Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Compter Infected - Virtumondae And Possibly More


  • Please log in to reply
6 replies to this topic

#1 JakeL

JakeL

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 17 May 2007 - 02:17 PM

I accidentally opened a corrupt .zip file the other day and infected my computer. I managed to fix most of it. But I still get ads while browsing the net, along with new shortcuts on my desktop, and dll file errors. Attached is my HJT Logfille:


Logfile of HijackThis v1.99.1
Scan saved at 3:04:09 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\UPS\UOWS\Messages\WSDMessaging.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT 1.9\Analyser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellbiz.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {429BAE4D-63D5-4024-A53D-6EE34D94F3C1} - C:\WINDOWS\system32\fdb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll
O3 - Toolbar: My Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 6.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LanTalk.NET] C:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvhon.dll,startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dstgcmcr.dll",realset
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [HijackThis startup scan] C:\HJT\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: My toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O9 - Extra 'Tools' menuitem: My Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.bettafoods.com
O15 - Trusted Zone: http://www.bettafoods.com
O15 - Trusted Zone: http://00e0439.netsolhost.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\iesvnsv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Here are some screenshots, maybe you can tell what it is from them?

Posted Image

Posted Image

Posted Image

BC AdBot (Login to Remove)

 


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:25 PM

Posted 19 May 2007 - 06:33 AM

Hi JakeL, :flowers:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

#3 JakeL

JakeL
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 21 May 2007 - 04:41 PM

Falu, thank you for your reply. Attached is a fresh HJT log.



Logfile of HijackThis v1.99.1
Scan saved at 7:24:33 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\UPS\UOWS\Messages\WSDMessaging.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\MAINDA~1\LOCALS~1\Temp\xpre.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT 1.9\Analyser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellbiz.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {129BAF4B-6580-4173-F63D-6EE34D94A991} - C:\WINDOWS\system32\yyvi.dll (file missing)
O2 - BHO: (no name) - {429BAE4D-63D5-4024-A53D-6EE34D94F3C1} - C:\WINDOWS\system32\fdb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll
O2 - BHO: 0 - {FDF1E23A-93BB-467B-B890-EE30A5379C68} - C:\Program Files\MSN Gaming Zone\lavun.dll (file missing)
O3 - Toolbar: My Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 6.0\ReminderApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LanTalk.NET] C:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvhon.dll,startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dstgcmcr.dll",realset
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [HijackThis startup scan] C:\HJT\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: My toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O9 - Extra 'Tools' menuitem: My Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.bettafoods.com
O15 - Trusted Zone: http://www.bettafoods.com
O15 - Trusted Zone: http://00e0439.netsolhost.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\iesvnsv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



EDIT: It seems that everytime I remove some of it, it reinstalls itself. Here is a fresh HJT log after it did a 'reinstall'

Edited by JakeL, 21 May 2007 - 06:29 PM.


#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:25 PM

Posted 25 May 2007 - 10:11 AM

Hi JakeL, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Falu, thank you for your reply.



You're very welcome.

1. Disable your real-time protection of AVG Anti-Spyware since it may hinder the fixes we want to make:

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

2. Download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

3. Download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

4. Run HijackThis, click Scan and checkmark the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {129BAF4B-6580-4173-F63D-6EE34D94A991} - C:\WINDOWS\system32\yyvi.dll (file missing)
O2 - BHO: (no name) - {429BAE4D-63D5-4024-A53D-6EE34D94F3C1} - C:\WINDOWS\system32\fdb.dll (file missing)
O2 - BHO: 0 - {FDF1E23A-93BB-467B-B890-EE30A5379C68} - C:\Program Files\MSN Gaming Zone\lavun.dll (file missing)
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvhon.dll,startup
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dstgcmcr.dll",realset
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\iesvnsv.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)


Pugi/Softomate toolbar variant. Occasionally a Softomate toolbar will be installed by a legitimate application, but most often they're installed by various non-legitimate means and in such a case they're obviously parasites. If in any doubt, remove that is checkmark it.

O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll

I am a big believer in having nothing in your trusted sites. The only advantage to have a domain in your trusted sites, is that it wont prompt you when installing software. This also means, that if a new exploit comes out where a site can spoof their domain to one that matches one in your trusted sites, then you will never know when they install software on your machine.
As these sites will still be able to install the software on your machine, even if you dont have the O15 entries, by just hitting yes to the prompt, I suggest leaving those empty. So please checkmark these as well:

O15 - Trusted Zone: www.bettafoods.com
O15 - Trusted Zone: http://www.bettafoods.com
O15 - Trusted Zone: http://00e0439.netsolhost.com


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip (right-click and choose Extract all) the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\smanager.7.exe
C:\WINDOWS\system32\drvhon.dll
C:\WINDOWS\system32\dstgcmcr.dll
C:\DOCUME~1\MAINDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Ipwindows
C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll<< If you checkmarked the 02 entry!!


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please post the Smitfraud report together with the combofix.txt and a fresh HijackThis log.

#5 JakeL

JakeL
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 29 May 2007 - 10:21 AM

Falu, I get a 404 when trying to download combofix. Apart from that, I was able to follow all your instructions. Attached are fresh logs for Hijack this and SmitFraudFix.

Attached Files


Edited by JakeL, 29 May 2007 - 10:24 AM.


#6 JakeL

JakeL
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 30 May 2007 - 11:17 AM

I was able to download combofix. I'm not sure why it wasn't working earlier. Here is the report.

Attached Files



#7 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:25 PM

Posted 01 June 2007 - 03:41 AM

Hi, JakeL

Needed some more time after you posted the Combofix report.

1.

Attached are fresh logs for Hijack this and SmitFraudFix.


Please copy/paste the reports/logs into your post and don't add them as an attachment.

2. Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\CE442A3590.sys
C:\WINDOWS\system32\90352A44CE.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

3. 2. Run HijackThis, click Scan and checkmark the following entries:

O3 - Toolbar: My Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\PROGRA~1\TEXT-R~1\MYTOOL~1\TRReaderBar_.dll (file missing)

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

4. In the attachment you see a zipped file. Unzip it to your desktop: right-click it and choose Extract all. Now click the unzipped file: fix.

5. Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\pog
C:\TEMP\0b9
C:\WINDOWS\system32\sstts.dll.vir
C:\WINDOWS\tasks\User_Feed_Synchronization-{D2153B07-F49F-4058-B702-860CF3B49052}.job


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

6. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

7. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u1). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have next icon next to it: Posted Image
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u1
8. Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Please post the F-Secure report along with a fresh HijackThis log.

Attached Files

  • Attached File  fix.zip   325bytes   1 downloads





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users