Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde


  • This topic is locked This topic is locked
8 replies to this topic

#1 siny

siny

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 06 June 2007 - 06:20 PM

Hello,

My computer is being slowed greatly with a lot of popups and i think it is being caused by virtumonde.

Logfile of HijackThis v1.99.1
Scan saved at 6:13:10 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Documents and Settings\Owner.Protector\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W6409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W6409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W6409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O1 - Hosts: 75.83.188.227 l2authd.lineage2.com
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\awtttur.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\histwxhi.dll
O2 - BHO: (no name) - {C25647EF-07E8-4A90-A156-713523579868} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C9905EF0-610F-4404-9030-A3F345D069F5} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {F0E62AFB-7A44-473F-A1C9-331EE31F84F1} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {F7883085-28BD-4CE2-AA40-DFCF1B3F8C70} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\jlkgnies.dll",realset
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AVG Anti-Spyware (2).lnk = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you in advance,
Siny

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:13 AM

Posted 07 June 2007 - 09:07 AM

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 siny

siny
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 07 June 2007 - 11:22 AM

Hello and thank you for your help,

Here is my hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:17:31 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner.Protector\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W6409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O1 - Hosts: 75.83.188.227 l2authd.lineage2.com
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\awtttur.dll (file missing)
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\histwxhi.dll
O2 - BHO: (no name) - {C25647EF-07E8-4A90-A156-713523579868} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: (no name) - {C9905EF0-610F-4404-9030-A3F345D069F5} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {F0E62AFB-7A44-473F-A1C9-331EE31F84F1} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {F7883085-28BD-4CE2-AA40-DFCF1B3F8C70} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AVG Anti-Spyware (2).lnk = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

and my combofix log

"Owner" - 2007-06-07 11:04:44 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Owner.Protector\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-06 18:03 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-06 18:03 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-06 18:03 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-06 18:02 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-06 18:02 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-06 18:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-06 17:04 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
2007-06-06 16:13 <DIR> d-------- C:\VundoFix Backups
2007-06-06 15:02 55,316 --a------ C:\WINDOWS\system32\histwxhi.dll
2007-06-06 14:51 59,392 --a------ C:\sgvxeehw.exe
2007-06-06 13:04 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\VersionTracker Pro
2007-06-06 12:58 <DIR> d-------- C:\ATI
2007-06-03 15:45 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 15:45 <DIR> dr-h----- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\SecuROM
2007-06-03 15:29 <DIR> d-------- C:\Program Files\CAPCOM
2007-05-29 15:00 153,925 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-21 19:16 <DIR> d-------- C:\Program Files\SEGA
2007-05-16 21:53 <DIR> d-------- C:\Program Files\ATI Technologies
2007-05-16 21:52 <DIR> d-------- C:\pnp
2007-05-16 16:03 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\CoreCodec
2007-05-16 16:02 <DIR> d-------- C:\Program Files\Haali
2007-05-16 16:02 <DIR> d-------- C:\Program Files\CoreCodec
2007-05-16 11:35 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-16 11:21 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\InstallShield
2007-05-16 11:17 <DIR> d-------- C:\Program Files\DX
2007-05-15 21:16 <DIR> d-------- C:\Program Files\Lineage II
2007-05-13 19:52 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-13 19:52 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-13 19:52 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-13 19:52 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-13 19:52 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-13 19:52 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-13 19:52 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-13 19:52 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-13 19:52 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-13 19:52 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-13 19:52 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-13 19:52 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-13 19:51 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-13 00:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Media Player Classic
2007-05-13 00:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\Shared
2007-05-13 00:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\Incomplete
2007-05-13 00:16 <DIR> d-------- C:\Program Files\LimeWire
2007-05-13 00:16 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\LimeWire
2007-05-13 00:09 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Azureus
2007-05-13 00:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-13 00:08 <DIR> d-------- C:\Program Files\Azureus


