_KB34216966.exe
C:\WINDOWS\system32\winupd_KB35862658.exe
C:\WINDOWS\system32\winupd_KB55963079.exe
C:\WINDOWS\system32\winupd_KB59112154.exe
C:\WINDOWS\system32\winupd_KB77526596.exe
C:\WINDOWS\system32\winupd_KB92620748.exe
C:\WINDOWS\system32\clcl7.exe
C:\WINDOWS\system32\xgiwuv(2).dll
C:\WINDOWS\system32\xgiwuv.dll
C:\WINDOWS\system32\FS6EHN~1.DLL
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\desktop.ini
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\new_drv.sys
C:\Documents and Settings\All Users.WINDOWS\..\ie_updater.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\0x57.exe
C:\WINDOWS\system32\cfxxqgkxr.dll
C:\WINDOWS\system32\jekiotemtde.dll
C:\WINDOWS\system32\letacjbtnavhx.dll
C:\WINDOWS\system32\ogxcjwh.dll
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\partnership.dll
C:\WINDOWS\system32\rpcc1.dll
C:\Documents and Settings\All Users.WINDOWS.\documents\settings
C:\WINDOWS\system32\windev-4fc0-4c12.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\cp1041.nls

C:\WINDOWS\system32\drivers\ndis.sys . . . is infected!!

C:\WINDOWS\system32\winlogon.exe . . . is infected!!


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_NEW_DRV
-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\NDnet1
-------\ntldr.sys
-------\Runtime
-------\windev-4fc0-4c12


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-08 09:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-08 09:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-08 09:45 3,070 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-08 09:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-08 09:27 <DIR> d-------- C:\VundoFix Backups
2007-05-08 09:19 <DIR> d-------- C:\HJT
2007-05-07 14:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-05-07 13:01 <DIR> d-------- C:\WINDOWS\pss
2007-05-07 10:17 <DIR> d-------- C:\DOCUME~1\RYANBR~1\APPLIC~1\Lavasoft
2007-05-07 10:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-07 10:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-06 19:58 21,504 --a------ C:\WINDOWS\system32\wsys(2).dll
2007-05-02 21:56 <DIR> d--h----- C:\DOCUME~1\RYANBR~1\APPLIC~1\Move Networks
2007-05-02 16:23 <DIR> d-------- C:\DOCUME~1\RYANBR~1\.Multivalent
2007-04-27 00:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 23:45 135,432 --a------ C:\WINDOWS\system32\abcdefgh.dll
2007-04-26 15:06 91,717 --a------ C:\WINDOWS\system32\cent.exe
2007-04-26 15:02 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-04-26 14:59 9,797 --a------ C:\xx1232255.exe
2007-04-20 14:31 <DIR> d-------- C:\DOCUME~1\RYANBR~1\APPLIC~1\gtk-2.0
2007-04-20 14:31 <DIR> d-------- C:\DOCUME~1\RYANBR~1\.thumbnails
2007-04-20 14:29 <DIR> d-------- C:\DOCUME~1\RYANBR~1\.gimp-2.2
2007-04-20 14:28 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-04-20 14:27 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-04-20 10:31 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2007-04-20 10:31 <DIR> d-------- C:\WINDOWS\PrimoPDF
2007-04-20 10:31 <DIR> d-------- C:\Program Files\activePDF
2007-04-13 11:10 <DIR> d-------- C:\Program Files\VeryPDF PDF Editor v2.2
2007-04-11 17:09 <DIR> d-------- C:\DOCUME~1\RYANBR~1\APPLIC~1\Help
2007-04-10 14:44 37,888 --------- C:\WINDOWS\system32\kuwxpppm.dll
2007-04-10 14:44 <DIR> d-------- C:\Program Files\Common Files\KIP
2007-04-10 14:43 <DIR> d-------- C:\Program Files\KIP
2007-04-10 14:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Downloaded Installations
2007-04-09 22:08 <DIR> d-------- C:\Program Files\Virtools


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 02:46:41 -------- d-----w C:\Program Files\IrfanView
2007-05-07 03:16:46 502,272 ----a-w C:\WINDOWS\system32\winlogon(2).exe
2007-05-07 02:33:40 281,348 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2007-05-02 20:53:39 -------- d-----w C:\DOCUME~1\RYANBR~1\APPLIC~1\Skype
2007-04-27 06:30:18 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-04-27 06:30:18 502,272 ----a-w C:\WINDOWS\system32\winlogon(3).exe
2007-04-27 00:10:27 -------- d-----w C:\Program Files\Google
2007-04-26 23:01:34 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-04 00:55:07 -------- d-----w C:\Program Files\Sprint
2007-04-04 00:54:44 9,360 ----a-w C:\WINDOWS\system32\drivers\pxfhmdfl.sys
2007-04-04 00:54:44 79,184 ----a-w C:\WINDOWS\system32\drivers\pxfhserd.sys
2007-04-04 00:54:44 66,704 ----a-w C:\WINDOWS\system32\drivers\pxfhbus.sys
2007-04-04 00:54:44 6,240 ----a-w C:\WINDOWS\system32\drivers\pxfhcmnt.sys
2007-04-04 00:54:44 6,240 ----a-w C:\WINDOWS\system32\drivers\pxfhcm.sys
2007-04-04 00:54:44 5,904 ----a-w C:\WINDOWS\system32\drivers\pxfhwhnt.sys
2007-04-04 00:54:44 5,904 ----a-w C:\WINDOWS\system32\drivers\pxfhwh.sys
2007-04-04 00:54:44 36,352 ----a-w C:\WINDOWS\system32\pxfhwmcp.dll
2007-04-04 00:54:44 100,240 ----a-w C:\WINDOWS\system32\drivers\pxfhmdm.sys
2007-04-03 00:13:39 -------- d-----w C:\Program Files\Palm
2007-03-29 21:11:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-26 16:47:53 -------- d-----w C:\Program Files\QuickTime
2007-03-22 07:38:41 -------- d-----w C:\Program Files\MSECache
2007-03-21 19:55:38 -------- d-----w C:\DOCUME~1\RYANBR~1\APPLIC~1\HotSync
2007-03-21 19:55:21 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-03-21 19:55:20 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-03-15 21:00:15 -------- d-----w C:\Program Files\AutoDWG
2007-03-15 04:32:07 -------- d-----w C:\Program Files\Dell Printers
2007-03-14 21:26:35 -------- d-----w C:\Program Files\Bluebeam Software
2007-03-09 04:16:50 -------- d-----w C:\Program Files\Skype
2007-03-09 04:16:50 -------- d-----w C:\Program Files\Common Files\Skype
2007-02-26 23:05:45 15,360 ----a-w C:\WINDOWS\system32\XPLNMon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{E83CA763-AD77-41EA-912E-667216CEA8E9}"="C:\WINDOWS\system32\xxwxv.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"RunOnce2Upd"="\"C:\\Documents and Settings\\Ryan Brindle\\Start Menu\\Programs\\Startup\\MSWin-1740099457.exe\""
"-601201932.exe"="C:\\WINDOWS\\system32\\-601201932.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{986B1A8F-32C1-B025-34DA-E74E95CB9019}"="C:\WINDOWS\system32\yzq.dll" [x]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1af64523-c5cf-11db-a914-0014a54d0d65}]
Shell\AutoRun\command rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_POOF

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 09:56:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-08 9:58:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 09:58
C:\ComboFix2.txt ... 2007-04-27 00:38


*********************************************************************
VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:27:31 AM 5/8/2007

Listing files found while scanning....

C:\WINDOWS\system32\hggecby.dll
C:\WINDOWS\system32\vxwxx.bak1
C:\WINDOWS\system32\vxwxx.ini
C:\WINDOWS\system32\wahayosc.dll
C:\WINDOWS\system32\xxwxv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggecby.dll
C:\WINDOWS\system32\hggecby.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vxwxx.bak1
C:\WINDOWS\system32\vxwxx.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vxwxx.ini
C:\WINDOWS\system32\vxwxx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wahayosc.dll
C:\WINDOWS\system32\wahayosc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxwxv.dll
C:\WINDOWS\system32\xxwxv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggecby.dll
C:\WINDOWS\system32\hggecby.dll Has been deleted!

Performing Repairs to the registry.
Done!
***************************************************************

#4 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 12:47 PM

You've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

***************************

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.


#5 flavor

  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2007 - 02:08 PM

Thanks again. Here is where I am at now.

Logfile of HijackThis v1.99.1
Scan saved at 12:04:13 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis\abc.bat

O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\cbxwvsq.dll
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {D70944E4-7F15-4F3A-8F8C-CA2EC1372552} - C:\WINDOWS\system32\yayab.dll
O2 - BHO: (no name) - {E83CA763-AD77-41EA-912E-667216CEA8E9} - C:\WINDOWS\system32\xxwxv.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MSWin-1740099457.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CMPWI.exe.LNK = C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cbxwvsq - C:\WINDOWS\SYSTEM32\cbxwvsq.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll
O20 - Winlogon Notify: yayab - C:\WINDOWS\system32\yayab.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

***************************************************************************


SDFix: Version 1.83

Run by Ryan Brindle - Tue 05/08/2007 - 11:43:32.89

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
kprof
NDnet1
ntldr.sys
poof
Runtime

ImagePath:
\??\C:\WINDOWS\system32\main.sys
\??\C:\WINDOWS\system32\kprof
\??\C:\WINDOWS\system32\ksys.sys
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\poof
\??\C:\WINDOWS\System32\drivers\runtime.sys

EXAMPLE - Deleted
kprof - Deleted
NDnet1 - Deleted
ntldr.sys - Deleted
poof - Deleted

Killing PID 164 'smss.exe'
Killing PID 236 'winlogon.exe'

ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\DOCUME~1\RYANBR~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\7VQ0GUC4\TPKTSK~2.HTM - Deleted
C:\DOCUME~1\RYANBR~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\D818GA6Y\TPKTSK~1.HTM - Deleted
C:\DOCUME~1\RYANBR~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\NGOH1EWK\TPKTSK~1.HTM - Deleted
C:\DOCUME~1\RYANBR~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\NGOH1EWK\TPKTSK~2.HTM - Deleted
C:\DOCUME~1\RYANBR~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\7VQ0GUC4\IS6734~1 - Deleted
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\partnership.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\5_exception.nls - Deleted
C:\WINDOWS\system32\koos.exe - Deleted
C:\WINDOWS\system32\kprof - Deleted
C:\WINDOWS\system32\ksys.sys - Deleted
C:\WINDOWS\system32\poof - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\wsys.dll - Deleted
C:\WINDOWS\Temp\svchost.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:lzx32.sys 71608
Total size: 71608 bytes.

system32: deleted 71608 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Ryan Brindle\NetHood\heitechmarketing.com\Desktop.ini
C:\Documents and Settings\Ryan Brindle\NetHood\reprorocket.com\Desktop.ini
C:\WINDOWS\system32\yayab.dll
C:\WINDOWS\system32\dllcache\cryptnet32.dll
C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Ryan Brindle\Application Data\Microsoft\Word\~WRL1287.tmp
C:\Documents and Settings\Ryan Brindle\Application Data\Microsoft\Word\~WRL1546.tmp
C:\Documents and Settings\Ryan Brindle\Application Data\Microsoft\Word\~WRL1976.tmp
C:\Documents and Settings\Ryan Brindle\Application Data\Microsoft\Word\~WRL2034.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\~WRL0744.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\~WRL1620.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\Billed Invoices\~WRL1706.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\HeiTechMarketing\~WRL0811.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\HeiTechMarketing\~WRL2938.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\HeiTechMarketing\Seimsicom\Sandisk\~WRL1932.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\HeiTechMarketing\Seimsicom\Sandisk\~WRL2220.tmp
C:\Documents and Settings\Ryan Brindle\My Documents\Personal\~WRL1511.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINNT\Temp\OLD119.tmp
C:\WINNT\Temp\OLD11A.tmp
C:\WINNT\Temp\OLD81.tmp
C:\WINNT\Temp\OLD82.tmp
C:\WINNT\Temp\OLD87.tmp
C:\WINNT\Temp\OLD88.tmp

Finished

#6 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 02:49 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\yayab.dll
C:\WINDOWS\system32\cbxwvsq.dll
C:\WINDOWS\system32\rpcc1.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

#7 flavor

  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2007 - 03:26 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ibttrihq

*******************

Script file located at: \??\C:\WINDOWS\system32\jevdsscf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\yayab.dll deleted successfully.
File C:\WINDOWS\system32\cbxwvsq.dll deleted successfully.
File C:\WINDOWS\system32\rpcc1.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminat

*******************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 1:22:23 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis\abc.bat

O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\cbxwvsq.dll (file missing)
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\pfwjffgy.dll
O2 - BHO: (no name) - {D70944E4-7F15-4F3A-8F8C-CA2EC1372552} - C:\WINDOWS\system32\yayab.dll (file missing)
O2 - BHO: (no name) - {E83CA763-AD77-41EA-912E-667216CEA8E9} - C:\WINDOWS\system32\xxwxv.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dhhqhgix.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MSWin-1740099457.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CMPWI.exe.LNK = C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cbxwvsq - cbxwvsq.dll (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: yayab - C:\WINDOWS\system32\yayab.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#8 flavor

  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2007 - 03:38 PM

PS I still have a lot of items picked up by AVG antivirus, but no matter which I click, heal or virus vault (and even if I delete the vault) AVG still keeps repeatedly warning me about them over and over...

#9 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 03:45 PM

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\pfwjffgy.dll
C:\WINDOWS\system32\dhhqhgix.dll
C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\cbxwvsq.dll (file missing)
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\pfwjffgy.dll
O2 - BHO: (no name) - {D70944E4-7F15-4F3A-8F8C-CA2EC1372552} - C:\WINDOWS\system32\yayab.dll (file missing)
O2 - BHO: (no name) - {E83CA763-AD77-41EA-912E-667216CEA8E9} - C:\WINDOWS\system32\xxwxv.dll (file missing)
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dhhqhgix.dll",realset
O4 - Startup: MSWin-1740099457.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: cbxwvsq - cbxwvsq.dll (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: yayab - C:\WINDOWS\system32\yayab.dll (file missing)
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.


Post the Avenger output.txt, the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

Edited by RichieUK, 08 May 2007 - 03:46 PM.

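As an added illustration, not part of this thread and not code from HijackThis, Avenger, SDFix or any other tool used here, the following Python script applies the same kind of triage RichieUK does by hand on the HijackThis log above: it flags entries whose referenced file is missing, unnamed Browser Helper Objects, Run entries that load a system32 DLL through rundll32 or point into a user's Startup folder, bare executables in the Startup folder, Winlogon Notify DLLs, and O16 ActiveX downloads from hosts other than microsoft.com. The sample lines are copied from the log posted in this thread; the rules, their names and the microsoft.com allow-list are my own heuristics (assumptions, not the tool's logic), and the script only produces a review list, it removes nothing.

```python
import re

# Constructed sample input: HijackThis 1.99.1 entries copied from the log
# posted earlier in this thread, with benign entries kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\cbxwvsq.dll (file missing)
O2 - BHO: (no name) - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\pfwjffgy.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dhhqhgix.dll",realset
O4 - Startup: MSWin-1740099457.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eJTjjuuwfb - {986B1A8F-32C1-B025-34DA-E74E95CB9019} - C:\WINDOWS\system32\yzq.dll (file missing)
"""

# Heuristic patterns (my assumptions, not HijackThis rules).
RUNDLL32_SYSTEM32 = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[^"\\]+\.dll', re.I)
USER_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
STARTUP_ENTRY = re.compile(r"O4 - Startup: (.+)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)


def triage_line(line):
    """Return a review reason for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O16", ...
    # Orphaned persistence: the registry still points at a file that is gone.
    if "(file missing)" in line or "(no file)" in line:
        return "orphaned entry: referenced file is gone"
    if section == "O2" and "(no name)" in line:
        return "Browser Helper Object with no name"
    if section == "O4":
        if RUNDLL32_SYSTEM32.search(line):
            return "Run entry loads a system32 DLL through rundll32"
        if USER_STARTUP_DIR.search(line):
            return "Run entry points into a user Startup folder"
        m = STARTUP_ENTRY.match(line)
        if m and not m.group(1).lower().endswith(".lnk"):
            return "bare executable in Startup folder (not a shortcut)"
    if section == "O16":
        m = URL_HOST.search(line)
        if m and not m.group(1).lower().endswith("microsoft.com"):
            return "ActiveX download from a non-Microsoft host (verify the vendor)"
    if line.startswith("O20 - Winlogon Notify:"):
        return "Winlogon Notify DLL (verify the vendor)"
    return None


def triage(log_text):
    """Return [(line, reason)] for every entry in the log worth reviewing."""
    findings = []
    for line in log_text.strip().splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the sample, the script flags nine of the fourteen lines and leaves the ATI, eFax, Windows Genuine Advantage, Google AppInit_DLLs and WPDShServiceObj entries alone, which matches the fix list RichieUK posted above. Treat the output as a list for a human to review, not as an automatic removal list: a missing-file entry is harmless on its own, and a name-based rule can be wrong in both directions.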

#10 flavor

  • Topic Starter

  • Members
  • 13 posts

Posted 09 May 2007 - 01:58 AM

There is no report log present in my AVG Anti-Spyware; my computer is running great now. Thanks.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ciryvqhx

*******************

Script file located at: \??\C:\WINDOWS\system32\ibunxkxb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\pfwjffgy.dll deleted successfully.
File C:\WINDOWS\system32\dhhqhgix.dll deleted successfully.
File C:\Documents and Settings\Ryan Brindle\Start Menu\Programs\Startup\MSWin-1740099457.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 11:55:05 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\RYANBR~1\LOCALS~1\Temp\Temporary Directory 3 for avenger.zip\avenger.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis\abc.bat

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: CMPWI.exe.LNK = C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

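As an added example (not part of the thread and not a HijackThis feature), the Python script below parses the O4, O17, O20 and O23 entry formats seen in the log above and marks the entries a responder would check by hand. Every flag is a review hint, not a verdict; the responder in the next post judged this log clean. The sample input reuses lines from the posted log plus one constructed O4 entry, labelled "constructed", so the user-writable-location check has something to fire on.

```python
"""Triage helper for HijackThis v1.99 log entries (added example, not a
HijackThis feature). Flags are hints for manual review, not verdicts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the log posted above, plus ONE
# constructed O4 entry (label "constructed") that is not in the posted log,
# so the user-writable-location check has something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - HKCU\..\Run: [constructed] C:\DOCUME~1\someone\LOCALS~1\Temp\loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A7F4C23-3F13-4856-AF82-ABCD47146A49}: NameServer = 68.28.50.11 68.28.58.11
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Entry formats as HijackThis 1.99 prints them (matched against the lines above).
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O4_RUNKEY = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Coarse markers for locations an unprivileged user (or a drive-by) can write to.
USER_WRITABLE = ("\\temp\\", "docume~1", "documents and settings",
                 "\\local settings\\", "\\application data\\")


@dataclass
class Entry:
    kind: str                 # O4, O17, O20 or O23
    label: str                # run-key value name, shortcut name, service name, ...
    target: str               # command line, DLL, binary path or DNS server list
    vendor: str = ""          # O23 only: the company string HJT printed
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT line into an Entry; returns None for sections not handled here."""
    m = O4_STARTUP.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"])
    m = O4_RUNKEY.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"])
    m = O17_DNS.match(line)
    if m:
        return Entry("O17", "NameServer", m["servers"])
    m = O20_APPINIT.match(line)
    if m:
        return Entry("O20", "AppInit_DLLs", m["dlls"])
    m = O23_SERVICE.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], vendor=m["vendor"])
    return None


def add_flags(entry: Entry) -> Entry:
    """Attach review hints. Nothing here is a verdict: a flagged line still
    needs a human to check the file against a known-good source."""
    low = entry.target.lower()
    if entry.kind == "O20" and entry.target.strip():
        entry.flags.append("AppInit_DLLs is set: this DLL loads into every process that loads user32.dll")
    elif entry.kind == "O17":
        entry.flags.append("confirm these DNS servers belong to your ISP")
    elif entry.kind == "O23":
        if entry.vendor.lower() == "unknown owner":
            entry.flags.append("no vendor string on the service binary")
        if low.endswith("(file missing)"):
            entry.flags.append("service registered but binary not found")
    if entry.kind in ("O4", "O23") and any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and attach flags; unrecognised lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is not None:
            entries.append(add_flags(entry))
    return entries


def flagged(log_text: str) -> List[Entry]:
    """Only the entries worth a second look."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.label}: {e.target}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The user-writable check is deliberately coarse (it matches on path substrings, including 8.3 short names such as DOCUME~1), so treat a hit as "look at this file", not as proof of anything.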
#11 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:11:04 AM

Posted 09 May 2007 - 03:34 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

*****************************

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
C:\Vundofix Backups
C:\QooBox
C:\Smitfraudfix
C:\SDFix
C:\Avenger
C:\ComboFix

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#12 flavor

  • Topic Starter
  • Members
  • 13 posts
  • Local time:05:04 AM

Posted 09 May 2007 - 08:13 PM

thanks, you rock!!!!!!!!!!!!!!!!!!!!!!!!!

#13 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:11:04 AM

Posted 10 May 2007 - 05:27 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.