Need Help in removing a Virus/Worm
Adan New Member Date Joined Oct 2008 Total Posts : 6 Posted 10-14-2008 10:21 (GMT +1)
My computer was infected a few days ago. Here's what it did to my system:
- Removed Task Manager
- Removed shortcuts to Control Panel, Run, My Computer, My Documents, Help and Support, Search from Start Menu
- Removed 'All Programs' from Start Menu
- Blocks all antivirus sites; hence, unable to update antivirus and antispyware
- Frequent pop-ups from Mozilla to weird sites
- Pop-ups saying that I needed to download anti-virus (phony, I think)
- Added shortcut links "Spyware Remover", "Virus Remover" etc. on the desktop, but those actually link to attack sites
I kind of created a new Windows account to solve the problem of the inaccessible Task Manager, Control Panel etc. Did a scan with Spybot Search and Destroy and avast and deleted whatever came up, but the virus still persists, as my machine is significantly slower and may freeze, and sometimes will not shut down properly (freezes at "shutting down windows"). Also, I still cannot access antivirus sites and update my antivirus software. Please help me to remove this virus, as I have tons of important school project materials saved on it. Million thanks in advance!
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14296 Posted 10-14-2008 12:22 (GMT +1)
Hello Adan
Please download Malwarebytes' Anti-Malware:
Or here:
to your desktop. Important -> Save the file as: mwb.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch
Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan , then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and paste that log into your next reply, and tell me how things are running.
NB : If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
Adan New Member Date Joined Oct 2008 Total Posts : 6 Posted 10-15-2008 8:35 (GMT +1)
Thank you for the prompt reply :) I have downloaded Malwarebytes and have installed it. But when the auto-update runs at the end of the installation, I still cannot update. So I went to the MBAM official site (with another computer) to see if I could download the latest database and update manually, and it directed me to this site: www.gt500.org/malwarebytes/database.jsp Downloaded the database, installed it, and MBAM is now performing a full scan.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14296 Posted 10-15-2008 9:47 (GMT +1)
Great
You'll probably have more infections; therefore, please post a Combofix log.
Please download Combofix:
And save to the desktop.
Close all other browser windows.
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply
Adan New Member Date Joined Oct 2008 Total Posts : 6 Posted 10-15-2008 10:26 (GMT +1)
Did the ComboFix. When it rebooted my computer, there was a RUNDLL window saying "Error loading C:\WINDOWS\system32\ovnsgrlk.dll. The specified module could not be found". I don't know what implications it might have, though. Here's the ComboFix.txt:

ComboFix 08-10-14.07 - tu 2008-10-15 17:02:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.209 [GMT 8:00]
Running from: C:\Documents and Settings\tu\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SW_Win2146X32.DLL
C:\WINDOWS\system32\fcccbAqq.dll
C:\WINDOWS\system32\icyqokiv.dll
C:\WINDOWS\system32\klrgsnvo.ini
C:\WINDOWS\system32\klrgsnvo.ini2
C:\WINDOWS\system32\klrgsnvo.tmp
C:\WINDOWS\system32\kmozhr.dll
C:\WINDOWS\system32\kueilume.dll
C:\WINDOWS\system32\ljJCrRiG.dll
C:\WINDOWS\system32\ngxjlk.dll
C:\WINDOWS\system32\ovnsgrlk.dll
C:\WINDOWS\system32\qqAbcccf.ini
C:\WINDOWS\system32\qqAbcccf.ini2
C:\WINDOWS\system32\qvqjkdml.ini
C:\WINDOWS\system32\tuvTKDSI.dll
C:\WINDOWS\system32\windows_update.exe
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-15 14:56 . 2008-10-15 14:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-15 14:56 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-15 14:56 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-15 14:46 . 2008-10-15 14:46 <DIR> d-------- C:\Documents and Settings\tu\Application Data\Malwarebytes
2008-10-15 14:46 . 2008-10-15 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 14:38 . 2008-10-15 14:40 <DIR> d-------- C:\Documents and Settings\tu\Application Data\Nokia
2008-10-13 21:56 . 2008-10-13 21:57 <DIR> d-------- C:\Program Files\CCleaner
2008-10-13 21:34 . 2008-10-13 21:35 <DIR> d-------- C:\HJT
2008-10-13 19:24 . 2008-10-13 19:24 <DIR> d-------- C:\Program Files\Symantec
2008-10-13 19:24 . 2008-10-13 19:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-13 19:24 . 2008-10-13 19:24 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-13 19:24 . 2008-10-13 19:24 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-13 19:24 . 2008-10-13 19:23 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-10-13 19:24 . 2008-10-13 19:24 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-13 19:24 . 2008-10-13 19:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-13 19:23 . 2008-10-13 19:23 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-10-13 19:22 . 2008-10-13 19:23 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-13 19:22 . 2008-10-13 19:23 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-10-13 19:22 . 2008-10-13 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-10-13 19:20 . 2008-10-13 19:22 <DIR> d-------- C:\Program Files\NortonInstaller
2008-10-13 19:20 . 2008-10-13 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-13 16:37 . 2008-10-13 16:37 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-12 19:50 . 2008-10-12 19:50 <DIR> d-------- C:\Documents and Settings\tu\Application Data\Media Player Classic
2008-10-12 15:04 . 2008-10-12 15:04 95 --a------ C:\WINDOWS\wininit.ini
2008-10-11 22:46 . 2008-10-11 22:59 <DIR> d-------- C:\Documents and Settings\tu\Application Data\gtk-2.0
2008-10-11 22:44 . 2008-10-11 22:44 <DIR> d-------- C:\Documents and Settings\tu\.thumbnails
2008-10-11 22:37 . 2008-10-11 23:03 <DIR> d-------- C:\Documents and Settings\tu\.gimp-2.4
2008-10-11 19:54 . 2008-10-11 19:54 <DIR> d-------- C:\Documents and Settings\tu\Application Data\Nexon
2008-10-11 19:31 . 2008-10-11 19:31 <DIR> d-------- C:\Documents and Settings\tu\Contacts
2008-10-11 19:12 . 2008-10-11 19:13 <DIR> d-------- C:\Program Files\Tamagotchi Simulator
2008-10-11 19:09 . 2008-10-15 15:15 <DIR> d-------- C:\Documents and Settings\tu\Application Data\MEGAUPLOADTOOLBAR
2008-10-11 19:09 . 2008-10-11 19:09 <DIR> d-------- C:\Documents and Settings\tu\Application Data\GetRight
2008-10-11 19:05 . 2008-10-15 14:56 <DIR> d-------- C:\Documents and Settings\tu
2008-10-11 19:05 . 2002-12-09 05:37 69,632 --a------ C:\Documents and Settings\tu\MoveEx.exe
2008-10-11 13:42 . 2008-10-15 16:15 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR
2008-10-02 15:51 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\DNA
2008-10-01 15:53 . 2008-10-01 15:53 <DIR> d-------- C:\Program Files\softnyx
2008-09-23 18:18 . 2004-02-04 10:27 49,536 --a------ C:\WINDOWS\system32\drivers\tiehdusb.sys
2008-09-23 18:18 . 2004-01-28 15:03 21,456 --a------ C:\WINDOWS\system32\drivers\SilvrLnk.sys
2008-09-23 18:17 . 2008-09-23 18:18 <DIR> d-------- C:\Program Files\TI Education
2008-09-23 18:17 . 2008-09-23 18:17 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-09-20 22:53 . 2008-09-20 22:53 <DIR> d-------- C:\Program Files\Haali
2008-09-20 22:51 . 2008-09-20 22:52 <DIR> d-------- C:\Program Files\CoreCodec
2008-09-19 23:39 . 2008-10-11 16:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-19 23:39 . 2008-10-15 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 23:35 . 2008-09-19 23:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-19 23:35 . 2008-09-19 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-19 12:02 . 2008-09-19 12:02 259 --a------ C:\WINDOWS\p
2008-09-19 10:07 . 2008-02-01 16:17 138,112 --a------ C:\WINDOWS\system32\drivers\nmwcdnsu.sys
2008-09-19 10:07 . 2008-02-01 16:17 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
2008-09-15 19:42 . 2008-09-15 19:42 185,598 --a------ C:\RJ110 SUD.pdf
2008-09-15 19:40 . 2008-09-15 19:40 <DIR> d-------- C:\WINDOWS\system32\psconv
2008-09-15 19:40 . 2001-10-29 01:42 116,224 --a------ C:\WINDOWS\system32\pdfmonnt.dll
2008-09-15 19:40 . 2008-09-15 19:40 164 --a------ C:\WINDOWS\system32\psconv.ini
2008-09-15 19:35 . 2008-10-07 20:12 2,567 --a------ C:\WINDOWS\CD_SearchHistory.INI
2008-09-15 19:34 . 2008-09-15 19:34 <DIR> d-------- C:\Program Files\Softinterface, Inc
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-10-15 08:54 --------- d-----w C:\Program Files\GetRight
2008-10-13 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-11 11:29 --------- d-----w C:\Program Files\MSN Messenger
2008-09-29 04:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-23 10:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-19 02:07 --------- d-----w C:\Program Files\Nokia
2008-09-19 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-19 02:06 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-27 09:20 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-08-27 09:17 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-08-24 11:19 --------- d-----w C:\Program Files\Orban
2008-08-24 09:54 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-08-20 06:57 1,654,784 ----a-w C:\WINDOWS\system32\beconvlib.dll
2008-08-01 06:36 221,184 ----a-w C:\WINDOWS\system32\SII_PDF.dll
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-25 08:34 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-07-25 08:34 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-07-25 08:34 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-07-25 08:34 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-07-25 08:34 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-07-25 08:34 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-07-25 08:34 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-07-25 08:34 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-07-25 08:34 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-07-25 08:34 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-07-25 08:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-07-25 08:34 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-17 06:02 765,952 ----a-w C:\WINDOWS\system32\tx14.dll
2008-07-15 21:10 667,648 ----a-w C:\WINDOWS\system32\tx14_doc.dll
2008-07-15 17:00 1,056,768 ----a-w C:\WINDOWS\system32\tx14_dox.dll
2002-12-08 21:37 69,632 ----a-w C:\WINDOWS\system32\config\systemprofile\MoveEx.exe
2002-12-08 21:37 69,632 ----a-w C:\Documents and Settings\Default User\MoveEx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-06-24 7932416]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ybzfiv.dll kmozhr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start GetRight.lnk
backup=C:\WINDOWS\pss\Start GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^ImationFlashDetect.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\ImationFlashDetect.lnk
backup=C:\WINDOWS\pss\ImationFlashDetect.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
--a------ 2004-06-24 10:28 7932416 C:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 06:32 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 06:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
--a------ 2006-08-16 11:10 503808 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-15 15:56 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"WinDefend"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-13 309296]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-13 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-13 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081014.001\IDSxpx86.sys [2008-10-13 274808]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv [ ]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys [ ]
S3 XDva039;XDva039;C:\WINDOWS\system32\XDva039.sys [ ]

*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 17:39]

2008-10-15 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []

2008-10-13 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1477e7d1-7bd9-446b-b933-164d45e7da61} - C:\WINDOWS\system32\kmozhr.dll
BHO-{724B80DE-D97A-4384-8960-6AF64CE5BBB3} - (no file)
BHO-{786BDEE4-2AB3-4666-A9CC-D72C1C67121A} - C:\WINDOWS\system32\fcccbAqq.dll
BHO-{998DAE3E-7D4F-4952-A71F-467D8FE64407} - C:\WINDOWS\system32\ljJCrRiG.dll
HKLM-Run-948e2292 - C:\WINDOWS\system32\ovnsgrlk.dll
ShellExecuteHooks-{998DAE3E-7D4F-4952-A71F-467D8FE64407} - C:\WINDOWS\system32\ljJCrRiG.dll
MSConfigStartUp-PCSuiteTrayApplication - C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\tu\Application Data\Mozilla\Firefox\Profiles\vf14rc8g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPGetRt.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 17:12:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-10-15 17:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 09:17:28

Pre-Run: 12,263,456,768 bytes free
Post-Run: 12,184,391,680 bytes free

266
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14296 Posted 10-15-2008 11:10 (GMT +1)
Combolog looks clean, and we'll deal with "Error loading C:\WINDOWS\system32\ovnsgrlk.dll" in the next reply.
Download this version of HijackThis from http://danborg.org/spy/hjt/alternativ.exe and save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double-click the 'My Computer' icon on your desktop, then under the category Hard Disk Drives double-click Local Disk:, then select File -> New -> Folder and name it HJT.
Run HijackThis (alternativ.exe). Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system and automatically open a Notepad text file containing the HijackThis log when the scan is finished.
Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy. From within the browser window, with the message body text box selected, click Edit -> Paste.
Post the HijackThis log.
Adan New Member Date Joined Oct 2008 Total Posts : 6 Posted 10-15-2008 12:25 (GMT +1)
OK, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:02, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ybzfiv.dll kmozhr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14296 Posted 10-15-2008 1:08 (GMT +1)
Run a scan with HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ybzfiv.dll kmozhr.dll
Reboot, post a new HijackThis log and tell me how things are running.
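The three entries picked out above (an O2 BHO and an O9 button marked "(no file)", plus the O20 AppInit_DLLs line) are the kind of thing that can be pulled out of a HijackThis log mechanically, and the same idea applied to the ComboFix log explains the RUNDLL box Adan saw at reboot. The Python below is an added example, not code from this thread or from HijackThis or ComboFix. The severity labels, the section-header patterns and the reading of the rundll32 error are my own assumptions; the two sample logs are constructed subsets of the logs posted in this thread, and the "(file missing)" remark rests on the fact that the same HJT log lists the avast and Norton binaries it calls missing among the running processes.

```python
"""Offline triage of HijackThis and ComboFix text logs (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log in this thread.
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ybzfiv.dll kmozhr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Constructed sample: the ComboFix sections relevant to the rundll32 error.
COMBOFIX_SAMPLE = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\kmozhr.dll
C:\WINDOWS\system32\ovnsgrlk.dll
C:\WINDOWS\system32\windows_update.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
.
- - - - ORPHANS REMOVED - - - -
BHO-{1477e7d1-7bd9-446b-b933-164d45e7da61} - C:\WINDOWS\system32\kmozhr.dll
BHO-{724B80DE-D97A-4384-8960-6AF64CE5BBB3} - (no file)
HKLM-Run-948e2292 - C:\WINDOWS\system32\ovnsgrlk.dll
MSConfigStartUp-PCSuiteTrayApplication - C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
.
------- Supplementary Scan -------
"""


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high", "medium" or "low" (my own scale, an assumption)
    reason: str


# An HJT entry is "<letter><digits> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKLM\...".
HJT_ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# ComboFix section headers: "(((( Name ))))", "- - - - NAME - - - -" or "---- Name ----".
CF_SECTION_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|- - - - (.+?) - - - -|-{3,}\s*(.+?)\s*-{3,})$")


def triage_hjt(log_text):
    """Flag the HJT entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY_RE.match(line)
        if not m:
            continue  # header line, blank line or a running-process path
        kind, body = m.groups()
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.partition(":")[2].split()
            if dlls:  # an empty AppInit_DLLs value is the normal state
                findings.append(Finding(line, "high",
                    f"AppInit_DLLs loads {', '.join(dlls)} into every process that maps user32.dll"))
        elif "(no file)" in body:
            findings.append(Finding(line, "medium",
                "registry entry points at a file that is gone (orphan left behind after the payload was deleted)"))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(line, "low",
                "HJT 1.99.1 says '(file missing)' for quoted ImagePath values with arguments even when the binary is running; verify the path by hand"))
    return findings


def appinit_dlls(log_text):
    """DLL names on the O20 AppInit_DLLs line, or [] if the value is empty or absent."""
    for raw in log_text.splitlines():
        if raw.startswith("O20 - AppInit_DLLs:"):
            return raw.partition(":")[2].split()
    return []


def parse_combofix_sections(text):
    """Map each ComboFix section name to the non-empty entry lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CF_SECTION_RE.match(line)
        if m:
            current = next(g for g in m.groups() if g)
            sections[current] = []
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def deleted_autostart_targets(text):
    """Orphaned autostart entries whose target file ComboFix itself deleted.

    A Run value that fires once more after its DLL is gone is what produces a
    rundll32 'Error loading ...' box at the next boot (my reading of the log).
    """
    sections = parse_combofix_sections(text)
    deleted = {p.casefold() for p in sections.get("Other Deletions", [])}
    orphans = (e.partition(" - ") for e in sections.get("ORPHANS REMOVED", []))
    return [(name, target) for name, _, target in orphans if target.casefold() in deleted]


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.severity:>6}] {f.line}\n         {f.reason}")
    for name, target in deleted_autostart_targets(COMBOFIX_SAMPLE):
        print(f"orphan autostart {name} pointed at deleted file {target}")
```

Run against the full logs above, the cross-reference reports the HKLM-Run-948e2292 value as pointing at ovnsgrlk.dll, one of the files listed under "Other Deletions"; ComboFix removed that orphan too, which is why the moderator could call the log clean even though the error box appeared once.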
Adan New Member Date Joined Oct 2008 Total Posts : 6 Posted 10-15-2008 4:25 (GMT +1)
Did the scan and removed the 3 things. I guess everything seems normal now. I noticed that there is now a backups folder in C:\HJT with some files created during the process of removal. Here's the new HJT log after reboot:

Logfile of HijackThis v1.99.1
Scan saved at 23:23, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Norton AntiVirus - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SUGE1 Status Monitor Service (SM_SUGE1_FUService) - Unknown owner - C:\Program.exe (file missing)