Kbdhci.dll + Vtsqqqp.dll


  • This topic is locked
18 replies to this topic

#1 rick213

  • Members
  • 15 posts
  • Gender:Male

Posted 05 June 2007 - 05:36 AM

Hello. I've tried so hard to get rid of these infected files. No luck. I'm pretty sure they keep loading on start up. I had a bunch of pop-up ads that I've been able to suppress by disabling my BHOs. I've used so many different scans that don't detect it. I've used KillBox to try to delete them. Nothing. I've tried cancelling processes too. The only thing left is to edit the registry. I don't want to mess up my computer. I'll let an expert look at my log file. By the way, I'm new here; am I posting this right?




Logfile of HijackThis v1.99.1
Scan saved at 6:27:29 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.RICK\My Documents\PROGRAMS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankofamerica.com/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {f1587350-f234-4be7-a1f4-5dd7cb129a01} - C:\WINDOWS\system32\kbdhci.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqp.dll
O20 - Winlogon Notify: kbdhci - C:\WINDOWS\SYSTEM32\kbdhci.dll
O20 - Winlogon Notify: MP4nds - MP4nds.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 June 2007 - 06:41 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: (no name) - {f1587350-f234-4be7-a1f4-5dd7cb129a01} - C:\WINDOWS\system32\kbdhci.dll
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqp.dll
O20 - Winlogon Notify: kbdhci - C:\WINDOWS\SYSTEM32\kbdhci.dll
O20 - Winlogon Notify: MP4nds - MP4nds.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!


Don't worry if you receive an error in HijackThis, or some entries won't get fixed yet. Just proceed with my next step..

Then:
* Download ComboFix to your desktop.
* Double-click combofix.exe.
* Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rick213

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male


Posted 05 June 2007 - 11:37 PM

OK, I did it. Kind of. HJT gave me an error 5 message for vtsqqqp.dll, so that's still there. Then I think ComboFix got kbdhci.dll, but it reproduced under dbm11n.dll; I had to disable the BHO again. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:58 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.RICK\My Documents\PROGRAMS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {da370bf6-615f-4e6d-a4a8-344ced387768} - C:\WINDOWS\system32\dbm11N.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\dbm11N.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\dbm11N.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\dbm11N.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\dbm11N.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqp.dll
O20 - Winlogon Notify: dbm11N - C:\WINDOWS\SYSTEM32\dbm11N.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Here's the ComboFix log:

"Owner" - 2007-06-05 23:40:08 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Owner.RICK\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kbdhci.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-05 04:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\.housecall6.6
2007-06-05 03:54 <DIR> d-------- C:\highjack_this
2007-06-05 03:50 106 --a------ C:\delete.bat
2007-06-05 00:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-04 23:02 47,907 --a------ C:\WINDOWS\system32\gebcd.exe
2007-06-04 03:27 <DIR> d-------- C:\!KillBox
2007-06-03 20:14 <DIR> d-------- C:\VundoFix Backups
2007-06-03 05:07 <DIR> d-------- C:\HijackThis
2007-06-03 04:50 2,560 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp57.tmp.exe
2007-06-03 04:46 50,970 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp52.tmp.exe
2007-06-03 03:44 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-03 03:02 2,560 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp190.tmp.exe
2007-06-02 16:39 233,163 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp119.tmp.exe
2007-06-02 16:38 50,970 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp117.tmp.exe
2007-06-02 10:07 233,315 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp65.tmp.exe
2007-06-02 10:06 50,970 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp61.tmp.exe
2007-06-02 09:40 2,560 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5F.tmp.exe
2007-06-02 09:38 233,268 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5E.tmp.exe
2007-06-01 05:28 50,879 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BD.tmp.exe
2007-06-01 05:28 233,684 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BF.tmp.exe
2007-06-01 04:49 233,684 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp182.tmp.exe
2007-06-01 04:47 50,879 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp180.tmp.exe
2007-06-01 02:49 <DIR> d-------- C:\WINDOWS\system32\drivers\AU_Backup
2007-05-31 22:52 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-31 22:52 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-31 22:52 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-31 22:52 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-31 22:52 <DIR> d-------- C:\Program Files\Webroot
2007-05-31 22:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-31 22:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-31 22:50 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Webroot
2007-05-31 21:44 <DIR> d-------- C:\info
2007-05-31 21:42 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-05-31 21:42 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-31 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-05-31 21:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-05-31 09:17 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-05-31 09:17 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-05-31 09:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-31 09:09 2,560 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp66.tmp.exe
2007-05-31 09:09 1,101,623 --a------ C:\WINDOWS\lnoonn.ini.ren
2007-05-31 05:57 50,970 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5A.tmp.exe
2007-05-31 05:57 233,254 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5C.tmp.exe
2007-05-31 05:44 233,254 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp58.tmp.exe
2007-05-31 05:42 233,002 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp56.tmp.exe
2007-05-31 05:07 233,254 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp46.tmp.exe
2007-05-31 05:06 50,986 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp41.tmp.exe
2007-05-31 04:40 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Lavasoft
2007-05-31 04:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-31 04:33 233,254 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp39.tmp.exe
2007-05-31 04:32 50,986 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp37.tmp.exe
2007-05-31 04:18 233,254 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp33.tmp.exe
2007-05-31 04:17 50,986 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp3.tmp.exe
2007-05-31 03:47 233,305 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp71.tmp.exe
2007-05-31 03:30 50,974 --a------ C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp6F.tmp.exe
2007-05-31 03:30 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-05-31 02:59 12,494 --a------ C:\WINDOWS\system32\vtsqqqp.dll
2007-05-30 05:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-05-30 03:34 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Azureus
2007-05-30 03:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-18 14:53 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Opera


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 03:47:36 37,437 ----a-w C:\WINDOWS\system32\dbm11N.dll
2007-06-06 03:47:29 47,899 ----a-w C:\WINDOWS\system32\sstqq.exe
2007-05-31 06:44:53 -------- d-----w C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\LimeWire
2007-05-30 09:20:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 05:56]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-02-14 21:05]
{da370bf6-615f-4e6d-a4a8-344ced387768}=C:\WINDOWS\system32\dbm11N.dll [2007-06-05 23:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 01:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 11:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 11:47]
"@"="" []
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 21:57]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 23:12]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-01-22 01:49]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbm11N]
dbm11N.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\vtsqqqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 23:46:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dbm11N.dll
C:\WINDOWS\system32\sstqq.exe

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-06-05 23:50:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-05 23:50

--- E O F ---

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2007 - 12:27 AM

Hi,

Please don't disable the BHO all the time, because if you do, it will just place itself under another Internet Explorer extension - and I see it used legit extensions, where it has now added itself under them.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\gebcd.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp57.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp52.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp190.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp119.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp117.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp65.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp61.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5F.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5E.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BD.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BF.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp182.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp180.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp66.tmp.exe
C:\WINDOWS\lnoonn.ini.ren
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5A.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5C.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp58.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp56.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp46.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp41.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp39.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp37.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp33.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp71.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp6F.tmp.exe
C:\WINDOWS\system32\vtsqqqp.dll
C:\WINDOWS\system32\dbm11N.dll
C:\WINDOWS\system32\sstqq.exe

Folder::
C:\!KillBox
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}]
"CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"clsidExtension"="{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
"MenuCustomize"="Tools"
"MenuText"="Create Mobile Favorite..."
"MenuStatusBar"="Create Mobile Favorite of this page."
"ButtonText"="Create Mobile Favorite"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\InprocServer32]
@="C:\\PROGRA~1\\MI3AA1~1\\INetRepl.dll"
"ThreadingModel"="Apartment"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da370bf6-615f-4e6d-a4a8-344ced387768}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbm11N]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging ComboFix-Do.txt onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edit: you said previously you have been deleting entries from the registry. I really hope you didn't delete any legit ones..

Edited by miekiemoes, 06 June 2007 - 12:44 AM.

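The behaviour miekiemoes describes (the same infection coming back under a new DLL name, and hiding under the CLSID of a legitimate extension) can be checked mechanically by diffing the two HijackThis logs in this thread. The script below is an added example, not code from the thread, HijackThis or ComboFix; its sample lines are constructed from the logs posted above, and the heuristics about which entry types deserve a second look are the editor's assumption, not an authoritative ruleset.

```python
"""Triage HijackThis log entries as the thread's helper did, and diff two logs."""
import ntpath
import re

# Constructed sample (added example): a subset of rick213's first log, before the fix.
LOG_BEFORE = r"""
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O2 - BHO: (no name) - {f1587350-f234-4be7-a1f4-5dd7cb129a01} - C:\WINDOWS\system32\kbdhci.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqp.dll
O20 - Winlogon Notify: kbdhci - C:\WINDOWS\SYSTEM32\kbdhci.dll
O20 - Winlogon Notify: MP4nds - MP4nds.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: the same entry types from the second log, after the first ComboFix run.
LOG_AFTER = r"""
O2 - BHO: (no name) - {da370bf6-615f-4e6d-a4a8-344ced387768} - C:\WINDOWS\system32\dbm11N.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\dbm11N.dll
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqp.dll
O20 - Winlogon Notify: dbm11N - C:\WINDOWS\SYSTEM32\dbm11N.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse(log):
    """Turn HijackThis lines into dicts: section code, CLSID (if any), target path."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        # HijackThis prints the target file last, after " - "; single-field
        # lines (Hosts, AppInit_DLLs) carry it after the first ": ".
        target = body.rsplit(" - ", 1)[-1] if " - " in body else body.split(": ", 1)[-1]
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,
            "path": target.strip().lower(),
            "line": raw.strip(),
        })
    return entries


def flag_entries(entries):
    """Single-log heuristics (assumed, not an authoritative ruleset) covering the
    entry types the helper told rick213 to fix. Returns (line, reason) pairs."""
    unnamed_bho_dlls = {ntpath.basename(e["path"])
                        for e in entries if e["code"] == "O2" and "(no name)" in e["body"]}
    findings = []
    for e in entries:
        body, path = e["body"], e["path"]
        if e["code"] == "O1":
            findings.append((e["line"], "hosts-file redirect of a search domain"))
        elif e["code"] == "O2" and "(no name)" in body and "system32" in path:
            findings.append((e["line"], "unnamed BHO loading from system32"))
        elif e["code"] == "O20" and body.startswith("AppInit_DLLs:") and path:
            # AppInit_DLLs are mapped into every process that loads user32.dll.
            findings.append((e["line"], "AppInit_DLLs set (injected into every user32 process)"))
        elif e["code"] == "O20" and body.startswith("Winlogon Notify:"):
            if "(file missing)" in body:
                findings.append((e["line"], "Winlogon Notify package points at a missing DLL"))
            elif ntpath.basename(path) in unnamed_bho_dlls:
                findings.append((e["line"], "same DLL is both an unnamed BHO and a Winlogon Notify package"))
    return findings


def diff_by_clsid(before, after):
    """CLSIDs present in both logs whose target DLL changed: the 'hides under a
    legit extension' behaviour the helper describes. Returns (clsid, old, new)."""
    old = {(e["code"], e["clsid"]): e["path"] for e in before if e["clsid"]}
    changed = []
    for e in after:
        key = (e["code"], e["clsid"])
        if e["clsid"] and key in old and old[key] != e["path"]:
            changed.append((e["clsid"], old[key], e["path"]))
    return changed


if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    for label, entries in (("before", before), ("after", after)):
        print(f"== {label} ==")
        for line, reason in flag_entries(entries):
            print(f"  [{reason}] {line}")
    for clsid, old_path, new_path in diff_by_clsid(before, after):
        print(f"CLSID {clsid} moved: {old_path} -> {new_path}")
```

On the sample logs the diff reports the "Create Mobile Favorite" CLSID moving from INetRepl.dll to dbm11N.dll, which is exactly the relocation the single-log heuristics would miss because the O9 entry itself looks legitimate.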

#5 rick213

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male


Posted 06 June 2007 - 01:50 AM

Wow :thumbsup: I think it worked. You gotta tell me how you got that. Do I enable my BHOs now?


Logfile of HijackThis v1.99.1
Scan saved at 2:40:16 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner.RICK\My Documents\PROGRAMS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


"Owner" - 2007-06-06 2:28:45 Service Pack 2 NTFS
Command switches used :: ""C:\Documents and Settings\Owner.RICK\My Documents\DOCUMENTS\combofix-do.txt""


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dbm11N.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\!KillBox
C:\!KillBox\Logs\kb.log
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp117.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp119.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp180.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp182.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp190.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BD.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp1BF.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp33.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp37.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp39.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp41.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp46.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp52.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp56.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp57.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp58.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5A.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5C.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5E.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp5F.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp61.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp65.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp66.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp6F.tmp.exe
C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\tmp71.tmp.exe
C:\VundoFix Backups
C:\WINDOWS\lnoonn.ini.ren
C:\WINDOWS\system32\dbm11N.dll
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\sstqq.exe
C:\WINDOWS\system32\vtsqqqp.dll


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-05 23:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 04:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\.housecall6.6
2007-06-05 03:54 <DIR> d-------- C:\highjack_this
2007-06-05 03:50 106 --a------ C:\delete.bat
2007-06-05 00:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-03 05:07 <DIR> d-------- C:\HijackThis
2007-06-03 03:44 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-01 02:49 <DIR> d-------- C:\WINDOWS\system32\drivers\AU_Backup
2007-05-31 22:52 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-31 22:52 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-31 22:52 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-31 22:52 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-31 22:52 <DIR> d-------- C:\Program Files\Webroot
2007-05-31 22:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-31 22:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-31 22:50 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Webroot
2007-05-31 21:44 <DIR> d-------- C:\info
2007-05-31 21:42 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-05-31 21:42 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-31 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-05-31 21:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-05-31 09:17 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-05-31 09:17 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-05-31 09:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-31 04:40 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Lavasoft
2007-05-31 04:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-31 03:30 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-05-30 05:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-05-30 03:34 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Azureus
2007-05-30 03:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-18 14:53 <DIR> d-------- C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\Opera


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 06:44:53 -------- d-----w C:\DOCUME~1\OWNER~1.RIC\APPLIC~1\LimeWire
2007-05-30 09:20:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 05:56]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-02-14 21:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 01:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 11:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 11:47]
"@"="" []
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-03-14 11:20]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 03:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 23:12]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-01-22 01:49]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 02:34:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-06 2:37:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 02:37

--- E O F ---

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:06:05 PM

Posted 06 June 2007 - 02:13 AM

Hi,

Your logs look clean again.

you gotta tell me how u got that. do i enable my BHOs now?

I don't know if you disabled legit BHOs as well, so in that case, enable them again.
The bad BHOs are already gone, since I created a regfix previously in the ComboFix-Do.txt to delete the bad ones... and restored the proper extension for your ActiveSync Favorite Synchronization, since it was "hijacked" as well.

How are things now?

#7 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 02:29 AM

I did a scan with Spy Sweeper, which had only been picking up spy/tracking cookies, but now it found trojan-downloader-ruin or something like that. I quarantined it. I'm doing a virus scan now with Trend Micro.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:06:05 PM

Posted 06 June 2007 - 02:31 AM

Scanners will still find leftovers though - this is normal. But this time they should be able to delete them.
Don't worry about the tracking cookies, everyone has them and they will always return - this all depends on what sites you visit.

#9 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 02:39 AM

How come it can pick it up now and not before? So what caused all those files to get infected? My scanners did not pick them up. How were you able to tell?

#10 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 02:42 AM

OK, I deleted it. Trojan-downloader-ruin, how bad is that?

Edited by rick213, 06 June 2007 - 02:49 AM.


#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:06:05 PM

Posted 06 June 2007 - 02:50 AM

Previously, the malware was locked/in use, so that's why scanners weren't able to remove it.
I am analyzing more than 20 different HijackThis logs every day, so for me, it's quite easy to recognise what malware is present and what steps should be done to get rid of it.
The reason why you got infected is most probably because you have been downloading/installing pirated software via p2p or via an illegal website... but I suspect p2p (Azureus or LimeWire here). In 90% of the cases, what you download via p2p is bundled with malware.
So when you run the application, it installs malware and downloads more malware again and again.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

trojan-downloader-ruin how bad is that?

It's not that bad - it just hijacks your search engines.

#12 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 03:07 AM

You're right. I tried to download an antivirus off LimeWire. It's incredible how you knew that. If I see anything else I'll post it right away.... Can you tell me why I wasn't able to delete vtsqqqp.dll? Was it Virtumonde?

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:06:05 PM

Posted 06 June 2007 - 03:29 AM

I can see everything in ComboFix logs - I see when malware was created and I can see what happened previously because of that.
Actually, to be honest - isn't that silly? You want an antivirus and get it from where you know you can get infected... :thumbsup:
If you can't pay for an antivirus - or don't want to pay for it, why not install a free alternative instead? Keep in mind, some free antivirus and antispyware programs are better than the ones you have to purchase.
You may want to read these latest tests: http://www.pcmag.com/article2/0,1895,2135092,00.asp
Full results: http://www.sunbelt-software.com/ihs/alex/m...ions_2007q2.htm
Also another trustworthy test: http://www.av-comparatives.org/

As you see, Avira is highly rated in both tests and... Avira is free: http://www.free-av.com/
I am using it as well, but the premium version (which is not free).

Not sure if your version of Spy Sweeper is also a pirated version or not, but I assume it is, since the trial version doesn't remove anything and I actually don't think you bought that one, since you're not afraid of using pirated software anyway.
Just to let you know that Spy Sweeper is a resource hog and, to be honest, I don't recommend it anymore either, because of this:
http://sunbeltblog.blogspot.com/2007/04/th...just-weird.html
I don't like their tactics - because that's the same as rogue so-called spyware scanners would do. But then again, that's my personal opinion.

can you tell me why i wasnt able to delete vtsqqqp.dll? was it virtumonde?

I rather think it was ConHook, but many target it as Virtumundo/Vundo since it acts the same and hooks under the Winlogon Notify and Explorer (BHO), and that's why it is difficult to delete. This is since winlogon.exe and explorer.exe are always in use, so files are locked under them. You can end the explorer.exe process, but you cannot end the winlogon.exe process by default, because you would get an alert/BSOD.
Anyway, ComboFix uses special methods to deal with them :flowers:
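The two replies above explain how the helper spotted the infection from the logs: loaders that hook Winlogon Notify or register as a BHO, living in system32 under randomly generated names such as vtsqqqp.dll. As an added example (not code from the original thread, nor part of HijackThis or ComboFix), here is a small Python triage script that parses O2/O4/O20 lines in HijackThis v1.99 format and flags two things: a file in system32 whose name looks machine-generated (almost no vowels or a long consonant run), and a Winlogon Notify package that is not in the set commonly present on a patched XP SP2 install. The sample lines are constructed: the Acrobat, Synaptics, WgaLogon and WRNotifier entries are copied from the clean log in this thread, the vtsqqqp.dll, sstqq.exe and dbm11N.dll entries are reconstructed from the ComboFix deletion list (the all-zero CLSID is a placeholder), and the Winlogon Notify baseline is an assumption about a typical patched XP SP2 box, not an authoritative list.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 format. The vtsqqqp/sstqq/dbm11N lines are
# reconstructed for this example and the all-zero CLSID is a placeholder.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vtsqqqp.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [sstqq] C:\WINDOWS\system32\sstqq.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: dbm11N - C:\WINDOWS\system32\dbm11N.dll
"""

# Line formats for the three entry types we care about.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$')

# Assumption: Winlogon Notify packages commonly present on a patched XP SP2 install
# (WgaLogon comes with Windows Genuine Advantage). Anything else is worth a look.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(stem: str) -> bool:
    """Heuristic: generated names have almost no vowels or a long consonant run."""
    letters = [c.lower() for c in stem if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.15 or CONSONANT_RUN.search(stem) is not None


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) entries as dicts."""
    entries: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append({"type": "O2", "name": m["name"], "path": m["path"]})
        elif m := O4_RE.match(line):
            entries.append({"type": "O4", "name": m["name"], "path": image_path(m["cmd"])})
        elif m := O20_RE.match(line):
            entries.append({"type": "O20", "name": m["name"], "path": m["path"]})
    return entries


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag entries that match either heuristic; each finding carries its reasons."""
    findings: List[Dict[str, object]] = []
    for entry in parse_entries(log_text):
        reasons: List[str] = []
        stem = ntpath.splitext(ntpath.basename(entry["path"]))[0]
        if "\\system32\\" in entry["path"].lower() and looks_random(stem):
            reasons.append("random-looking filename in system32")
        if entry["type"] == "O20" and entry["name"].lower() not in XP_NOTIFY_BASELINE:
            reasons.append("Winlogon Notify package not in the XP SP2 baseline")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:<4} {f['path']}  <- {'; '.join(f['reasons'])}")
```

Run against the sample, the script flags vtsqqqp.dll (BHO), sstqq.exe (Run key), dbm11N.dll (Winlogon Notify, both reasons) and WRLogonNTF.dll (Winlogon Notify only, because it is not in the baseline; it is Webroot's legitimate notifier, which is why the output is a review list rather than a verdict). The name heuristic is deliberately crude and is no substitute for checking the file's signature, vendor and creation time the way the ComboFix log above does.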

#14 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 03:44 AM

OK, thanks again. I actually bought this Spy Sweeper software and I bought Trend Micro for viruses. They recommended them to me at Best Buy, so I thought they must have been good. I'm going to check out those links you left me. Oh yeah, lol, deleted the trojan after quarantine. Really, thank you for your help.

#15 rick213

rick213
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2007 - 04:33 AM

Also, do you know if, after the ComboFix, it should put the Internet Explorer icon on my desktop?



