Slow Computer, Constant Ie Popups And Random Dll Files Appearing As Trojans


7 replies to this topic

#1 muzzle811


  • Members
  • 5 posts

Posted 09 June 2007 - 04:31 PM

Hi, I was on a torrent site a while back and left my computer on the site and left. When I came back I was bogged down by spyware and adware. All my efforts to rid my computer of them have failed. It uses a lot of my resources, I keep getting IE popups (I use Firefox), I turned off my wuauclt.exe yet the process still runs, when I restart my computer in safe mode explorer keeps crashing, and my computer takes forever to start up. Also, I have AVG and whenever I start my computer I get threat warnings of dll files in the system32 folder with random names that are trojan 11.b. Please help!! I am a student and can barely even use my computer for homework. Here is my HijackThis file.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:55 AM, on 1/1/2000
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\HPZipm12.exe
C:\windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My bleep 2\Other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\windows\system32\apxwbyue.dll",realset
O4 - HKLM\..\Run: [j5211834] rundll32 C:\windows\system32\j5211834.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Controls] C:\\WINDOWS\\system32\\00THotkey.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143698624040
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\windows\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
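The log above is what the helper reads by hand in the next reply. As an added example (not code from the original post and not HijackThis' own), the Python below encodes the checks a reviewer applies to such a log: Run entries that use rundll32 to load a DLL from disk, BHO and Winlogon Notify entries whose DLL is already missing, and Trusted Zone additions. The sample lines are constructed from this thread's log; the severity levels and the 5-8 character generated-name heuristic are my assumptions.

```python
"""Triage rules for HijackThis log lines.

Added example for this thread; it is not HijackThis' own code and was not
part of the original post. It encodes what a helper looks for in the log
above: Run entries that use rundll32 to load a DLL with a generated-looking
name, BHO and Winlogon Notify entries whose DLL is already gone, and sites
added to the Trusted Zone.
"""
import re
import sys
from collections import Counter

# Constructed sample modelled on the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\windows\system32\apxwbyue.dll",realset
O4 - HKLM\..\Run: [j5211834] rundll32 C:\windows\system32\j5211834.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O15 - Trusted Zone: *.sxload.net (HKLM)
O20 - Winlogon Notify: avgwlntf - C:\windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
"""

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")          # "O4 - HKLM\..\Run: ..."
RUNDLL = re.compile(r"\brundll32(?:\.exe)?\b", re.I)
DLL_ARG = re.compile(r'([^"\s,]+\.dll)', re.I)      # first DLL path on the line
GENERATED = re.compile(r"^[a-z0-9]{5,8}$")          # assumed heuristic: 5-8 char lowercase stems
MISSING = ("(file missing)", "(no file)")


def dll_stem(body):
    """Return the lowercase file stem of the first .dll on the line, or ''."""
    m = DLL_ARG.search(body)
    if m is None:
        return ""
    return m.group(1).rsplit("\\", 1)[-1][:-4].lower()


def triage(log_text):
    """Return a list of findings, each {'severity', 'section', 'reason', 'line'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m is None:
            continue
        section, body = m.groups()
        if section == "O4" and RUNDLL.search(body):
            stem = dll_stem(body)
            # rundll32 autoruns have legitimate uses; a generated-looking stem is the strong signal
            severity = "high" if GENERATED.match(stem) else "medium"
            reason = f"Run entry uses rundll32 to load {stem or '?'}.dll"
        elif section in ("O2", "O20") and any(tag in body for tag in MISSING):
            severity = "high" if section == "O20" else "medium"   # Winlogon Notify DLLs load into winlogon
            reason = "entry references a DLL that no longer exists (orphaned hook)"
        elif section == "O15":
            severity = "medium"
            reason = "site added to the Trusted Zone; confirm it was intentional"
        else:
            continue
        findings.append({"severity": severity, "section": section, "reason": reason, "line": line})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    # Pass a saved hijackthis.log as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f['severity']:6}] {f['section']:<4} {f['reason']}\n         {f['line']}")
```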


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 June 2007 - 06:54 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, muzzle811 :thumbsup:

First of all please delete:
C:\My bleep 2\Other\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

**************************

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

**************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

**************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', then rename it to abc.bat.
Double click on abc.bat (which is still Hijackthis.exe) and post that log into your next reply please.

#3 muzzle811

  • Topic Starter

  • Members
  • 5 posts

Posted 26 June 2007 - 12:16 AM

OK, sorry for the delay, here are those logs:


VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:46:52 PM 6/24/2007

Listing files found while scanning....

C:\windows\system32\aftinweq.dll
C:\windows\system32\alssgqdj.dll
C:\windows\system32\axnvdflo.exe
C:\windows\system32\bhrnaphx.ini
C:\windows\system32\ciyusjop.dll
C:\windows\system32\dflcmcqo.ini
C:\windows\system32\dhbvygli.dll
C:\windows\system32\dlnerslf.ini
C:\windows\system32\dnjxopam.ini
C:\windows\system32\dnouqasn.dll
C:\windows\system32\dtsdslax.dll
C:\windows\system32\ewijanis.ini
C:\windows\system32\fkyfqmkw.ini
C:\windows\system32\flsrenld.dll
C:\windows\system32\furhpvaw.dll
C:\windows\system32\gkdwithn.dll
C:\windows\system32\gqealyqd.dll
C:\windows\system32\grfujfvo.dll
C:\windows\system32\hdrlbcsk.ini
C:\windows\system32\hishhbqw.dll
C:\windows\system32\hsdxajnv.exe
C:\windows\system32\ihbhpmos.dll
C:\windows\system32\iiiig.dll
C:\windows\system32\ijtvrbcq.dll
C:\windows\system32\ilgyvbhd.ini
C:\windows\system32\j5211834.dll
C:\windows\system32\jdqgssla.ini
C:\windows\system32\jdqgssla.tmp
C:\windows\system32\kscblrdh.dll
C:\windows\system32\kwyuthag.exe
C:\windows\system32\kxgtyhmx.ini
C:\windows\system32\ljybthcu.ini
C:\windows\system32\lkwxvejt.ini
C:\windows\system32\mapoxjnd.dll
C:\windows\system32\marviclq.dll
C:\windows\system32\meccsmol.exe
C:\windows\system32\mfatrhvm.ini
C:\windows\system32\mpxqxxqy.dll
C:\windows\system32\mtcusner.ini
C:\windows\system32\mtotqwfy.ini
C:\windows\system32\mvhrtafm.dll
C:\windows\system32\mwsufbmn.dll
C:\windows\system32\nhtiwdkg.ini
C:\windows\system32\nmbfuswm.ini
C:\windows\system32\oqcmclfd.dll
C:\windows\system32\qcbrvtji.ini
C:\windows\system32\qlcivram.ini
C:\windows\system32\rensuctm.dll
C:\windows\system32\roqbtadb.dll
C:\windows\system32\rsugdlym.dll
C:\windows\system32\sinajiwe.dll
C:\windows\system32\tjevxwkl.dll
C:\windows\system32\uchtbyjl.dll
C:\windows\system32\vgticnqi.dll
C:\windows\system32\wbieixit.exe
C:\windows\system32\wkmqfykf.dll
C:\windows\system32\wqbhhsih.ini
C:\windows\system32\xhpanrhb.dll
C:\windows\system32\xmhytgxk.dll
C:\windows\system32\yfwqtotm.dll
C:\windows\system32\yifrgkty.dll
C:\windows\system32\yqxxqxpm.ini
C:\windows\system32\ytkgrfiy.ini
C:\windows\system32\yvmtvkpc.dll
C:\windows\system32\ywldaocy.dll

Beginning removal...

Attempting to delete C:\windows\system32\aftinweq.dll
C:\windows\system32\aftinweq.dll Has been deleted!

Attempting to delete C:\windows\system32\alssgqdj.dll
C:\windows\system32\alssgqdj.dll Has been deleted!

Attempting to delete C:\windows\system32\axnvdflo.exe
C:\windows\system32\axnvdflo.exe Has been deleted!

Attempting to delete C:\windows\system32\bhrnaphx.ini
C:\windows\system32\bhrnaphx.ini Has been deleted!

Attempting to delete C:\windows\system32\ciyusjop.dll
C:\windows\system32\ciyusjop.dll Has been deleted!

Attempting to delete C:\windows\system32\dflcmcqo.ini
C:\windows\system32\dflcmcqo.ini Has been deleted!

Attempting to delete C:\windows\system32\dhbvygli.dll
C:\windows\system32\dhbvygli.dll Has been deleted!

Attempting to delete C:\windows\system32\dlnerslf.ini
C:\windows\system32\dlnerslf.ini Has been deleted!

Attempting to delete C:\windows\system32\dnjxopam.ini
C:\windows\system32\dnjxopam.ini Has been deleted!

Attempting to delete C:\windows\system32\dnouqasn.dll
C:\windows\system32\dnouqasn.dll Has been deleted!

Attempting to delete C:\windows\system32\dtsdslax.dll
C:\windows\system32\dtsdslax.dll Has been deleted!

Attempting to delete C:\windows\system32\ewijanis.ini
C:\windows\system32\ewijanis.ini Has been deleted!

Attempting to delete C:\windows\system32\fkyfqmkw.ini
C:\windows\system32\fkyfqmkw.ini Has been deleted!

Attempting to delete C:\windows\system32\flsrenld.dll
C:\windows\system32\flsrenld.dll Has been deleted!

Attempting to delete C:\windows\system32\furhpvaw.dll
C:\windows\system32\furhpvaw.dll Has been deleted!

Attempting to delete C:\windows\system32\gkdwithn.dll
C:\windows\system32\gkdwithn.dll Has been deleted!

Attempting to delete C:\windows\system32\gqealyqd.dll
C:\windows\system32\gqealyqd.dll Has been deleted!

Attempting to delete C:\windows\system32\grfujfvo.dll
C:\windows\system32\grfujfvo.dll Has been deleted!

Attempting to delete C:\windows\system32\hdrlbcsk.ini
C:\windows\system32\hdrlbcsk.ini Has been deleted!

Attempting to delete C:\windows\system32\hishhbqw.dll
C:\windows\system32\hishhbqw.dll Has been deleted!

Attempting to delete C:\windows\system32\hsdxajnv.exe
C:\windows\system32\hsdxajnv.exe Has been deleted!

Attempting to delete C:\windows\system32\ihbhpmos.dll
C:\windows\system32\ihbhpmos.dll Has been deleted!

Attempting to delete C:\windows\system32\iiiig.dll
C:\windows\system32\iiiig.dll Has been deleted!

Attempting to delete C:\windows\system32\ijtvrbcq.dll
C:\windows\system32\ijtvrbcq.dll Has been deleted!

Attempting to delete C:\windows\system32\ilgyvbhd.ini
C:\windows\system32\ilgyvbhd.ini Has been deleted!

Attempting to delete C:\windows\system32\j5211834.dll
C:\windows\system32\j5211834.dll Has been deleted!

Attempting to delete C:\windows\system32\jdqgssla.ini
C:\windows\system32\jdqgssla.ini Has been deleted!

Attempting to delete C:\windows\system32\jdqgssla.tmp
C:\windows\system32\jdqgssla.tmp Has been deleted!

Attempting to delete C:\windows\system32\kscblrdh.dll
C:\windows\system32\kscblrdh.dll Has been deleted!

Attempting to delete C:\windows\system32\kwyuthag.exe
C:\windows\system32\kwyuthag.exe Has been deleted!

Attempting to delete C:\windows\system32\kxgtyhmx.ini
C:\windows\system32\kxgtyhmx.ini Has been deleted!

Attempting to delete C:\windows\system32\ljybthcu.ini
C:\windows\system32\ljybthcu.ini Has been deleted!

Attempting to delete C:\windows\system32\lkwxvejt.ini
C:\windows\system32\lkwxvejt.ini Has been deleted!

Attempting to delete C:\windows\system32\mapoxjnd.dll
C:\windows\system32\mapoxjnd.dll Has been deleted!

Attempting to delete C:\windows\system32\marviclq.dll
C:\windows\system32\marviclq.dll Has been deleted!

Attempting to delete C:\windows\system32\meccsmol.exe
C:\windows\system32\meccsmol.exe Has been deleted!

Attempting to delete C:\windows\system32\mfatrhvm.ini
C:\windows\system32\mfatrhvm.ini Has been deleted!

Attempting to delete C:\windows\system32\mpxqxxqy.dll
C:\windows\system32\mpxqxxqy.dll Has been deleted!

Attempting to delete C:\windows\system32\mtcusner.ini
C:\windows\system32\mtcusner.ini Has been deleted!

Attempting to delete C:\windows\system32\mtotqwfy.ini
C:\windows\system32\mtotqwfy.ini Has been deleted!

Attempting to delete C:\windows\system32\mvhrtafm.dll
C:\windows\system32\mvhrtafm.dll Has been deleted!

Attempting to delete C:\windows\system32\mwsufbmn.dll
C:\windows\system32\mwsufbmn.dll Has been deleted!

Attempting to delete C:\windows\system32\nhtiwdkg.ini
C:\windows\system32\nhtiwdkg.ini Has been deleted!

Attempting to delete C:\windows\system32\nmbfuswm.ini
C:\windows\system32\nmbfuswm.ini Has been deleted!

Attempting to delete C:\windows\system32\oqcmclfd.dll
C:\windows\system32\oqcmclfd.dll Has been deleted!

Attempting to delete C:\windows\system32\qcbrvtji.ini
C:\windows\system32\qcbrvtji.ini Has been deleted!

Attempting to delete C:\windows\system32\qlcivram.ini
C:\windows\system32\qlcivram.ini Has been deleted!

Attempting to delete C:\windows\system32\rensuctm.dll
C:\windows\system32\rensuctm.dll Has been deleted!

Attempting to delete C:\windows\system32\roqbtadb.dll
C:\windows\system32\roqbtadb.dll Has been deleted!

Attempting to delete C:\windows\system32\rsugdlym.dll
C:\windows\system32\rsugdlym.dll Has been deleted!

Attempting to delete C:\windows\system32\sinajiwe.dll
C:\windows\system32\sinajiwe.dll Has been deleted!

Attempting to delete C:\windows\system32\tjevxwkl.dll
C:\windows\system32\tjevxwkl.dll Has been deleted!

Attempting to delete C:\windows\system32\uchtbyjl.dll
C:\windows\system32\uchtbyjl.dll Could not be deleted.

Attempting to delete C:\windows\system32\vgticnqi.dll
C:\windows\system32\vgticnqi.dll Has been deleted!

Attempting to delete C:\windows\system32\wbieixit.exe
C:\windows\system32\wbieixit.exe Has been deleted!

Attempting to delete C:\windows\system32\wkmqfykf.dll
C:\windows\system32\wkmqfykf.dll Has been deleted!

Attempting to delete C:\windows\system32\wqbhhsih.ini
C:\windows\system32\wqbhhsih.ini Has been deleted!

Attempting to delete C:\windows\system32\xhpanrhb.dll
C:\windows\system32\xhpanrhb.dll Has been deleted!

Attempting to delete C:\windows\system32\xmhytgxk.dll
C:\windows\system32\xmhytgxk.dll Has been deleted!

Attempting to delete C:\windows\system32\yfwqtotm.dll
C:\windows\system32\yfwqtotm.dll Has been deleted!

Attempting to delete C:\windows\system32\yifrgkty.dll
C:\windows\system32\yifrgkty.dll Has been deleted!

Attempting to delete C:\windows\system32\yqxxqxpm.ini
C:\windows\system32\yqxxqxpm.ini Has been deleted!

Attempting to delete C:\windows\system32\ytkgrfiy.ini
C:\windows\system32\ytkgrfiy.ini Has been deleted!

Attempting to delete C:\windows\system32\yvmtvkpc.dll
C:\windows\system32\yvmtvkpc.dll Has been deleted!

Attempting to delete C:\windows\system32\ywldaocy.dll
C:\windows\system32\ywldaocy.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\uchtbyjl.dll
C:\windows\system32\uchtbyjl.dll Has been deleted!

Performing Repairs to the registry.
Done!
-----------------------------------------------------------

"Shaya" - 2007-06-24 21:06:20 - ComboFix 07-06-26.4 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\windows\system32\jkhfd.dll
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\giiii.bak1
C:\WINDOWS\system32\giiii.bak2
C:\WINDOWS\system32\giiii.ini
C:\WINDOWS\system32\giiii.ini2
C:\WINDOWS\system32\giiii.tmp
C:\WINDOWS\system32\giiii.bak1
C:\WINDOWS\system32\giiii.bak2
C:\WINDOWS\system32\giiii.ini
C:\WINDOWS\system32\giiii.ini2
C:\WINDOWS\system32\giiii.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Shaya\APPLIC~1.\macromedia\Flash Player\#SharedObjects\XZ9XV6UL\www.broadcaster.com
C:\DOCUME~1\Shaya\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Shaya\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Shaya\MYDOCU~1.\racle~1
C:\DOCUME~1\Shaya\MYDOCU~1.\racle~1\w?auboot.exe
C:\DOCUME~1\Shaya\MYDOCU~1.\ymante~1
C:\Program Files\crosof~1.net
C:\Program Files\eqadvice
C:\Program Files\eqadvice\hf.txt
C:\Program Files\eqadvice\sf.txt
C:\Program Files\xloadnet
C:\windows\emdat.tm
C:\windows\ms0453517512162006.exe
C:\windows\ms0535175121652006.exe
C:\windows\system32\drivers\sfsync02.sys
C:\windows\timessquare1.dat
C:\windows\win320717512165352006.exe
C:\windows\win320951216535172006.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SFSYNC02
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-24 21:09 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-24 21:05 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 20:46 <DIR> d-------- C:\VundoFix Backups
2007-06-24 16:47 122,900 --a------ C:\WINDOWS\system32\nstvahls.exe
2007-06-24 03:38 122,900 --a------ C:\WINDOWS\system32\cvdwwhuf.exe
2007-06-23 03:38 122,900 --a------ C:\WINDOWS\system32\cxovkdsm.exe
2007-06-23 03:30 122,900 --a------ C:\WINDOWS\system32\pwfruhvn.exe
2007-06-23 00:42 122,900 --a------ C:\WINDOWS\system32\cdayhiib.exe
2007-06-22 00:42 122,900 --a------ C:\WINDOWS\system32\bmeswrof.exe
2007-06-21 13:10 4,628 --a------ C:\WINDOWS\system32\gidhutxb.exe
2007-06-21 13:09 122,900 --a------ C:\WINDOWS\system32\mcqrxrdu.exe
2007-06-09 02:50 <DIR> d-------- C:\!KillBox
2007-05-31 17:14 <DIR> d-------- C:\DOCUME~1\Shaya\APPLIC~1\Snapfish
2007-05-25 12:42 <DIR> d-------- C:\Program Files\Scriptocean


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 00:14:06 4,412 ----a-w C:\windows\mozver.dat
2007-05-30 19:08:44 -------- d-----w C:\Program Files\Dtab
2007-05-20 02:47:37 76,560 ----a-w C:\windows\system32\drivers\tmcomm.sys
2007-05-15 07:15:45 -------- d-----w C:\Program Files\Total Video Converter
2007-05-15 07:08:15 -------- d-----w C:\Program Files\FileZilla
2007-05-15 06:31:11 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\BitTorrent
2007-05-13 00:12:38 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\TVU Networks
2007-05-12 12:55:50 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\Uniblue
2007-05-07 09:43:08 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-30 09:29:28 -------- d-----w C:\Program Files\DivX
2007-04-25 08:44:48 9,216 ----a-w C:\windows\system32\avgwlntf.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{13358729-9199-4704-BF4C-04DC5FF75219}=C:\windows\system32\ywldaocy.dll []
{507D7718-D143-4B3B-86F9-90F16A5825A0}=C:\windows\system32\iiiig.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe]
"LWBMOUSE"="C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 05:54]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 16:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-01-20 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 05:00]
"Controls"="C:\\WINDOWS\\system32\\00THotkey.exe" [2004-06-28 17:24]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-17 10:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\windows\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
awtqnkh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm32.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm64.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\windows\system32\eenoisgv.dll",realset


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4b218e3e-bc98-4770-93d3-2731b9329278}
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}
%SystemRoot%\system32\ie4uinit.exe

Contents of the 'Scheduled Tasks' folder
2007-04-18 01:00:09 C:\windows\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 21:38:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-24 21:41:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 21:41

--- E O F ---
------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:59:03 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ACS.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\HPZipm12.exe
C:\windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\windows\Explorer.EXE
C:\windows\AGRSMMSG.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: (no name) - {507D7718-D143-4B3B-86F9-90F16A5825A0} - C:\windows\system32\iiiig.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Controls] C:\\WINDOWS\\system32\\00THotkey.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143698624040
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: avgwlntf - C:\windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\windows\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 June 2007 - 04:24 AM

Copy and paste the text below (shown in bold blue in the quote box) into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: ComboFix-Do.txt, and save it to your desktop.

File::
C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\nstvahls.exe
C:\WINDOWS\system32\cvdwwhuf.exe
C:\WINDOWS\system32\cxovkdsm.exe
C:\WINDOWS\system32\pwfruhvn.exe
C:\WINDOWS\system32\bmeswrof.exe
C:\WINDOWS\system32\gidhutxb.exe
C:\WINDOWS\system32\mcqrxrdu.exe
C:\windows\system32\ad.html

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13358729-9199-4704-BF4C-04DC5FF75219}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{507D7718-D143-4B3B-86F9-90F16A5825A0}]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm32.sys]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm64.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=dword:00000000

Now drag then drop the ComboFix-Do.txt file onto ComboFix.exe as you see in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 muzzle811

muzzle811
  • Topic Starter

  • Members
  • 5 posts

Posted 26 June 2007 - 05:47 AM

"Shaya" - 2007-06-25 3:27:43 - ComboFix 07-06-26.4 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Shaya\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-24 21:09 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-24 21:05 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 20:46 <DIR> d-------- C:\VundoFix Backups
2007-06-24 16:47 122,900 --a------ C:\WINDOWS\system32\nstvahls.exe
2007-06-24 03:38 122,900 --a------ C:\WINDOWS\system32\cvdwwhuf.exe
2007-06-23 03:38 122,900 --a------ C:\WINDOWS\system32\cxovkdsm.exe
2007-06-23 03:30 122,900 --a------ C:\WINDOWS\system32\pwfruhvn.exe
2007-06-23 00:42 122,900 --a------ C:\WINDOWS\system32\cdayhiib.exe
2007-06-22 00:42 122,900 --a------ C:\WINDOWS\system32\bmeswrof.exe
2007-06-21 13:10 4,628 --a------ C:\WINDOWS\system32\gidhutxb.exe
2007-06-21 13:09 122,900 --a------ C:\WINDOWS\system32\mcqrxrdu.exe
2007-06-09 02:50 <DIR> d-------- C:\!KillBox
2007-05-31 17:14 <DIR> d-------- C:\DOCUME~1\Shaya\APPLIC~1\Snapfish
2007-05-25 12:42 <DIR> d-------- C:\Program Files\Scriptocean


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 00:14:06 4,412 ----a-w C:\windows\mozver.dat
2007-05-30 19:08:44 -------- d-----w C:\Program Files\Dtab
2007-05-20 02:47:37 76,560 ----a-w C:\windows\system32\drivers\tmcomm.sys
2007-05-15 07:15:45 -------- d-----w C:\Program Files\Total Video Converter
2007-05-15 07:08:15 -------- d-----w C:\Program Files\FileZilla
2007-05-15 06:31:11 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\BitTorrent
2007-05-13 00:12:38 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\TVU Networks
2007-05-12 12:55:50 -------- d-----w C:\DOCUME~1\Shaya\APPLIC~1\Uniblue
2007-05-07 09:43:08 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-30 09:29:28 -------- d-----w C:\Program Files\DivX
2007-04-25 08:44:48 9,216 ----a-w C:\windows\system32\avgwlntf.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{13358729-9199-4704-BF4C-04DC5FF75219}=C:\windows\system32\ywldaocy.dll []
{507D7718-D143-4B3B-86F9-90F16A5825A0}=C:\windows\system32\iiiig.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 15:00 C:\WINDOWS\agrsmmsg.exe]
"LWBMOUSE"="C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 05:54]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 16:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-01-20 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 05:00]
"Controls"="C:\\WINDOWS\\system32\\00THotkey.exe" [2004-06-28 17:24]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-17 10:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\windows\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
awtqnkh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm32.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm64.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
rundll32.exe "C:\windows\system32\eenoisgv.dll",realset


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4b218e3e-bc98-4770-93d3-2731b9329278}
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}
%SystemRoot%\system32\ie4uinit.exe

Contents of the 'Scheduled Tasks' folder
2007-04-18 01:00:09 C:\windows\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 03:34:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-25 3:36:39
C:\ComboFix-quarantined-files.txt ... 2007-06-25 03:36
C:\ComboFix2.txt ... 2007-06-24 21:41

--- E O F ---
-------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:46:51 AM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ACS.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\HPZipm12.exe
C:\windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Hijackthis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: (no name) - {507D7718-D143-4B3B-86F9-90F16A5825A0} - C:\windows\system32\iiiig.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Controls] C:\\WINDOWS\\system32\\00THotkey.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143698624040
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: avgwlntf - C:\windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\windows\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 June 2007 - 06:00 AM

Well, that didn't work. Please do the following:

Copy and paste the text below (shown in bold blue in the quote box) into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double-click the fix.reg file on your desktop, agree to merge it into the registry, then restart your PC.

REGEDIT4

; Each BHO is registered as a subkey named by its CLSID, so the subkey itself has to go;
; "{CLSID}=-" would only try to delete a value of that name, which does not exist.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13358729-9199-4704-BF4C-04DC5FF75219}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{507D7718-D143-4B3B-86F9-90F16A5825A0}]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm32.sys]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\winm64.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
; In .reg syntax a REG_DWORD is written as dword:<8 hex digits>; "=0 (0x0)" is ComboFix's
; display format and regedit will not merge it. The ComboFix log shows the value set in both hives.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"=dword:00000000


Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the text below (shown in bold blue in the quote box):

Files to delete:
C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\nstvahls.exe
C:\WINDOWS\system32\cvdwwhuf.exe
C:\WINDOWS\system32\cxovkdsm.exe
C:\WINDOWS\system32\pwfruhvn.exe
C:\WINDOWS\system32\bmeswrof.exe
C:\WINDOWS\system32\gidhutxb.exe
C:\WINDOWS\system32\mcqrxrdu.exe
C:\windows\system32\ad.html

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.


#7 muzzle811

muzzle811
  • Topic Starter

  • Members
  • 5 posts

Posted 26 June 2007 - 03:19 PM

ok here we go:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dwgsjkup

*******************

Script file located at: \??\C:\windows\gvvtctcw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\sfsync02.dll deleted successfully.
File C:\WINDOWS\system32\nstvahls.exe deleted successfully.
File C:\WINDOWS\system32\cvdwwhuf.exe deleted successfully.
File C:\WINDOWS\system32\cxovkdsm.exe deleted successfully.
File C:\WINDOWS\system32\pwfruhvn.exe deleted successfully.
File C:\WINDOWS\system32\bmeswrof.exe deleted successfully.
File C:\WINDOWS\system32\gidhutxb.exe deleted successfully.
File C:\WINDOWS\system32\mcqrxrdu.exe deleted successfully.


File C:\windows\system32\ad.html not found!
Deletion of file C:\windows\system32\ad.html failed!

Could not process line:
C:\windows\system32\ad.html
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
-------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:17:44 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ACS.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\HPZipm12.exe
C:\windows\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\00THotkey.exe
C:\windows\system32\notepad.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: (no name) - {507D7718-D143-4B3B-86F9-90F16A5825A0} - C:\windows\system32\iiiig.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Controls] C:\\WINDOWS\\system32\\00THotkey.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143698624040
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: avgwlntf - C:\windows\SYSTEM32\avgwlntf.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\windows\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
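The logs in this thread, run through a small triage script. This is an added example, not part of the thread and not HijackThis or ComboFix code: it parses the O-lines of a HijackThis 1.99 log and the 'Files Created' lines of a ComboFix log (the sample input below is copied verbatim from the logs posted above), flags the entries the next reply has HijackThis fix (the unnamed BHOs whose DLLs are gone, plus the awtqnkh Winlogon Notify hook from the earlier log), and groups newly created system32 executables by exact size. The severity rules and the random-name regex are assumptions made for illustration, not anything HijackThis or ComboFix does.

```python
"""Triage pass over HijackThis and ComboFix log lines (added example, not from the thread)."""
import re

# Constructed sample input: lines copied verbatim from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: avgwlntf - C:\windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: awtqnkh - awtqnkh.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
"""

SAMPLE_COMBOFIX = r"""
2007-06-24 21:09 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-06-24 21:05 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 20:46 <DIR> d-------- C:\VundoFix Backups
2007-06-24 16:47 122,900 --a------ C:\WINDOWS\system32\nstvahls.exe
2007-06-24 03:38 122,900 --a------ C:\WINDOWS\system32\cvdwwhuf.exe
2007-06-23 03:38 122,900 --a------ C:\WINDOWS\system32\cxovkdsm.exe
2007-06-21 13:10 4,628 --a------ C:\WINDOWS\system32\gidhutxb.exe
"""

HJT_ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Heuristic (an assumption for this example): a bare 7-9 letter lowercase basename
# such as awtqnkh.dll or ywldaocy.dll is the naming scheme of the dropper in this
# thread. It also matches legitimate names (avgwlntf.dll), so it only ever yields a
# "low" finding that has to be confirmed by other means (file signature, vendor).
RANDOM_NAME_RE = re.compile(r"(?<![a-z0-9_.~])[a-z]{7,9}\.(?:dll|exe)\b")
COMBOFIX_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+\S+\s+(\S.*)$")


def parse_hjt(text):
    """Yield (section, body) for every O-line of a HijackThis 1.99 log."""
    for line in text.splitlines():
        m = HJT_ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return (severity, section, reason, entry) tuples for a HijackThis log.

    Rules (assumptions written for this example, not HijackThis logic):
      high  - O2 BHO with no name whose DLL is missing: orphaned hijacker CLSID
      high  - O20 Winlogon Notify handler whose DLL is missing
      low   - O2/O4/O20 entry whose module has a random-looking basename
      info  - O23 service with "Unknown owner" (often legitimate OEM software)
    """
    findings = []
    for section, body in parse_hjt(text):
        low = body.lower()
        missing = "(file missing)" in low or "(no file)" in low
        random_name = RANDOM_NAME_RE.search(low) is not None
        if section == "O2" and low.startswith("bho: (no name)") and missing:
            findings.append(("high", section, "unnamed BHO with missing DLL", body))
        elif section == "O20" and missing:
            findings.append(("high", section, "Winlogon Notify handler with missing DLL", body))
        elif section in ("O2", "O4", "O20") and random_name:
            findings.append(("low", section, "random-looking module name (confirm by signature)", body))
        elif section == "O23" and "unknown owner" in low:
            findings.append(("info", section, "service with no recognised vendor", body))
    return findings


def size_clusters(text, min_count=3):
    """Group files in a ComboFix 'Files Created' listing by exact byte size.

    Several fresh executables of identical size under unrelated random names are one
    dropper's repeated output; that is a stronger signal than any name-based guess.
    Returns {size: [paths]} for sizes seen at least min_count times; <DIR> lines are skipped.
    """
    by_size = {}
    for line in text.splitlines():
        m = COMBOFIX_FILE_RE.match(line.strip())
        if m:
            by_size.setdefault(int(m.group(1).replace(",", "")), []).append(m.group(2))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


if __name__ == "__main__":
    for severity, section, reason, entry in triage(SAMPLE_HJT):
        print(f"[{severity:4}] {section:3} {reason}: {entry}")
    for size, paths in size_clusters(SAMPLE_COMBOFIX).items():
        print(f"{len(paths)} new files of exactly {size} bytes:")
        for p in paths:
            print("   ", p)
```

Note the deliberate false positive: the random-name rule fires on AVG's own avgwlntf.dll just as it does on awtqnkh.dll, which is why it is never more than a 'low' finding and why the missing-file and identical-size signals carry the weight. The 122,900-byte cluster is the same family of files the Avenger log in this post reports deleting.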

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 June 2007 - 03:40 PM

Download and install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {13358729-9199-4704-BF4C-04DC5FF75219} - C:\windows\system32\ywldaocy.dll (file missing)
O2 - BHO: (no name) - {14EAA111-1984-485A-A338-1EE34895F993} - (no file)
O2 - BHO: (no name) - {507D7718-D143-4B3B-86F9-90F16A5825A0} - C:\windows\system32\iiiig.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

********************************

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Also post a new HijackThis log, and let me know how your PC is running now.



