Help

This topic is locked
31 replies to this topic
#1 sheepish

Posted 23 May 2007 - 10:10 AM

I get an error message that pops up once in a while: Rundll32 / "Error, cannot load viow (all in symbols). The required module cannot be found"

Ran spybot and adaware to no avail.

My internet is very congested and I would like to remove this bloody virus.

Help please.

Here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:46 AM, on 5/22/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system\msnmsgr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe


#2 jurgenv

Posted 24 May 2007 - 10:22 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Greets Jürgenv

#3 sheepish (Topic Starter)

Posted 25 May 2007 - 02:39 PM

OK.

Ran SDFix, here's the logfile:


SDFix: Version 1.84

Run by ***** - Fri 05/25/2007 - 15:19:06.62

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
msnntlp
msnntlp

ImagePath:
"C:\WINDOWS\system\msnntlp.exe"

msnntlp - Deleted

Killing PID 200 'smss.exe'
Killing PID 276 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system\msnntlp.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\directxclickers.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\TFTP1440 - Deleted
C:\WINDOWS\system32\TFTP2492 - Deleted
C:\WINDOWS\system32\TFTP2504 - Deleted
C:\WINDOWS\system32\TFTP4016 - Deleted
C:\WINDOWS\system32\wbem\wbemstest.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\SYSTEM32\DLOAD.EXE - Deleted
C:\WINDOWS\system32\svcchosst.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\wbem\\wbemstest.exe"="C:\\WINDOWS\\System32\\wbem\\wbemstest.exe:*:Enabled:Server Runtime Process"
"C:\\WINDOWS\\System32\\wbem\\wmiadapi.exe"="C:\\WINDOWS\\System32\\wbem\\wmiadapi.exe:*:Enabled: AutoDiscovery/AutoPurge (ADAP) Service"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\livemsgr.exe
C:\WINDOWS\system32\wbem\wmiadapi.exe

Finished




Followed by the hijackthis logfile:





Logfile of HijackThis v1.99.1
Scan saved at 3:27:02 PM, on 5/25/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {27B319AB-B96E-4ADD-9742-94E6AB5465CE} - C:\WINDOWS\System32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {2E65C9EF-D5FA-4321-BB3D-04A382D04655} - C:\WINDOWS\system32\nnnkkig.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\System32\umjfmsga.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



I also ran VundoFix ... hence (I think) the "file missing" for the BHOs. The msnmsgr32.exe file I removed from C:\WINDOWS\system and deleted, since I don't have that program installed.

Awaiting the next step.

Edited by sheepish, 25 May 2007 - 02:40 PM.


#4 jurgenv

Posted 25 May 2007 - 03:11 PM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Greets Jürgenv

#5 sheepish (Topic Starter)

Posted 25 May 2007 - 03:40 PM

The active problem seems to have been taken care of, but those .dll and msnmsgr files that come up in hijackthis should be removed, yeah?

Here's the combofix log:

"*****" - 2007-05-25 16:27:32 Service Pack 2, RC 2.2
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\*****\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-25 15:11 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-05-25 13:40 50,745 --a------ C:\WINDOWS\system32\umjfmsga.dll
2007-05-24 10:54 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-24 10:54 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-24 10:54 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-24 10:53 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-24 10:53 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-24 10:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-24 10:34 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-24 10:26 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-24 10:26 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-24 10:26 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-24 10:26 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-24 10:26 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-24 10:26 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-24 10:14 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-24 10:02 65,024 --a------ C:\WINDOWS\system32\mswsgs.exe
2007-05-22 12:01 229,376 -r-hs---- C:\WINDOWS\system32\livemsgr.exe
2007-05-22 10:42 <DIR> d-------- C:\hijackthis
2007-05-22 10:17 41,472 --a------ C:\WINDOWS\system32\ge1.exe
2007-05-22 01:02 68,096 --a------ C:\adas.exe
2007-05-21 23:56 155,648 --a------ C:\adsdw.exe
2007-05-21 18:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-14 07:22 <DIR> d-------- C:\software
2007-05-14 07:07 <DIR> d-------- C:\NeverwinterNights
2007-05-14 07:06 <DIR> d-------- C:\simbackup


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 05:34:12 68,096 ----a-w C:\ruhn2.exe
2003-01-10 09:08:00 69,120 --sh--r C:\WINDOWS\system32\wbem\wmiadapi.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{27B319AB-B96E-4ADD-9742-94E6AB5465CE}=C:\WINDOWS\System32\pmnlm.dll []
{2E65C9EF-D5FA-4321-BB3D-04A382D04655}=C:\WINDOWS\system32\nnnkkig.dll []
{4B646AFB-9341-4330-8FD1-C32485AEE619}=C:\WINDOWS\System32\umjfmsga.dll [2007-05-25 13:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]


and

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:37 PM, on 5/25/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {27B319AB-B96E-4ADD-9742-94E6AB5465CE} - C:\WINDOWS\System32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {2E65C9EF-D5FA-4321-BB3D-04A382D04655} - C:\WINDOWS\system32\nnnkkig.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\System32\umjfmsga.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks again for help so far.

#6 jurgenv

Posted 25 May 2007 - 03:50 PM

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says "Paste List of Files/Folders to be Moved", copy and paste the following:

C:\WINDOWS\system32\mswsgs.exe
C:\WINDOWS\system32\livemsgr.exe
C:\hijackthis
C:\WINDOWS\system32\ge1.exe
C:\adas.exe
C:\adsdw.exe
C:\WINDOWS\system32\wbem\wmiadapi.exe
C:\WINDOWS\System32\umjfmsga.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new HijackThis log.

Greets Jürgenv

#7 sheepish (Topic Starter)

Posted 25 May 2007 - 04:05 PM

moveit logfile:

C:\WINDOWS\system32\mswsgs.exe moved successfully.
C:\WINDOWS\system32\livemsgr.exe moved successfully.
Folder move failed. C:\hijackthis\backups\backup-20070525-150911-879 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150708-946 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150457-526 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150303-359 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150303-122 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150229-828 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150229-682 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150229-607 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150229-559 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070525-150229-160 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070524-095420-296 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070523-200243-970 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070523-200243-795 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070523-200243-575 scheduled to be moved on reboot.
Folder move failed. C:\hijackthis\backups\backup-20070523-200243-471 scheduled to be moved on reboot.
C:\hijackthis\backups moved successfully.
C:\hijackthis moved successfully.
C:\WINDOWS\system32\ge1.exe moved successfully.
C:\adas.exe moved successfully.
C:\adsdw.exe moved successfully.
C:\WINDOWS\system32\wbem\wmiadapi.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\umjfmsga.dll
C:\WINDOWS\System32\umjfmsga.dll NOT unregistered.
C:\WINDOWS\System32\umjfmsga.dll moved successfully.

Created on 05/25/2007 16:55:16



hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:01:06 PM, on 5/25/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\_OTMoveIt\MovedFiles\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {27B319AB-B96E-4ADD-9742-94E6AB5465CE} - C:\WINDOWS\System32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {2E65C9EF-D5FA-4321-BB3D-04A382D04655} - C:\WINDOWS\system32\nnnkkig.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\System32\umjfmsga.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 jurgenv

Posted 25 May 2007 - 04:11 PM

My god, I accidentally let you remove HijackThis; this was a copy/paste error. I see you've downloaded HijackThis again. :thumbsup:

* Please open hijackthis and put a check next to the following:

O2 - BHO: (no name) - {27B319AB-B96E-4ADD-9742-94E6AB5465CE} - C:\WINDOWS\System32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {2E65C9EF-D5FA-4321-BB3D-04A382D04655} - C:\WINDOWS\system32\nnnkkig.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\System32\umjfmsga.dll (file missing)
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found: [image]
  • If so, click it, then click the icon right below it and select "Move incurable", as shown in the next image:
    [image]
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because it could be that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

Greets Jürgenv

#9 sheepish (Topic Starter)

Posted 25 May 2007 - 07:24 PM

OK. Exhaustingly long scan done. Here's the logfile for Dr.Web:

mssysroot.sys;c:\;Trojan.Fuzen;Deleted.;
backup-20030522-172802-388.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-172802-720.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-172802-969.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-173018-321.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-173018-831.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-173120-149.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20030522-173120-797.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101754-165.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101754-665.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101821-448.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101821-811.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101834-228.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101834-643.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101902-553.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101902-828.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101914-915.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-101914-964.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-102332-427.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-102332-443.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-102415-458.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070522-102415-471.dll;C:\Program Files\hijackthis\backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
msnntlp.exe;C:\SDFix\backups_old1;BackDoor.IRC.Sdbot.983;Deleted.;
sdrmon.exe;C:\simbackup\Archivos de programa\Archivos comunes\DriveCleaner 2006 Free;Trojan.DownLoader.13909;Deleted.;
iblyvij[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\092381IZ;BackDoor.Bulknet;Deleted.;
uawkhuhrby[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\092381IZ;Trojan.Fakealert.257;Deleted.;
axqnnnky[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\81ABKLA7;Trojan.Anonce;Deleted.;
s5[1].exe;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\81ABKLA7;Trojan.Virtumod;Deleted.;
uawkhuhrby[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\81ABKLA7;Trojan.Fakealert.257;Deleted.;
fagdnnxh[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.DownLoader.19256;Deleted.;
s4[1].exe;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.DownLoader.20865;Deleted.;
uawkhuhrby[1].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.Fakealert.257;Deleted.;
uawkhuhrby[3].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.Fakealert.257;Deleted.;
uawkhuhrby[4].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.Fakealert.257;Deleted.;
uawkhuhrby[5].htm;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\8H6R4PA7;Trojan.Fakealert.257;Deleted.;
npvsftpq[1].txt;C:\simbackup\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\SXIJ8PIN;Trojan.DownLoader.21577;Deleted.;
installdrivecleanerstart_es[1].exe;C:\simbackup\Documents and Settings\user\Configuración local\Archivos temporales de Internet\Content.IE5\89UJC56N;Trojan.DownLoader.20393;Deleted.;
errorsafefreeinstall[1].exe;C:\simbackup\Documents and Settings\user\Datos de programa;Trojan.DownLoader.10963;Deleted.;
errorsafescannerinstall_es[1].exe;C:\simbackup\Documents and Settings\user\Datos de programa;Trojan.DownLoader.10963;Deleted.;
winantispyware2006freeinstall_es[1].exe;C:\simbackup\Documents and Settings\user\Datos de programa;Trojan.DownLoader.10963;Deleted.;
A0008405.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008421.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008422.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008423.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008424.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008425.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008426.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008427.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008428.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008429.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008430.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008431.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008432.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008433.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008434.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008435.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008436.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008437.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008438.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008439.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008440.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008441.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008442.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008565.sys;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Fuzen;Deleted.;
A0008566.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008567.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008568.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008569.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008570.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008571.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008572.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008573.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008574.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008575.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008576.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008577.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008578.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008579.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008580.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008581.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008582.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008583.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008584.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008585.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008586.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008587.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;BackDoor.IRC.Sdbot.983;Deleted.;
A0008588.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.13909;Deleted.;
A0008589.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.Virtumod;Deleted.;
A0008590.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.20865;Deleted.;
A0008591.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.20393;Deleted.;
A0008592.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.10963;Deleted.;
A0008593.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.10963;Deleted.;
A0008594.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP10;Trojan.DownLoader.10963;Deleted.;
A0006312.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP8;BackDoor.IRC.Sdbot.983;Deleted.;
A0006319.exe;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP8;BackDoor.IRC.Sdbot.983;Deleted.;
A0008348.dll;C:\System Volume Information\_restore{7B15359C-6728-46B9-BDE5-E3A6118554FA}\RP9;Trojan.Virtumod;Deleted.;
bcuuhcpd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
brqmqmni.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
byxwuvv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
cbxvvwx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
cbxxywx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ddcaaxv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
efcyyaa.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
fcccaaw.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
gebbbyv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hggedde.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hgggfca.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hgghfef.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
iifgdda.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ijlxeilm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
khfcdcb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mljgebb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mlljg.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
nnnkkig.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
nnnmjkj.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
nnnmlif.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
opnkjhi.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
opnkjkl.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
opnliff.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmnlm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
urqopom.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
urqqnon.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
urqrstu.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
uxmgektl.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vturppp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wvurpno.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wvurssp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wvuvvts.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mssysroot.sys;C:\WINDOWS\system32;Trojan.Fuzen;Deleted.;
adsdw.exe;C:\_OTMoveIt\MovedFiles;Trojan.Spambot;Deleted.;
ge1.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;BackDoor.IRC.Sdbot.983;Deleted.;
livemsgr.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Win32.HLLW.MyBot;Deleted.;
umjfmsga.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Virtumod;Deleted.;


and the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:18:55 PM, on 5/25/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\_OTMoveIt\MovedFiles\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 sheepish


Posted 25 May 2007 - 07:25 PM

and about that deleting hijackthis deal:

shows how much I trust you, huh? probably a bad thing on my part.

no worries anyway.

#11 sheepish


Posted 29 May 2007 - 11:47 AM

we still going here?

#12 jurgenv


Posted 29 May 2007 - 11:55 AM

* Please open hijackthis and put a check next to the following:

O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, redo a scan with SDfix and combofix and post the reports here.
Greets Jürgenv

Donation: Click me.

#13 sheepish


Posted 30 May 2007 - 10:38 AM

SDFix log:


SDFix: Version 1.84

Run by ********* - Wed 05/30/2007 - 11:18:24.21

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\TFTP2004 - Deleted
C:\WINDOWS\system32\TFTP2464 - Deleted
C:\WINDOWS\system32\TFTP3856 - Deleted
C:\WINDOWS\system32\wbem\wbemstest.exe - Deleted
C:\WINDOWS\system32\WinDLCT.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.


Combofix log:


"*******" - 2007-05-30 11:25:31 Service Pack 2, RC 2.2
ComboFix 07-05.26.V - Running from: "C:\Documents and Settings\*******\Desktop\Anti-virus\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-30 ))))))))))))))))))))))))))))))))))


2007-05-29 17:01 81,821 -ra------ C:\WINDOWS\system32\wbemstest.exe
2007-05-29 15:29 <DIR> d-------- C:\DOCUME~1\*******\APPLIC~1\Apple Computer
2007-05-28 11:12 <DIR> d-------- C:\*******
2007-05-27 17:46 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-27 17:46 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-27 17:46 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-05-27 17:46 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-27 17:42 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-27 17:32 <DIR> d-------- C:\Program Files\Winamp
2007-05-27 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-27 15:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-27 14:48 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-27 14:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-27 14:48 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-25 17:19 <DIR> d-------- C:\DOCUME~1\*******\DoctorWeb
2007-05-25 16:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-25 15:11 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-05-24 10:54 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-24 10:54 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-24 10:54 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-24 10:53 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-24 10:53 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-24 10:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-24 10:34 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-24 10:26 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-24 10:26 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-24 10:26 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-24 10:26 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-24 10:26 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-24 10:26 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-24 10:14 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-21 18:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-14 07:22 <DIR> d-------- C:\software
2007-05-14 07:12 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-14 07:09 <DIR> d-------- C:\mp3
2007-05-14 07:07 <DIR> d-------- C:\NeverwinterNights
2007-05-14 07:06 <DIR> dr------- C:\Photos
2007-05-14 07:06 <DIR> d-------- C:\simbackup


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 05:34:12 68,096 ----a-w C:\ruhn2.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22]
"Distributed Link Client Tracking"="WinDLCT.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-01-10 02:07]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
"Distributed Link Client Tracking"="WinDLCT.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Distributed Link Client Tracking"=WinDLCT.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Live Messanger"=livemsgr.exe
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe
"Distributed Link Client Tracking"=WinDLCT.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
AutoDiscovery/AutoPurge (ADAP) Service C:\WINDOWS\System32\wbem\wmiadapi.exe


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 11:26:56
Windows 5.1.2600 Service Pack 2, RC 2.2 NTFS

scanning hidden processes ...

cmd.exe [6876]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-30 11:27:38
C:\ComboFix2.txt ... 2007-05-25 16:31

--- E O F ---


and Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:34 AM, on 5/30/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\_OTMoveIt\MovedFiles\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Distributed Link Client Tracking] WinDLCT.exe
O4 - HKLM\..\RunServices: [Distributed Link Client Tracking] WinDLCT.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Distributed Link Client Tracking] WinDLCT.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 jurgenv


Posted 30 May 2007 - 11:02 AM

* Please run Notepad and paste the following text into a new file:

REGEDIT4


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Distributed Link Client Tracking"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Distributed Link Client Tracking"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Live Messanger"=-
"Server Runtime Process"=-
"Distributed Link Client Tracking"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the following:

C:\WINDOWS\system32\wbemstest.exe
C:\ruhn2.exe
C:\WINDOWS\system32\WinDLCT.exe
C:\WINDOWS\System32\wbem\wmiadapi.exe


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new hijackthis log.
Greets Jürgenv

Donation: Click me.
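An added example, not from this thread or from any of the tools named in it, that does the same clean-up step programmatically: it reads HijackThis-style O4 lines, picks out the Run values that still point at image files the scanners already deleted (the orphaned "Distributed Link Client Tracking" entries above), and writes the REGEDIT4 deletion file the way jurgenv wrote it by hand; O23 services marked "(file missing)" are listed separately, since a service needs HijackThis's Fix Checked rather than a Run-value deletion. The sample lines and the removed-file set are constructed from the logs in this thread, and the HKLM/HKCU expansion to the standard CurrentVersion\Run keys and all function names are my own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the HijackThis lines posted in this thread (not a real log file).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Distributed Link Client Tracking] WinDLCT.exe
O4 - HKLM\..\RunServices: [Distributed Link Client Tracking] WinDLCT.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Distributed Link Client Tracking] WinDLCT.exe
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Image names the SDFix / Dr.Web reports in this thread show as deleted; Run values naming them are orphaned.
REMOVED_FILES: Set[str] = {"windlct.exe", "wbemstest.exe", "livemsgr.exe"}

# Assumed expansion of HijackThis's hive abbreviations to the full Run keys a .reg file needs.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: .* \((\w+)\) - .* - (.+?) \(file missing\)$")


def image_name(cmd: str) -> str:
    """Reduce a Run command (quoted path plus arguments, or a bare name) to its lower-cased file name."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def orphaned_run_values(log: str, removed: Set[str]) -> List[Tuple[str, str]]:
    """(full registry key, value name) for every O4 entry whose image file was already removed."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m and image_name(m.group(4)) in removed:
            hive, key, name = m.group(1), m.group(2), m.group(3)
            hits.append((f"{HIVES[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}", name))
    return hits


def missing_services(log: str) -> List[Tuple[str, str]]:
    """(service short name, image path) for O23 services HijackThis marks '(file missing)'."""
    return [(m.group(1), m.group(2)) for m in map(O23_RE.match, log.splitlines()) if m]


def build_reg_fix(entries: List[Tuple[str, str]]) -> str:
    """REGEDIT4 text: a '"name"=-' line deletes that value from its key when the file is merged."""
    by_key: Dict[str, List[str]] = {}
    for key, name in entries:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_reg_fix(orphaned_run_values(SAMPLE_LOG, REMOVED_FILES)))
    for svc, path in missing_services(SAMPLE_LOG):
        print(f"service {svc} points at missing {path}: fix the O23 line in HijackThis instead")
```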

#15 sheepish


Posted 30 May 2007 - 02:53 PM

otmoveit log:

C:\WINDOWS\system32\wbemstest.exe moved successfully.
C:\ruhn2.exe moved successfully.
File/Folder C:\WINDOWS\system32\WinDLCT.exe not found.
File/Folder C:\WINDOWS\System32\wbem\wmiadapi.exe not found.

Created on 05/30/2007 15:46:24


hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:52 PM, on 5/30/2007
Platform: Windows XP SP2, RC 2.2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1152)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\_OTMoveIt\MovedFiles\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Distributed Link Client Tracking] WinDLCT.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180027358750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180026852546
O17 - HKLM\System\CCS\Services\Tcpip\..\{8629A97A-FDCD-459C-9842-DCD8CCF3E2D3}: NameServer = 200.28.4.129 200.28.4.130
O23 - Service: msn msgr 32-bit client process (msnmsgr32) - Unknown owner - C:\WINDOWS\system\msnmsgr32.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



