Infected With Smitfraud-c.toolbar888 And Others


23 replies to this topic

#1 hastinmw
  • Members
  • 21 posts

Posted 31 May 2007 - 01:14 PM

I have run Ad-Aware and Spybot to get rid of this and other malware. I am running AVG with the latest defs and it keeps "catching" various trojans. The Windows Firewall is disabled and I cannot turn it on through Control Panel. If I try to log in as Administrator under normal boot it says the account is restricted. If I try to boot into safe mode, the desktop (explorer.exe) exits and I can only run processes through Ctrl+Alt+Del and Task Manager.

I would appreciate any help with this.

Here is my log -

Logfile of HijackThis v1.99.1
Scan saved at 12:59:41 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bdihwnmi.dll",realset
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119721320499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179537590030
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#2 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 June 2007 - 04:10 AM

Hello hastinmw, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 June 2007 - 04:53 AM

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: moving HijackThis
You are running HijackThis from the Desktop. Because HijackThis is both for analysis and repair it is essential that it runs from within its own folder: HijackThis makes backups of the repairs in case there is a need for reversal of the procedure and you are probably more apt to delete the backups if HijackThis is running from the Desktop.
Please move HijackThis.exe into its own directory on the C: drive by following these steps:
1. Navigate to the C: drive using Windows Explorer or My Computer.
2. Right-click in the folder window and select New > Folder.
3. Name the folder "HijackThis" (without the quotation marks).
4. Move HijackThis.exe from the Desktop into the newly created directory.
NOTE: HijackThis.exe is now located in C:\HijackThis.

Step #2: renaming HijackThis
Navigate to C:\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter.

Step #3: HijackThis scan
Double-click fluffybunny.exe (the HijackThis.exe file) and when the HijackThis window opens, click on the Do a system scan and save a logfile button. HijackThis will perform a system scan, and when the scan is complete, Notepad will open up containing the scan results. The HijackThis log will be automatically saved to the HijackThis folder. Copy the entire contents of the new HijackThis log and post them here.

#4 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 07:34 AM

Thanks for your response. Here is the latest log with FluffyBunny.exe in its own folder.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:29 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Jason\Application Data\U3\0000060423046200\LaunchPad.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HiJackThis\FluffyBunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {4596BD6C-6D3A-4327-8F75-81AF18D4316F} - C:\WINDOWS\System32\gebcd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\gcxmmjho.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bdihwnmi.dll",realset
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119721320499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179537590030
O20 - Winlogon Notify: gebcd - C:\WINDOWS\System32\gebcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#5 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 June 2007 - 12:01 PM

Hello again, hastinmw. Let's continue.
________________________________________________________________________________
Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: VundoFix
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe

Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #2: SmitfraudFix scan
In the topic title of this topic, you stated that you have a Smitfraud infection. Please download SmitfraudFix by S!Ri in order to check if Smitfraud is present.
Download SmitfraudFix (SmitfraudFix.exe)

Once downloaded, double-click SmitfraudFix.exe to run SmitfraudFix.
Select option #1 - Search by typing 1 and press Enter; a text file will appear which lists infected files (if present).
Please copy/paste the entire contents of that report into your next reply.

NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.WEB, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Step #3: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- the SmitfraudFix report
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the logs.

#6 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 12:26 PM

Here is -


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 12:06:33 PM 6/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\bdihwnmi.dll
C:\WINDOWS\System32\dcbeg.bak1
C:\WINDOWS\System32\dcbeg.bak2
C:\WINDOWS\System32\dcbeg.ini
C:\WINDOWS\System32\dcbeg.ini2
C:\WINDOWS\System32\dcbeg.tmp
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\System32\gebcd.dll
C:\WINDOWS\system32\imnwhidb.ini
C:\WINDOWS\system32\koloaflw.dll
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\wlfaolok.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bdihwnmi.dll
C:\WINDOWS\system32\bdihwnmi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.bak1
C:\WINDOWS\System32\dcbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.bak2
C:\WINDOWS\System32\dcbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.ini
C:\WINDOWS\System32\dcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.ini2
C:\WINDOWS\System32\dcbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.tmp
C:\WINDOWS\System32\dcbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\gebcd.dll
C:\WINDOWS\System32\gebcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\imnwhidb.ini
C:\WINDOWS\system32\imnwhidb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\koloaflw.dll
C:\WINDOWS\system32\koloaflw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\ssttu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wlfaolok.ini
C:\WINDOWS\system32\wlfaolok.ini Has been deleted!

Performing Repairs to the registry.
Done!




Proceeding with SmitFraudFix. I will post that result next.
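
The Vundo call in post #5 rests on patterns that are visible in the post #4 log: two BHOs with no name loading DLLs straight out of System32, a Run entry named [setup] that loads a System32 DLL through rundll32, and a Winlogon Notify handler carrying the same five-letter name as one of those DLLs. The VundoFix listing in post #6 shows another trait of these variants: the dropped files come in pairs whose base names are the reverse of each other (gebcd.dll beside dcbeg.ini, ssqpm.dll beside mpqss.ini). The script below is an added example, not code from HijackThis, VundoFix or BleepingComputer; it encodes those checks as a small triage over sample lines constructed from the logs above. Its allowlists of Windows Winlogon Notify handlers and of vendor DLLs that legitimately start through rundll32 are assumptions for this example and would need tuning for another machine.

```python
"""Triage of HijackThis v1.99 log lines for Vundo-style persistence.

Added example: not code from HijackThis, VundoFix or BleepingComputer.
The sample inputs below are constructed from the logs posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the post #4 log plus benign neighbours.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {4596BD6C-6D3A-4327-8F75-81AF18D4316F} - C:\WINDOWS\System32\gebcd.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\gcxmmjho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bdihwnmi.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: gebcd - C:\WINDOWS\System32\gebcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: the file list from the VundoFix output in post #6.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\bdihwnmi.dll", r"C:\WINDOWS\System32\dcbeg.bak1",
    r"C:\WINDOWS\System32\dcbeg.ini", r"C:\WINDOWS\system32\ddcyv.dll",
    r"C:\WINDOWS\System32\gebcd.dll", r"C:\WINDOWS\system32\imnwhidb.ini",
    r"C:\WINDOWS\system32\koloaflw.dll", r"C:\WINDOWS\system32\mlnmp.ini",
    r"C:\WINDOWS\system32\mpqss.ini", r"C:\WINDOWS\system32\pmnlm.dll",
    r"C:\WINDOWS\system32\qttss.ini", r"C:\WINDOWS\system32\ssqpm.dll",
    r"C:\WINDOWS\system32\ssttq.dll", r"C:\WINDOWS\system32\ssttu.dll",
    r"C:\WINDOWS\system32\uttss.ini", r"C:\WINDOWS\system32\vycdd.ini",
    r"C:\WINDOWS\system32\wlfaolok.ini",
]

# Assumed allowlists for this example (not taken from the thread): Notify
# handlers Windows XP SP2 registers itself, and vendor DLLs that legitimately
# start through rundll32 on this particular machine.
KNOWN_NOTIFY_HANDLERS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "nvmctray.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section prefix (O2, O4, O20)
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    low = path.lower()
    return "\\windows\\system32\\" in low or "\\windows\\system\\" in low


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a suspicious pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # Legitimate BHOs carry a product name and live under Program Files;
            # an unnamed one loaded straight from System32 is the Vundo signature.
            if m.group("name") == "(no name)" and in_system_dir(m.group("path")):
                findings.append(Finding("O2", "unnamed BHO loading a DLL from the Windows system directory", line))
            continue
        m = O4_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m.group("cmd"))
            if dll and basename(dll.group("dll")).lower() not in KNOWN_RUNDLL32_DLLS:
                findings.append(Finding("O4", f"Run entry [{m.group('key')}] loads unrecognised DLL "
                                              f"{basename(dll.group('dll'))} via rundll32", line))
            continue
        m = O20_RE.match(line)
        # Notify packages are loaded by winlogon.exe at every logon, safe mode
        # included, so a rogue one survives the usual safe-mode clean-up.
        if m and m.group("key").lower() not in KNOWN_NOTIFY_HANDLERS:
            findings.append(Finding("O20", f"Winlogon Notify handler '{m.group('key')}' is not a known Windows component", line))
    return findings


def mirrored_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Find file stems that are the reverse of another stem in the list."""
    stems: Dict[str, List[str]] = {}
    for p in paths:
        stem = basename(p).rsplit(".", 1)[0].lower()
        stems.setdefault(stem, []).append(p)
    pairs = set()
    for stem in stems:
        rev = stem[::-1]
        if rev != stem and rev in stems:
            pairs.add(tuple(sorted((stem, rev))))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
    print("mirrored stems:", mirrored_pairs(SAMPLE_VUNDOFIX_FILES))
```

Run against the sample, the triage flags the two unnamed BHOs, the [setup] rundll32 entry and the gebcd Notify handler while leaving the NVIDIA, AVG and WgaLogon entries alone, and the stem check pairs up all eight mirrored names from the VundoFix list; the allowlists are the part to revisit first when a different machine's log is fed in.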

#7 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 12:38 PM

Here is SmitFraudFix (I rebooted into safe mode - seems to be working now)

SmitFraudFix v2.189

Scan done at 12:27:23.60, Fri 06/01/2007
Run from C:\Program Files\HiJackThis\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8 jf8e"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\susp.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8 jf8e"



»»»»»»»»»»»»»»»»»»»»»»»» End


I am sorry. I didn't follow instructions. I did a full clean.

Edited by hastinmw, 01 June 2007 - 12:46 PM.


#8 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 12:44 PM

Last but not least here is HijackThis log -

Logfile of HijackThis v1.99.1
Scan saved at 12:37:06 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Jason\Application Data\U3\0000060423046200\LaunchPad.exe
C:\Program Files\HiJackThis\FluffyBunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {75B1DFEB-8BD6-496C-BE82-AF7E22AC7AE5} - C:\WINDOWS\System32\gebcd.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\gcxmmjho.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119721320499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179537590030
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe





I have still not established an ethernet/internet connection.

#9 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 02:53 PM

Here is just some more information. I think the VundoFix gave me back my Safe Mode usability. I also found a MSKB article on reinstalling the Firewall from SP2 at http://support.microsoft.com/kb/920074/en-us. It seems to be working now.

Edited by hastinmw, 01 June 2007 - 02:58 PM.


#10 hastinmw
  • Topic Starter
  • Members
  • 21 posts

Posted 01 June 2007 - 03:27 PM

Something new. I was curious (usually a bad thing) and ran Spybot again as a normal user. It found the SmitFraud-C.Toolbar888 again. I reran SmitFraudFix in search mode. Here is the report.

SmitFraudFix v2.189

Scan done at 15:14:50.89, Fri 06/01/2007
Run from C:\Program Files\HiJackThis\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jason\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8 jf8e"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#11 htv8

Posted 01 June 2007 - 03:33 PM

Hello again, hastinmw.

> I am sorry. I didn't follow instructions. I did a full clean.

OK. There is nothing to worry about now, but please make sure from now on that you follow the instructions exactly as written. Also work through the fixes in the exact order in which they are mentioned. This is important.

> [...] I also found an MSKB article on reinstalling the Firewall from SP2 at http://support.microsoft.com/kb/920074/en-us. It seems to be working now.

Your HijackThis log shows that you are using Sygate Personal Firewall and that is good! This software firewall is a way more powerful firewall than the Windows Firewall. Windows Firewall blocks unsolicited incoming traffic. However, you cannot configure Windows Firewall to block outgoing traffic. Therefore, in order to prevent unauthorised traffic both out of and into your computer, having installed and running another firewall (like the Sygate Personal Firewall) is really recommended. It is important that you use a good software firewall in order to keep your computer safe and secure on the Internet.
If you are already using the Sygate Personal Firewall, it is best to disable the Windows Firewall. You don't need two firewalls, and having two firewalls enabled at the same time can even cause (instability) problems. Often when you install a third-party security suite that includes a software firewall, the setup program for that software even disables the Windows Firewall for the reason mentioned above.

Now please continue with the instructions below. We are not done yet.
________________________________________________________________________________
Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: UploadMalware.com malware submission
Please go to UploadMalware.com and follow these steps to submit malware to UploadMalware.com for analysis:
1. In the Name: field, please enter the display name you use on this forum.
2. In the Email or Topic: field, please copy/paste the entire link to this topic.
3. Click the first Browse… button (located next to File(s) To Submit:).
4. Navigate to this file that I want you to submit (if it is present): C:\WINDOWS\system32\gcxmmjho.dll
5. In the Comments and Further Info: field, please mention that I asked you to upload this file.
6. Click the Send File(s) button to submit the file(s) found.

Step #2: VundoFix
If not already downloaded, please download VundoFix.exe to your Desktop.
Download VundoFix.exe

Now please follow these steps:
1. Double-click VundoFix.exe to run VundoFix.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. If it says: "No infected files were found.", right-click inside the list box (white box) in the main VundoFix window.
5. Select the option labelled "Add more files?" from the menu that comes up. This will open a new VundoFix window.
6. In that window, copy the entire file path inside the CODE box below and paste it into the first (top) field:
C:\WINDOWS\system32\gcxmmjho.dll
7. Click the Add File(s) button.
8. Click the Close Window button.
9. Click the Remove Vundo button.
10. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
11. When completed, it will prompt that it will shut down your computer. Click OK.
12. Turn your computer back on.
13. Post the entire contents of C:\vundofix.txt in your next reply.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #3: HijackThis scan
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
O2 - BHO: (no name) - {75B1DFEB-8BD6-496C-BE82-AF7E22AC7AE5} - C:\WINDOWS\System32\gebcd.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\gcxmmjho.dll


Close all other windows - you should only see HijackThis on your Desktop - and then click the Fix checked button.

Step #4: files removal
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


Using Windows Explorer (to get there, right-click your Start button and go to Explore), please delete these files (if present):
C:\WINDOWS\System32\gebcd.dll
C:\WINDOWS\system32\gcxmmjho.dll

Reboot your computer to boot back into normal mode.

Step #5: registry backup & fix
I want you to back up the registry, because we are going to make a few changes to it. Please follow these steps to export the registry key we want to back up to a .reg file:
1. Close all programs so that you have nothing open and are at the Desktop.
2. Go to Start > Run.
3. In the Open: field copy/paste the entire contents inside the QUOTE box below and press the OK button.

regedit /e registry.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

Now a secure backup copy has been made, I want you to download and run the attached file called regfix.reg. Please download it and save the file to your Desktop.
Attached file: regfix.reg (147 bytes)
Now go to the Desktop and double-click regfix.reg. When prompted to merge its contents to the registry, click the Yes button.
WARNING: The above file (registry script) was created specifically for this user. If you are not this user, do NOT download and run this reg script as it could damage the workings of your system.

Step #6: SmitfraudFix scan
If not already downloaded, please download SmitfraudFix by S!Ri
Download SmitfraudFix (SmitfraudFix.exe)

Once downloaded, double-click SmitfraudFix.exe to run SmitfraudFix.
Select option #1 - Search by typing 1 and press Enter; a text file will appear which lists infected files (if present).
Please copy/paste the entire contents of that report into your next reply.

NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.WEB, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Step #7: ComboFix scan
Please download ComboFix and save it to your Desktop.
Download ComboFix (ComboFix.exe)

When the file has finished downloading double-click ComboFix.exe to launch the application and follow the on-screen prompts.
When finished, it shall produce a log for you: ComboFix.txt. Post that log in your next reply.

NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!

Step #8: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- the SmitfraudFix report
- ComboFix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

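Step #5 above exports the SharedTaskScheduler key with regedit /e before a fix script is merged. Two things a practitioner wants at that point: proof that the backup actually captured the key, and a clear picture of what a value-deleting .reg script looks like. The Python below is an added example, not part of this thread and not the attached regfix.reg (whose contents are not shown here). It parses the format regedit /e writes (a UTF-16 byte-order mark, a version banner, a [key] header and "name"="value" lines), compares the key's entries against a known-good baseline, and builds a deletion script for whatever is not on that baseline. The sample export is constructed: the rogue value is the one SmitFraudFix reported above, while the other two values are assumed to be Windows XP's defaults for this key; all function names are mine.

```python
import codecs
import re
from typing import Dict, List, Tuple

STS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\SharedTaskScheduler")

# Constructed sample of what `regedit /e registry.reg "<STS_KEY>"` writes on XP:
# a UTF-16LE byte-order mark, a version banner, then the key and its values.
# The third value is the entry SmitFraudFix reported in this thread; the first
# two are assumed to be the defaults XP installs (they are not in the thread).
SAMPLE_REG = codecs.BOM_UTF16_LE + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    f"[{STS_KEY}]\r\n"
    '"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"\r\n'
    '"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"\r\n'
    '"{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8 jf8e"\r\n'
    "\r\n"
).encode("utf-16-le")

# Assumed-good baseline for this key. CLSIDs are compared upper-cased because
# exports and logs mix "11d2" and "11D2" style hex.
KNOWN_GOOD = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",
}

# "name"=value or @=value (the key's default value)
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(data: bytes) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key: {value name: value}}.

    String and dword values are decoded, "name"=- is recorded as None (the
    deletion marker used in fix scripts); hex: data is kept as its raw text.
    """
    if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        text = data.decode("utf-16")        # version 5.00 exports
    else:
        text = data.decode("latin-1")       # REGEDIT4-style ANSI exports
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            # [-key] deletes a whole key on merge; it carries no values of its own
            current = None if line.startswith("[-") else line[1:-1]
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value: object = _unescape(rhs[1:-1])
        elif rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        elif rhs == "-":
            value = None
        else:
            value = rhs
        keys[current][name] = value
    return keys


def unknown_shared_tasks(data: bytes) -> List[Tuple[str, object]]:
    """(CLSID, display name) for every SharedTaskScheduler entry not on the baseline."""
    entries = parse_reg(data).get(STS_KEY, {})
    return [(clsid, name) for clsid, name in entries.items()
            if clsid.upper() not in KNOWN_GOOD]


def deletion_script(key: str, value_names: List[str]) -> str:
    """Build a .reg script that removes the named values when merged ("name"=- lines).

    Shows the shape of such a fix only; it is not the regfix.reg attached above.
    """
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [f'"{name}"=-' for name in value_names]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    rogue = unknown_shared_tasks(SAMPLE_REG)
    for clsid, name in rogue:
        print(f"not on baseline: {clsid} = {name!r}")
    print(deletion_script(STS_KEY, [clsid for clsid, _ in rogue]))
```

Run it against the real registry.reg from Step #5 by reading the file as bytes; if parse_reg returns no SharedTaskScheduler key, the export did not work and nothing should be merged yet. The baseline approach is deliberate: a display name like "Fdjskie8 jf8e" is obviously wrong to a human, but a script should flag anything that is not on the known-good list rather than try to judge names, and the same parser reads the fix script back so you can see exactly which values a merge will remove.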

#12 hastinmw (Topic Starter)

Posted 01 June 2007 - 04:28 PM

I will be away from this system for the weekend. Thanks for all of your help. I will get back here on Monday.

#13 htv8

Posted 01 June 2007 - 04:34 PM

No problem. I'm looking forward to your reply.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#14 hastinmw (Topic Starter)

Posted 04 June 2007 - 10:42 AM

Well I am back at it on Monday. Here are the log files you requested.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 12:06:33 PM 6/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\bdihwnmi.dll
C:\WINDOWS\System32\dcbeg.bak1
C:\WINDOWS\System32\dcbeg.bak2
C:\WINDOWS\System32\dcbeg.ini
C:\WINDOWS\System32\dcbeg.ini2
C:\WINDOWS\System32\dcbeg.tmp
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\System32\gebcd.dll
C:\WINDOWS\system32\imnwhidb.ini
C:\WINDOWS\system32\koloaflw.dll
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\wlfaolok.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bdihwnmi.dll
C:\WINDOWS\system32\bdihwnmi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.bak1
C:\WINDOWS\System32\dcbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.bak2
C:\WINDOWS\System32\dcbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.ini
C:\WINDOWS\System32\dcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.ini2
C:\WINDOWS\System32\dcbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dcbeg.tmp
C:\WINDOWS\System32\dcbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\gebcd.dll
C:\WINDOWS\System32\gebcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\imnwhidb.ini
C:\WINDOWS\system32\imnwhidb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\koloaflw.dll
C:\WINDOWS\system32\koloaflw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\ssttq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\ssttu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wlfaolok.ini
C:\WINDOWS\system32\wlfaolok.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 3:55:04 PM 6/1/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\gcxmmjho.dll
C:\WINDOWS\system32\gcxmmjho.dll Has been deleted!

Performing Repairs to the registry.
Done!



SmitFraudFix v2.189

Scan done at 10:20:15.00, Mon 06/04/2007
Run from H:\Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Jason\Application Data\U3\0000060423046200\LaunchPad.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jason\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 190.1.1.15

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3DF28017-8F70-4339-B3DC-EE3BD23CA6A0}: DhcpNameServer=190.1.1.15
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3DF28017-8F70-4339-B3DC-EE3BD23CA6A0}: DhcpNameServer=190.1.1.15
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3DF28017-8F70-4339-B3DC-EE3BD23CA6A0}: DhcpNameServer=190.1.1.15
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=190.1.1.15
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=190.1.1.15
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=190.1.1.15


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Next -

"Jason" - 2007-06-04 10:25:23 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Program Files\HiJackThis\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gkcdufwa.dll
C:\WINDOWS\system32\kxlyylel.dll
C:\WINDOWS\system32\ysnlukwk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe"
"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
"C:\WINDOWS\system32\1_exception.nls"
"C:\WINDOWS\system32\AlxRes070429.exe"
"C:\WINDOWS\system32\scrsys070429.scr"
"C:\WINDOWS\system32\winsys32_070429.dll"
"C:\WINDOWS\n.exe"
"C:\WINDOWS\system32\RunOnce2.tm_"
"C:\WINDOWS\system32\RunOnce2.t__"
"C:\Documents and Settings\Jason\ie_updater.exe"
"C:\WINDOWS\system32\winupd_KB33674268.exe"
"C:\WINDOWS\system32\winupd_KB55521495.exe"
"C:\WINDOWS\system32\wnscpiit.exe"
"C:\WINDOWS\764.exe"
"C:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\Temp\17O7\tmpTF.log"
"C:\Program Files\install.log"
"C:\WINDOWS\system32\mywebhit.ini"
"C:\WINDOWS\system32\mywebhit.ini.tmp"
"C:\WINDOWS\installreg.exe"
"C:\WINDOWS\mydown_tmp.txt"
"C:\WINDOWS\mywinsys.ini"
"C:\WINDOWS\sysdn.ini"
"C:\WINDOWS\system32\wmvds32.dll"
"C:\Documents and Settings\All Users.\documents\settings"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\wsnpoem"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"

-- Purity Folders:

C:\WINDOWS\CURITY~1
C:\WINDOWS\PPPATC~1
C:\DOCUME~1\Jason\APPLIC~1\PPPATC~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME
-------\RpcApi


((((((((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 ))))))))))))))))))))))))))))))))))


2007-06-04 10:18 670 --a------ C:\Documents and Settings\Jason\registry.reg
2007-06-04 10:18 670 --a------ C:\DOCUME~1\Jason\registry.reg
2007-06-01 14:19 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Google
2007-06-01 12:27 2,236 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-01 12:06 <DIR> d-------- C:\VundoFix Backups
2007-05-31 12:47 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-05-31 12:47 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-05-31 12:47 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-05-31 12:47 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-05-31 12:47 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-05-31 12:47 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-05-31 12:47 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-05-31 12:47 <DIR> d-------- C:\Program Files\Sygate
2007-05-31 11:12 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-31 10:03 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-05-31 10:03 <DIR> d-------- C:\Program Files\CONEXANT
2007-05-31 08:09 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-30 10:41 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-30 10:40 <DIR> d-------- C:\WINDOWS\peernet
2007-05-30 10:33 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-05-30 10:33 <DIR> d-------- C:\WINDOWS\EHome
2007-05-30 10:01 524,288 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-25 19:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-23 16:35 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-05-21 21:06 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-18 20:51 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-18 20:36 <DIR> d-------- C:\WINDOWS\provisioning
2007-05-18 20:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-05-18 20:28 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-18 20:10 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-05-18 20:10 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2007-05-18 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-18 16:01 12,965 --a------ C:\WINDOWS\system32\KB_963493.exe
2007-05-17 19:02 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\ErrorProtector Free
2007-05-17 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-17 18:45 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-17 18:44 <DIR> d-------- C:\Program Files\CCleaner
2007-05-17 18:36 <DIR> d-------- C:\Program Files\Common Files\ErrorProtector Free
2007-05-17 18:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-05-17 18:29 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-05-17 18:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-16 16:14 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-16 16:14 <DIR> d-------- C:\Temp
2007-05-15 15:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 19:11:53 -------- d-----w C:\DOCUME~1\Jason\APPLIC~1\U3
2007-05-30 15:41:38 -------- d-----w C:\Program Files\Common Files\Motive
2007-05-30 15:24:57 -------- d-----w C:\Program Files\Windows NT
2007-05-30 15:24:43 -------- d-----w C:\Program Files\Movie Maker
2007-05-30 15:23:44 -------- d-----w C:\Program Files\Messenger
2007-05-30 15:21:04 -------- d-----w C:\Program Files\SpamBlockerUtility
2007-05-30 15:20:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 21:38:46 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-05-02 19:16:18 7,680 ----a-w C:\WINDOWS\system32\nwizwmgjs.dll
2007-05-01 01:54:35 20 ----a-w C:\WINDOWS\hosts.dat
2007-05-01 01:31:37 -------- d-----w C:\Program Files\Google
2007-05-01 01:31:14 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-30 20:45:14 -------- d-----w C:\DOCUME~1\Jason\APPLIC~1\Starware343
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 03:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-12 16:45:49 -------- d-----w C:\Program Files\Play65
2007-04-02 22:30:54 4,096 ----a-w C:\WINDOWS\d3dx.dat
2007-03-19 18:30:06 60,928 ----a-w C:\WINDOWS\system32\upt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-04-02 14:40 C:\WINDOWS\system32\nwiz.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 10:50]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 23:53]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 14:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 13:14]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 15:14]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-31 08:31]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-30 17:24]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-01 20:49:00 C:\WINDOWS\tasks\HP Usg Daily FY04.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 10:27:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-04 10:29:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 10:29

--- E O F ---

Last one -

Logfile of HijackThis v1.99.1
Scan saved at 10:32:36 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\FluffyBunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119721320499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179537590030
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Thanks again for looking at this headache.

#15 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:39 PM

Posted 05 June 2007 - 12:16 PM

Hello again, hastinmw.
________________________________________________________________________________
Due to the status of some of the files you have/had on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the Internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable--for email, banks, eBay, forums, etc. Do not change passwords or do any financial transactions while using the infected computer because the attacker may get the new passwords and transaction information. It would be wise to contact your financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?.


Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: SDFix
Download SDFix by clicking the download link below and save it to your Desktop.
Download SDFix (SDFix.exe)

Once downloaded, double-click SDFix.exe and it will extract the files to %systemdrive%, the drive that contains the Windows directory (typically C:\SDFix). Do NOT use SDFix yet.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


When in Safe Mode, please follow these steps:
1. Open the SDFix folder and double-click RunThis.bat to start the script.
2. Type Y to begin the cleanup process.
SDFix will remove any trojan services or registry entries that it finds and prompt you to press any key to reboot.
3. Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process.
4. When it then displays "Finished!", press any key to end the script and load your Desktop icons.
Once the Desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to the clipboard ready for posting back on the forum.)
5. Please copy and paste the entire contents of the results file (Report.txt) in your next reply.

Step #2: ComboFix
Please download the latest version of ComboFix to your Desktop. Delete any copies of ComboFix.exe that you have saved.
Download ComboFix (ComboFix.exe)

When the file has finished downloading double-click ComboFix.exe to launch the application and follow the on-screen prompts.
When finished, it shall produce a log for you: ComboFix.txt. Post that log in your next reply.

NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!

Step #3: exportRpcApi.bat execution
I have attached a file called exportRpcApi.bat.
Please download it and save the file to your Desktop.
Attached File: exportRpcApi.bat (122 bytes)
Now go to the Desktop and double-click exportRpcApi.bat. Notepad will now open up with the results (some text and numbers). Copy the entire contents of that file and post them here as a reply to this post.

Step #4: uninstall list creation
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save.
Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

Step #5: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
________________________________________________________________________________
So in your next reply, please post the entire contents of:
- the SDFix report (Report.txt)
- the newly created ComboFix log
- the exportRpcApi.bat execution results
- the created uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
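The checks htv8 applies by eye to a HijackThis log (which startup entries and services run from where, and which services have no identifiable owner) can be partly automated before a helper looks at the log. The script below is an added example written for this thread; it is not code from HijackThis, SDFix or ComboFix, and the log lines inside it are constructed to mirror the format of the logs posted above (the `sysupd` Run entry is invented to show a hit, and is not something from hastinmw's log). It parses the R/F/N/O entry lines, pulls out the file path each entry points at, and flags the entries a helper would want to look at first: a service listed with "Unknown owner", an autostart or service that runs from outside the Windows and Program Files trees, anything running from a user-writable location such as a Temp folder, and Run entries that give only a bare file name so the real file has to be located through the search path. The trusted-directory list and the flag names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis entry line: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", the rest.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# First Windows path in the body, up to a typical program/library extension.
# Non-greedy so paths with spaces ("C:\Program Files\...\x.exe") still end at x.exe.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|bat|sys|cpl|ocx|scr|pif)\b", re.IGNORECASE)

# Assumption: where legitimately installed software normally lives on a Windows XP box.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Locations any user (and so any malware running as that user) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\application data\\")

# Constructed sample in HijackThis 1.99.1 format; the [sysupd] line is invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\Owner\Local Settings\Temp\sysupd.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119721320499
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class HjtEntry:
    code: str                 # section code, e.g. "O4" or "O23"
    body: str                 # everything after "code - "
    path: Optional[str]       # first drive-letter path found in the body, if any
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the R/F/N/O lines of a HijackThis log into entries; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("code"), body, pm.group(0) if pm else None))
    return entries


def flag_entry(e: HjtEntry) -> List[str]:
    """Return the review flags for one entry; an empty list means nothing stood out."""
    flags = []
    if e.code == "O23" and "Unknown owner" in e.body:
        flags.append("service-unknown-owner")      # no publisher in the binary's version info
    if e.code in ("O4", "O20", "O23"):              # autostarts, Winlogon notify DLLs, services
        if e.path is None:
            flags.append("bare-filename")           # must be resolved via the search path
        else:
            p = e.path.lower()
            if not p.startswith(TRUSTED_DIRS):
                flags.append("outside-standard-dirs")
            if any(marker in p for marker in USER_WRITABLE_MARKERS):
                flags.append("user-writable-location")
    return flags


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Attach flags to every entry and return only the entries that got at least one."""
    for e in entries:
        e.flags = flag_entry(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.code:<4} {', '.join(e.flags):<42} {e.body}")
```

Run as-is it reports three entries from the constructed log: the `[nwiz]` Run entry (bare file name), the invented `[sysupd]` entry (outside the standard directories and under a Temp folder) and the nhksrv service (unknown owner). A flag is a reason to look, not a verdict: nwiz.exe and nhksrv.exe are the NVIDIA and Netropa components that appear in the log above, and the point of the script is to shorten the list a human has to check against known-good file names and publishers.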