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 18:00:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 21:19:23 -------- d-----w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Ruckus Network
2007-06-04 16:47:46 -------- d-----w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\tunebite
2007-06-04 16:25:30 -------- d-----w C:\Program Files\Real
2007-06-03 22:33:52 -------- d-----w C:\Program Files\Cheat Engine
2007-05-13 20:00:12 -------- d-----w C:\Program Files\FlashGet
2007-05-02 05:39:06 -------- d-----w C:\Program Files\Trillian
2007-04-25 01:20:28 -------- d-----w C:\Program Files\Triggersoft
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 20:20:45 -------- d-----w C:\Program Files\e-Games
2007-04-08 05:42:20 684 ----a-w C:\WINDOWS\mozver.dat
2007-04-08 05:42:15 -------- d-----w C:\Program Files\DivX
2007-04-07 16:45:06 -------- d-----w C:\Program Files\MSN Messenger
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 01:23:40 0 ----a-w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 03:56]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{8A61098D-612B-4EF2-943D-64E920684061}=C:\WINDOWS\system32\awtttur.dll []
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}=C:\WINDOWS\system32\histwxhi.dll [2007-06-06 15:02]
{C25647EF-07E8-4A90-A156-713523579868}=C:\WINDOWS\system32\mljji.dll []
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 05:54]
{F0E62AFB-7A44-473F-A1C9-331EE31F84F1}=C:\WINDOWS\system32\awvvw.dll []
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]
{F7883085-28BD-4CE2-AA40-DFCF1B3F8C70}=C:\WINDOWS\system32\awtqn.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 17:34 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 20:43 C:\WINDOWS\Alcmtr.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 16:24]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-12 21:05]
"uhkxefqh.exe"="C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe" [2007-06-06 17:04]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\WINDOWS\system32\xxyyxwt.dll" []
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\system32\awtttur.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
winghy32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdd086d3-3e88-11db-b8e1-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-06-06 00:09:14 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 11:09:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 11:11:15

--- E O F ---

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:13 AM

Posted 07 June 2007 - 12:14 PM

Hello,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\histwxhi.dll
C:\sgvxeehw.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A61098D-612B-4EF2-943D-64E920684061}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C25647EF-07E8-4A90-A156-713523579868}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0E62AFB-7A44-473F-A1C9-331EE31F84F1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7883085-28BD-4CE2-AA40-DFCF1B3F8C70}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9905EF0-610F-4404-9030-A3F345D069F5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uhkxefqh.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"=-
"{8A61098D-612B-4EF2-943D-64E920684061}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 siny

siny
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 07 June 2007 - 12:41 PM

Hello,

Thank you again for your time, here are my new logs.


Logfile of HijackThis v1.99.1
Scan saved at 12:36:33 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner.Protector\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W6409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O1 - Hosts: 75.83.188.227 l2authd.lineage2.com
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AVG Anti-Spyware (2).lnk = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


"Owner" - 2007-06-07 12:24:27 Service Pack 2 NTFS
Command switches used :: ""C:\Documents and Settings\Owner.Protector\Desktop\ComboFix-Do.txt""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\uhkxefqh.exe
C:\sgvxeehw.exe
C:\VundoFix Backups
C:\VundoFix Backups\awtqn.dll.bad
C:\VundoFix Backups\awtsq.dll.bad
C:\VundoFix Backups\awtttur.dll.bad
C:\VundoFix Backups\awvvw.dll.bad
C:\VundoFix Backups\gebxwxv.dll.bad
C:\VundoFix Backups\ijjlm.bak1.bad
C:\VundoFix Backups\ijjlm.ini.bad
C:\VundoFix Backups\jlkgnies.dll.bad
C:\VundoFix Backups\mljji.dll.bad
C:\VundoFix Backups\nqtwa.bak1.bad
C:\VundoFix Backups\nqtwa.ini.bad
C:\VundoFix Backups\qstwa.ini.bad
C:\VundoFix Backups\seingklj.ini.bad
C:\VundoFix Backups\wvvwa.bak1.bad
C:\VundoFix Backups\wvvwa.ini.bad
C:\VundoFix Backups\xxyyxwt.dll.bad
C:\WINDOWS\system32\histwxhi.dll


