Trojan Horse Generic4.oaw


17 replies to this topic

#1 dg4004


Posted 30 June 2007 - 01:30 PM

Logfile of HijackThis v1.99.1
Scan saved at 18:27:27, on 30/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EvidenceNuker\enuker.exe
F:\Program Files\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Grice\Local Settings\Temp\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/st35install.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Image Helper - {ABD7C2DD-84DE-28FC-1E72-323394635866} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EvidenceNuker] C:\Program Files\EvidenceNuker\enuker.exe /hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/30b93ec5e0c058...ip/RdxIE601.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.116.73 85.255.112.150
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: wuetlpdn - C:\WINDOWS\SYSTEM32\gphcgph.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


#2 DASOS


Posted 09 July 2007 - 01:15 PM

Hello dg4004

Welcome to Bleeping Computer!

Sorry about the delay. We're all volunteers here, and it's been very busy. If you still need help, please post a new HijackThis log to make sure nothing has changed.

Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

And I'll be happy to take a look at it for you.

I also need to see a different type of log from Hijackthis:
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.
Thanks for your patience.

Stelios :thumbsup:

#3 dg4004


Posted 09 July 2007 - 03:24 PM

Hi, yes, I'm still having major problems with this. I'll do as you say and hope for the best.
Thanks

#4 dg4004


Posted 09 July 2007 - 03:31 PM

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
AVG 7.5
AVG Anti-Spyware 7.5
EvidenceNuker (remove only)
FileASSASSIN
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Imaging Device Functions 7.0
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
Intel® 536EP Modem
Microsoft Office PowerPoint Viewer 2003
Microsoft Publisher 98
Microsoft Word 2000 SR-1
Nero
Orange Search Toolbar
RealPlayer
SpeedTouch USB Software
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Windows XP Hotfix - KB822603
ZoneAlarm



Hi, done as you requested, hope this helps in some way.
Thanks

#5 DASOS


Posted 10 July 2007 - 12:13 PM

Hi dg4004

Can you post a new Hijackthis log please!




Stelios

#6 dg4004


Posted 10 July 2007 - 02:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 20:05:32, on 10/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EvidenceNuker\enuker.exe
F:\Program Files\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Outlook Express\MSIMN.EXE
F:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Grice\Local Settings\Temp\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/st35install.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Image Helper - {ABD7C2DD-84DE-28FC-1E72-323394635866} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EvidenceNuker] C:\Program Files\EvidenceNuker\enuker.exe /hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/30b93ec5e0c058...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.130
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: wuetlpdn - C:\WINDOWS\SYSTEM32\gphcgph.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe

#7 DASOS


Posted 11 July 2007 - 01:28 PM

Hi dg4004

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply, along with a new Hijackthis log.

Stelios

#8 dg4004


Posted 12 July 2007 - 06:49 AM

As requested, hope this helps.

Username "David Grice" - 12/07/2007 12:35:29 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}
"nameserver"="85.255.115.28" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "3mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9F8FB5AFB00B-D138-1754-BDF8-3075BF10{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}052AA2414114-6CAB-5414-6159-C4D8C89B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}82CFEB0F26B2-BA3A-09D4-0B14-4A638988{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}44BBDADCC450-A349-66F4-2788-118222F2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}AF851E1FE271-C2E9-B764-30EC-DED15660{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}61E935C059E0-8D79-0D64-ADF3-F0EA183D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}24E92A7685C0-182B-D1E4-7355-702DADF1{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A2FB3C72890A-BBC9-DEC4-0B46-49DC66A3{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FB331E3B8F50-8229-6C14-3880-1AF400E5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}55E60E8688C6-B988-7454-46CF-080EFD02{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}19996DC5F944-878A-8874-C4EF-E6928EAC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BDCC3F2C13B1-8AD8-B054-1027-0148C410{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}38246624E1FA-70CB-4814-D5F5-77B8B054{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B5546A9605F1-DF7A-A394-74DD-E1BC9698{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}36B2C91F567C-5A89-BA34-EA58-F9810E90{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9EAB44E1940C-C4C8-8744-5360-301199E9{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}471D25AC6C72-FA69-7E84-5E29-5A4A87B4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8496937B78CE-C969-8024-5369-1190A0B0{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9D14D160C134-A739-F154-7C6F-3A5C911C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}38A80B7985D5-9F4A-4374-36E7-29DD15C2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1CA4E287EAE8-B8D9-BE84-894A-2CC36532{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8C4CA453B030-DBDB-5904-AF00-8D50FD1E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4E3D84AB983C-29CB-B264-A668-2EE17BE5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4E6DB109BBC3-957A-5B64-E479-42B09906{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}075FEE30324E-3BE8-5B84-4E4E-E4E7714C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6AB7CB7D8037-8AD9-0DA4-7FBD-D3451141{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}76AA02AC391B-39CB-FD64-9570-CFD9792E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1A7D5BD08FF4-BC88-9394-7F69-5B3485A7{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}ED187B05355B-9B69-EFF4-044C-21712781{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7659CF24A707-F029-0A34-B061-3D68BC81{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7541C7EC069D-0AA9-7314-A318-C3F46B65{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A074EDB84978-CBFA-6784-B883-FB26310C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FAC46A8F3C5E-23E8-30D4-F8F3-764E21A4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EE100011BD32-78BB-3AD4-B826-B4C96AB4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}74911393CAC2-FB18-D994-B6E2-AF779BF4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E5148D2F1F59-952A-0DD4-C52A-47252C52{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}245BAB5B9BF9-45A8-6464-8CD2-CC6AEFFC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4DE43F0CC50A-837B-1D44-F857-8A4A01E4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}26010D3F0EED-6729-18D4-8717-9AB781F5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}253EC3BEFEBE-AE79-1904-35B4-8740AE51{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}02C45CECBD50-01E9-5204-C43D-26EAB080{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B021120D0B70-D10A-8EF4-AD75-31FF56D8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2205B7B8FBE0-A45A-1DD4-6646-6CAC277E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8745C420B1A3-76E8-D944-4FB3-08329668{" Deleted
C:\WINDOWS\System32\iiqpp.exe Deleted
....
»»»»» Misc files.
C:\Program Files\SpyVampire Deleted
C:\WINDOWS\SYSTEM32\{0731DCE0-7781-4B6A-92B8-380A1BD6ABFD}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ZoneAlarm Client"="\"F:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Software Update"="F:\\Program Files\\HP Software Update\\HPWuSchd2.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"EvidenceNuker"="C:\\Program Files\\EvidenceNuker\\enuker.exe /hide"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Logfile of HijackThis v1.99.1
Scan saved at 12:46:40, on 12/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EvidenceNuker\enuker.exe
F:\Program Files\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Grice\Local Settings\Temp\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/st35install.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Image Helper - {ABD7C2DD-84DE-28FC-1E72-323394635866} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EvidenceNuker] C:\Program Files\EvidenceNuker\enuker.exe /hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/30b93ec5e0c058...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: wuetlpdn - C:\WINDOWS\SYSTEM32\gphcgph.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)
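
Added example, not from this thread or from any of the tools named in it: a small Python checker that reads HijackThis lines in the shape posted above and reports the entries a helper would look at first: O17 resolvers inside 85.255.112.0/20 (the /20 that contains every NameServer value in this thread's logs, used here as a constructed watch list), O4 Run values with no full path (such as `[smgr] mgrs.exe`) or an executable sitting directly in C:\WINDOWS, and O23 services with an unknown owner or missing binary. The sample lines embedded in the block are constructed for the example.

```python
import ipaddress
import re

# Constructed watch list for this example: one /20 that contains every NameServer value
# posted in this thread's logs (85.255.116.73, 85.255.112.150, 85.255.115.28, ...).
# A resolver inside it is reported as a hijacked DNS setting.
WATCHLISTED_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

O17_RE = re.compile(r"^O17 - .*: NameServer = (.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# An .exe sitting directly in the Windows directory (not in a subfolder such as System32).
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample in the same shape as the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE-GUID}: NameServer = 192.168.1.1
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)
"""


def executable_of(command):
    """Return the executable part of a Run value, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive intact.
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(" ")[0]


def audit_hijackthis_log(text):
    """Return a list of (section, reason, detail) findings for the lines worth checking first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            # NameServer may hold several resolvers separated by spaces or commas.
            for token in re.split(r"[\s,]+", m.group(1)):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if any(addr in net for net in WATCHLISTED_DNS_RANGES):
                    findings.append(("O17", "resolver in watch-listed DNS range", token))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group(3))
            if not FULL_PATH_RE.match(exe) and not exe.startswith("%"):
                findings.append(("O4", "Run value without a full path (resolved via PATH search)", exe))
            elif WINDOWS_ROOT_RE.match(exe):
                findings.append(("O4", "executable placed directly in the Windows directory", exe))
            continue
        if line.startswith("O23 - Service: "):
            # Layout is "<display name> (<short name>) - <owner> - <path>"; split from the right
            # so a display name containing " - " does not shift the fields.
            parts = line[len("O23 - Service: "):].split(" - ")
            if len(parts) < 3:
                continue
            owner, path = parts[-2], parts[-1]
            if owner == "Unknown owner" or path.endswith("(file missing)"):
                findings.append(("O23", "service with unknown owner or missing binary", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in audit_hijackthis_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Signed, well-known entries such as ctfmon.exe and vsmon.exe pass through untouched; only the five suspicious lines in the sample are reported.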

#9 DASOS


Posted 13 July 2007 - 05:18 AM

Hi dg4004


Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically, and after the reboot the infection should be killed.

Reboot & post a fresh HJT log


Stelios

#10 dg4004


Posted 15 July 2007 - 08:47 AM

Sorry Stelios, but no luck. I ran win32delfkil but it came up "file not found". I've copied the log if it helps, and have run another HijackThis.

WIN32DELFKIL LOGFILE - by Marckie


version 3.128
15/07/2007 14:38:11.19
running from: "C:\Documents and Settings\David Grice\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 14:46:57, on 15/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EvidenceNuker\enuker.exe
F:\Program Files\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Grice\Local Settings\Temp\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/st35install.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Image Helper - {ABD7C2DD-84DE-28FC-1E72-323394635866} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EvidenceNuker] C:\Program Files\EvidenceNuker\enuker.exe /hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/30b93ec5e0c058...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: wuetlpdn - C:\WINDOWS\SYSTEM32\gphcgph.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)

Thanks

Dave

#11 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:09:13 PM

Posted 15 July 2007 - 01:44 PM

Hi dg4004

Please download Combofix to your desktop.
  • Doubleclick combo.exe to launch the application.
  • Follow the prompts that will be displayed on the screen.
  • Don't click on the window while the fix is running, because that will cause your system to hang.
  • When finished, it should produce a log, combofix.txt.
  • Post this log in your next reply together with a new hijackthislog.



Stelios

#12 dg4004

dg4004
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:13 PM

Posted 15 July 2007 - 03:51 PM

Stelios,

I've tried to download ComboFix, but I just get a "404 Not Found" page. I can't find (and open) ComboFix anywhere.

#13 dg4004

dg4004
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:13 PM

Posted 15 July 2007 - 04:18 PM

Stelios, forget the last message. I found it on another site and downloaded it; here is the result.




"David Grice" - 2007-07-15 22:08:05 - ComboFix 07-07-13.8 - Service Pack 1 NTFS

/wow section - STAGE #6I

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


FINDSTR: Cannot open C:\WINDOWS\system32\gphcgph.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\DAVIDG~1\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\drivers\wndgefra.sys
C:\WINDOWS\system32\gphcgph.dll
C:\WINDOWS\system32\gphcgph.dll.bak


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DTMWCWXR
-------\LEGACY_PDTWTATQ
-------\dtmwcwxr
-------\pdtwtatq


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 22:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 14:38 <DIR> d-------- C:\_backupD
2007-07-13 21:58 90,112 --a------ C:\WINDOWS\SYSTEM32\regdacl.exe
2007-07-13 21:58 53,248 --a------ C:\WINDOWS\SYSTEM32\process.exe
2007-07-13 21:58 4,096 --a------ C:\WINDOWS\SYSTEM32\reboot.exe
2007-07-13 21:58 280,022 --a------ C:\win32delfkil.exe
2007-07-13 21:58 16,384 --a------ C:\WINDOWS\SYSTEM32\restart.exe
2007-07-13 21:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\regdacl
2007-07-12 12:35 5,047 --a------ C:\dnsbak.reg
2007-07-06 16:41 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\Leadertech
2007-07-06 12:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-06 12:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-07-05 13:53 207 --ahs---- C:\WINDOWS\SYSTEM32\1417120145.dat
2007-06-30 15:21 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\AdobeUM
2007-06-30 15:21 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\AdobeAUM
2007-06-22 10:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\appmgmt
2007-06-15 10:02 <DIR> d-------- C:\Program Files\EvidenceNuker
2007-06-15 10:02 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\EvidenceNuker


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 15:40:51 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-06 11:49:00 -------- d-----w C:\DOCUME~1\DAVIDG~1\APPLIC~1\Lavasoft
2007-07-06 11:37:41 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 15:59:23 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-06-06 18:29:18 -------- d-----w C:\Program Files\3B Software
2007-06-04 17:53:20 -------- d-----w C:\Program Files\FileASSASSIN
2007-06-04 14:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 14:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 14:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 17:55:38 -------- d-----w C:\DOCUME~1\DAVIDG~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-28 20:10:42 -------- d-----w C:\Program Files\ahead
2007-05-28 15:02:56 -------- d-----w C:\DOCUME~1\DAVIDG~1\APPLIC~1\DeepBurner
2007-05-27 12:12:40 125,952 ----a-w C:\WINDOWS\system32\mgzyxxff(2).dll
2007-05-24 10:44:08 125,952 ----a-w C:\WINDOWS\system32\mgzyxxff.dll
2007-05-22 10:37:10 756,224 ----a-w C:\WINDOWS\system32\wgpbykeo.dll
2007-05-20 10:32:26 684,567 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-05-20 10:32:26 147,729 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-05-19 10:14:56 -------- d-----w C:\Program Files\Google
2007-05-19 10:11:52 -------- d-----w C:\Program Files\Mozilla Firefox(2)
2007-05-19 10:08:30 -------- d-----w C:\Program Files\Messenger
2007-05-17 10:12:58 125,440 ----a-w C:\WINDOWS\system32\mgzyxxff(2)(3).dll
2007-05-14 09:59:49 126,976 ----a-w C:\WINDOWS\system32\mgzyxxff(2)(2).dll
2007-05-13 09:56:41 125,440 ----a-w C:\WINDOWS\system32\mgzyxxff(3)(3).dll
2007-05-11 16:38:19 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-30 18:08:16 117,082 ----a-w C:\WINDOWS\hpoins11.dat
2007-04-29 20:13:21 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-29 17:06:53 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-30 17:02:26 266 --sh--w C:\Program Files\desktop.ini
2007-03-30 17:02:26 11,079 ---ha-w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-23 00:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A6FB-F862B587B57D}]
2006-02-13 14:49 1369600 --a------ C:\PROGRA~1\orange4\orange4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51E552E0-6224-4C20-81D9-E72FE1FEDCBC}]
c:\windows\system32\gphcgph.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD7C2DD-84DE-28FC-1E72-323394635866}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-07-14 19:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"ZoneAlarm Client"="F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-03 18:44]
"HP Software Update"="F:\Program Files\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-25 10:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-28 11:34]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2006-12-23 16:21]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 19:22]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-27 08:29]
"EvidenceNuker"="C:\Program Files\EvidenceNuker\enuker.exe" [2006-06-30 04:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-28 11:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 22:12:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-15 22:14:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-15 22:14

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 22:18:36, on 15/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EvidenceNuker\enuker.exe
F:\Program Files\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Grice\Local Settings\Temp\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/st35install.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Image Helper - {ABD7C2DD-84DE-28FC-1E72-323394635866} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EvidenceNuker] C:\Program Files\EvidenceNuker\enuker.exe /hide
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Office\OSA9.EXE
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/30b93ec5e0c058...ip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)
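As an added example (not code from this thread, nor from HijackThis or ComboFix), the script below diffs the HijackThis log posted before ComboFix ran (14:46) against the one posted after it (22:18): it reports which autostart entries disappeared, which now point at a file that no longer exists, and which orphaned "(file missing)" entries are still left behind. BEFORE and AFTER are constructed excerpts of those two logs.

```python
# Added example: diff two HijackThis 1.99.1 logs to see what a cleanup changed.
# BEFORE/AFTER are constructed excerpts of the 15/07/2007 logs in this thread.
import re

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"

BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wuetlpdn - C:\WINDOWS\SYSTEM32\gphcgph.dll
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {51E552E0-6224-4C20-81D9-E72FE1FEDCBC} - c:\windows\system32\gphcgph.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F926C560-D10F-49F8-BC4E-A90C706B1FF1}: NameServer = 85.255.115.28 85.255.112.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Wireless Zero Configuration WZCSVC Anti-Spyware Guard (WZCSVC Anti-Spyware Guard) - Unknown owner - C:\WINDOWS\System32\a3dapih.exe (file missing)
"""


def parse_hjt(text):
    """Map (section, entry) -> True if HJT reported the file missing.

    The key drops the '(file missing)' suffix so the same registry entry
    matches across logs even when only its on-disk state changed.
    """
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines and the 'Running processes' block
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        entries[(m.group("kind"), body)] = missing
    return entries


def diff_hjt(before_text, after_text):
    """Classify every entry: removed, added, newly file-missing, or stale."""
    before = parse_hjt(before_text)
    after = parse_hjt(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        # registry entry survived, but the file it points to is now gone
        "now_missing": sorted(k for k in after
                              if k in before and after[k] and not before[k]),
        # anything still pointing at a missing file: orphaned autostart entries
        "stale": sorted(k for k in after if after[k]),
    }


def dns_servers(entries):
    """NameServer addresses from O17 lines, to verify against the ISP's DNS."""
    servers = []
    for kind, body in entries:
        if kind == "O17" and "NameServer = " in body:
            servers.extend(body.split("NameServer = ", 1)[1].split())
    return servers


if __name__ == "__main__":
    report = diff_hjt(BEFORE, AFTER)
    for label, items in report.items():
        print(f"{label}:")
        for kind, body in items:
            print(f"  {kind} - {body}")
    print("O17 nameservers:", dns_servers(parse_hjt(AFTER)))
```

On these excerpts the report shows the wuetlpdn Winlogon Notify hook and the NeroCheck Run entry gone, the gphcgph.dll BHO registration now orphaned, and the WZCSVC service entry still pointing at a missing a3dapih.exe.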

#14 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:09:13 PM

Posted 16 July 2007 - 03:05 PM

Hi dg4004

Sorry for the bad link!

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords: for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer, because the attacker may get the new passwords and transaction information.
=====

Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\gphcgph.dll
C:\WINDOWS\system32\mgzyxxff(2)(3).dll
C:\WINDOWS\system32\mgzyxxff(2).dll
C:\WINDOWS\system32\mgzyxxff(2)(2).dll
C:\WINDOWS\system32\mgzyxxff(3)(3).dll
C:\WINDOWS\system32\mgzyxxff.dll
C:\WINDOWS\system32\wgpbykeo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51E552E0-6224-4C20-81D9-E72FE1FEDCBC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD7C2DD-84DE-28FC-1E72-323394635866}]


Save this as "CFScript"
Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Stelios

#15 dg4004

dg4004
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:13 PM

Posted 17 July 2007 - 03:33 PM

Stelios,

Thanks for all that, but what do you mean by "CLEAN" my computer? Do you mean reformat my hard drive, and if so, do you know the best way to do it with Windows XP?

Thanks

Dave