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-07 11:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 18:03 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-06 18:03 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-06 18:03 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-06 18:02 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-06 18:02 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-06 18:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-06 13:04 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\VersionTracker Pro
2007-06-06 12:58 <DIR> d-------- C:\ATI
2007-06-03 15:45 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 15:45 <DIR> dr-h----- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\SecuROM
2007-06-03 15:29 <DIR> d-------- C:\Program Files\CAPCOM
2007-05-29 15:00 153,925 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-21 19:16 <DIR> d-------- C:\Program Files\SEGA
2007-05-16 21:53 <DIR> d-------- C:\Program Files\ATI Technologies
2007-05-16 21:52 <DIR> d-------- C:\pnp
2007-05-16 16:03 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\CoreCodec
2007-05-16 16:02 <DIR> d-------- C:\Program Files\Haali
2007-05-16 16:02 <DIR> d-------- C:\Program Files\CoreCodec
2007-05-16 11:35 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-16 11:21 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\InstallShield
2007-05-16 11:17 <DIR> d-------- C:\Program Files\DX
2007-05-15 21:16 <DIR> d-------- C:\Program Files\Lineage II
2007-05-13 19:52 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-13 19:52 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-13 19:52 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-13 19:52 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-13 19:52 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-13 19:52 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-13 19:52 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-13 19:52 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-13 19:52 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-13 19:52 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-13 19:52 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-13 19:52 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-13 19:51 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-13 00:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Media Player Classic
2007-05-13 00:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\Shared
2007-05-13 00:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\Incomplete
2007-05-13 00:16 <DIR> d-------- C:\Program Files\LimeWire
2007-05-13 00:16 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\LimeWire
2007-05-13 00:09 <DIR> d-------- C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Azureus
2007-05-13 00:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-13 00:08 <DIR> d-------- C:\Program Files\Azureus


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 18:00:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 21:19:23 -------- d-----w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\Ruckus Network
2007-06-04 16:47:46 -------- d-----w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\tunebite
2007-06-04 16:25:30 -------- d-----w C:\Program Files\Real
2007-06-03 22:33:52 -------- d-----w C:\Program Files\Cheat Engine
2007-05-13 20:00:12 -------- d-----w C:\Program Files\FlashGet
2007-05-02 05:39:06 -------- d-----w C:\Program Files\Trillian
2007-04-25 01:20:28 -------- d-----w C:\Program Files\Triggersoft
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 20:20:45 -------- d-----w C:\Program Files\e-Games
2007-04-08 05:42:20 684 ----a-w C:\WINDOWS\mozver.dat
2007-04-08 05:42:15 -------- d-----w C:\Program Files\DivX
2007-04-07 16:45:06 -------- d-----w C:\Program Files\MSN Messenger
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 01:23:40 0 ----a-w C:\DOCUME~1\OWNER~1.PRO\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 03:56]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 05:54]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 17:34 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 20:43 C:\WINDOWS\Alcmtr.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 12:28]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 16:24]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-12 21:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdd086d3-3e88-11db-b8e1-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-06-06 00:09:14 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 12:32:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 12:34:39
C:\ComboFix-quarantined-files.txt ... 2007-06-07 12:34
C:\ComboFix2.txt ... 2007-06-07 11:11

--- E O F ---

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:13 AM

Posted 07 June 2007 - 12:51 PM

Hi,

Your logs look clean again.

Delete next folder: C:\Qoobox

Check and fix next entries in HijackThis if you don't recognise them and didn't add them to your hosts file:

O1 - Hosts: 87.117.202.117 nprotect.roseonlinegame.com
O1 - Hosts: 75.83.188.227 l2authd.lineage2.com
O1 - Hosts: 207.210.93.28 game01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 game01.psobb.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.us.segaonline.jp
O1 - Hosts: 207.210.93.28 patch01.psobb.segaonline.jp

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 siny

siny
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 07 June 2007 - 01:08 PM

Hello,


Everything seems to be fine now thank you again. :thumbsup:

Siny

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:13 AM

Posted 07 June 2007 - 01:10 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:13 AM

Posted 08 June 2007 - 01:51 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users