
multiple removal and IE fix


This topic is locked
20 replies to this topic

#1 cheezebaal

  • Full Member
  • 9 posts

Posted 16 May 2007 - 03:28 AM

Working on a friend's computer.
I removed TONS of viruses and adware/spyware. I can't for the life of me figure out why IE continues to crash when I try to start it (Firefox runs, but Windows Update will not run through it).
I'd like someone to take a look at my logs and see what else I may have missed, and any ideas to restore IE to functionality.
When I received the computer NO AV/spyware programs were running. I installed AVG, Spybot, AVG Anti-Spyware, as well as CCleaner to remove temp files, etc.
I turned off System Restore, booted into Safe Mode, and multiple scans and removals later the only thing that kept coming back was SpySheriff, which, following directions, appears to now be gone as well.

XP Home with SP1.
(which is why I need to fix IE)

Spybot S&D
No threats found.

AVG is set to scan all files.
AVG reports clean.


AVG Anti-Spyware complete system scan.
AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 2:01:26 AM 5/16/2007

+ Scan result:



C:\Documents and Settings\Owner\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned.
C:\WINDOWS\Temp\startdrv.exe -> Dropper.Agent.bie : Cleaned.
:mozilla.14:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.49:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.50:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Cookies\owner@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.35:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.10:C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Application Data\Mozilla\Firefox\Profiles\s0hnytg9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.


::Report end

AVG Anti-Rootkit will NOT run; it shuts down immediately.

HijackThis has been renamed to hjt_v2.exe.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:03:24 AM, on 5/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\hjt_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6028 bytes

Any help is appreciated.

Edited by cheezebaal, 16 May 2007 - 01:45 PM.


#2 SWI Support Robot

  • Helper robot
  • SWI Bot
  • 23,533 posts

Posted 18 May 2007 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes

  • Malware Expert
  • Retired Staff
  • 20,026 posts

Posted 21 May 2007 - 01:32 AM

Hi,

The forums are really busy, which explains why logs get behind. If you still need some help, please start by posting a new HijackThis log in this thread. Don't start a new thread.
Then I'll take a look. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 cheezebaal

  • Full Member
  • 9 posts

Posted 21 May 2007 - 10:46 PM

Thanks for the help.
I THINK I know where to start, but I thought I'd ask for a review before I started removing things.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:40:11 AM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\hjt_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

#5 miekiemoes

  • Malware Expert
  • Retired Staff
  • 20,026 posts

Posted 21 May 2007 - 11:25 PM

Hello,


One thing is for sure here: your computer is terribly infected, and I really hope the malware didn't damage too much, because not all damage can be restored.
Also, after we are done with this, change all your passwords, because they are currently known, since you are also dealing with a password stealer.

"turned off system restore"


First of all... please enable System Restore again and let it create a new restore point. This is in case something goes wrong, because with the type of malware you are dealing with, Windows is very unstable. It's better to have an infected System Restore point than no restore point at all. We can still flush System Restore afterwards.

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
do not use the scan yet

--------------------------

* Reboot into Safe Mode (without networking support!):
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that appears and press Enter.

---------------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
<== not required
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

--------------------------
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • It may display a popup in between offering to buy it or a 50% discount. Just close that popup.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found, checked by default.
    If the file "process.exe" was found - uncheck it. This because this file is related with SDFix and SDFix needs it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether an icon appears next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web Cureit.
-------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
-------------------------
* Download ComboFix to your desktop.
Double-click combofix.exe and follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post the following logs in your next reply:

* Log from DrWeb CureIt
* Log from SDFix
* New HijackThislog
* Log from Combofix

You may need more than one reply to post the logs.
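The entries ticked in the post above share a few recognisable traits: registry references to files that no longer exist ("file missing"), objects registered with an empty path, unnamed BHOs loading randomly named DLLs from System32, autostart locations that legitimate software rarely touches (AppInit_DLLs, Winlogon Notify, Policies\Explorer\Run), services with no recognised publisher, and a service display name with a digit swapped in for a letter ("Supp0rt"). The script below is an added example, not part of this thread and not HijackThis code, that applies those heuristics to lines taken from the HijackThis log in post #4 (post #1 asked what else might have been missed). The allow-list of known-good file names, the choice of heuristics and the output format are assumptions made for the example; the sample lines are copied from the posted log.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis code, and the heuristics,
allow-list and output format are assumptions chosen for illustration.
Sample lines are copied from the HijackThis log posted in the thread.
"""
import re

# Assumption: a tiny allow-list of benign file names seen in this log. A real
# tool would verify signatures or hashes rather than trusting a file name.
KNOWN_GOOD = {
    "acroiehelper.ocx", "sdhelper.dll", "msdxm.ocx", "browseui.dll",
    "guard.exe", "avgamsvr.exe", "avgupsvc.exe", "avgemc.exe", "avgcc.exe",
    "nvsvc32.exe", "wanmpsvc.exe",
}

# Autostart locations that legitimate software almost never uses.
SUSPICIOUS_SECTIONS = (
    "O20 - AppInit_DLLs",
    "O20 - Winlogon Notify",
    "Policies\\Explorer\\Run",
)

LINE_RE = re.compile(r"^(?P<kind>[ROF]\d+) - (?P<body>.*)$")
FILENAME_RE = re.compile(r'([^\\/\s"]+\.(?:dll|exe|ocx|sys|xpy))', re.IGNORECASE)
LOOKALIKE_RE = re.compile(r"[A-Za-z][0-9][A-Za-z]")  # digit inside a word, e.g. "Supp0rt"

# Lines copied from the log in post #4 (a subset, for readability).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""


def service_fields(body):
    """Split 'Service: <name> - <owner> - <path>' into its three fields."""
    parts = body[len("Service: "):].split(" - ", 2)
    return parts + [""] * (3 - len(parts))


def triage(log_text):
    """Return a list of {'kind', 'line', 'reasons'} for every line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if "(file missing)" in body:
            reasons.append("registry entry points at a file that no longer exists")
        if body.endswith(" - \\"):
            reasons.append("registered object has an empty path")
        for marker in SUSPICIOUS_SECTIONS:
            if marker in line:
                reasons.append(f"autostart location rarely used legitimately: {marker}")
        if kind == "O2" and "(no name)" in body:
            fm = FILENAME_RE.search(body)
            if fm is None or fm.group(1).lower() not in KNOWN_GOOD:
                reasons.append("unnamed BHO whose file is not on the allow-list")
        if kind == "O16":
            reasons.append("downloaded ActiveX control; confirm the source host is trusted")
        if kind == "O23":
            name, owner, path = service_fields(body)
            if owner == "Unknown owner":
                reasons.append("service binary has no recognised publisher")
            if path.endswith("\\"):
                reasons.append("service image path is a directory, not an executable")
            if LOOKALIKE_RE.search(re.sub(r"\([^)]*\)", "", name)):
                reasons.append("display name has a digit where a letter belongs (lookalike)")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

Run as a script it prints each flagged line with its reasons; on the sampled lines it reproduces the helper's picks and leaves the Adobe, Spybot, AVG, NVIDIA and AOL entries alone. It is an aid, not a verdict: the MarketBrowser O9 entries and the optional HP toolkit toolbar were also ticked above for reasons a pattern match cannot see, and an empty result from such a script says nothing about what else the machine is running.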

#6 cheezebaal

  • Full Member
  • 9 posts

Posted 22 May 2007 - 07:59 AM

Dr.Web CureIt log

---------
Process.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
1166984976XWQCa.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Fakealert;Deleted.;
gwpc.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.DownLoader.17544;Deleted.;
installer.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.DownLoader.17482;Deleted.;
VVSNInst.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SaveNow;Incurable.Moved.;
~ds39990.tmp;C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Local Settings\Temp;Trojan.Kolweb;Deleted.;
backup-20070522-064406-358.dll;C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
EN_CA-ie.reg;C:\hp\region;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0000010.dll;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.based;Deleted.;
A0000011.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.Fakealert;Deleted.;
A0000012.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.17544;Deleted.;
A0000013.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.17482;Deleted.;
A0000014.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.KillApp.30208;Deleted.;
A0000015.reg;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.StartPage.1505;Deleted.;
bkd.exe;C:\WINDOWS\system32;Adware.Surfside;Incurable.Moved.;
driverd.exe;C:\WINDOWS\system32;Trojan.Kolweb;Deleted.;
ipv6mons.dll;C:\WINDOWS\system32;Trojan.PWS.Tanspy;Deleted.;
monterreyd_olive.exe;C:\WINDOWS\system32;Trojan.Kolweb;Deleted.;
zore2[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QVMVQX;Trojan.MulDrop.5866;Deleted.;
startdrv.exe;C:\WINDOWS\Temp;BackDoor.Bulknet;Deleted.;


SDFix log

--------

SDFix: Version 1.84

Run by Owner - Tue 05/22/2007 - 9:14:39.54

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
EXAMPLE
NDnet1
TCP and UDP Supp0rt

ImagePath:
"" -e te-110-12-0000271
\??\C:\WINDOWS\System32\main.sys
\??\C:\WINDOWS\System32\ksys.sys
C:\WINDOWS\System32\tccpip.exe /winnt

Client IP-IPX - Deleted
EXAMPLE - Deleted
NDnet1 - Deleted
TCP and UDP Supp0rt - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\PING_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUF7B2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~3.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~4.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~3.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\ALIVE_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\ICONS_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\LW_1_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~3.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~4.DLL - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_4~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_5~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_4~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_5~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_6~1.HTM - Deleted
C:\WINDOWS\system32\winlogon.exe.tmp - Deleted
C:\as.txt - Deleted
C:\WINDOWS\system32\8_exception.nls - Deleted
C:\WINDOWS\system32\lzx32.sys - Deleted
C:\WINDOWS\system32\vexg6ame4.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted


Folder C:\Program Files\Ipwindows - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\WINDOWS\\System32\\vexga3me2.exe"="C:\\WINDOWS\\System32\\vexga3me2.exe:*:Enabled:taskmgr32"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\System32\\qwertybot.exe"="C:\\WINDOWS\\System32\\qwertybot.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe:*:Enabled:qwertybot"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 7.0\aolphx.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\America Online 7.0\COMIT\cswitch.exe
C:\Program Files\America Online 7.0a\aolphx.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\Program Files\America Online 7.0a\RBM.exe
C:\Program Files\America Online 7.0a\waol.exe
C:\Program Files\America Online 7.0a\COMIT\cswitch.exe
C:\Program Files\America Online 7.0b\aolphx.exe
C:\Program Files\America Online 7.0b\aoltray.exe
C:\Program Files\America Online 7.0b\RBM.exe
C:\Program Files\America Online 7.0b\waol.exe
C:\Program Files\America Online 7.0b\COMIT\cswitch.exe
C:\Program Files\Detto\DettoWeb.exe
C:\Program Files\Detto\IntelliMover Demo.exe
C:\WINDOWS\psvyyb.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem44.inf
C:\WINDOWS\LastGood.Tmp\INF\oem44.PNF

Finished

hijackthis

------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:34:49 AM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\hjt_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5462 bytes

combofix

----------
"Owner" - 2007-05-22 9:38:59 Service Pack 1
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\winsysupd51.dat
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Install.dat
C:\WINDOWS\system32\driverb.exe
C:\WINDOWS\system32\driverc.exe
C:\Program Files\jalmp\arpf.cfg
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\DeskAlerts\basis.xml
C:\Program Files\DeskAlerts\cancel_button.gif
C:\Program Files\DeskAlerts\deskbar.crc
C:\Program Files\DeskAlerts\deskbar.inf
C:\Program Files\DeskAlerts\history.html
C:\Program Files\DeskAlerts\hs_delete.bmp
C:\Program Files\DeskAlerts\hs_search.bmp
C:\Program Files\DeskAlerts\icons.bmp
C:\Program Files\DeskAlerts\mbclose.bmp
C:\Program Files\DeskAlerts\mblogo.bmp
C:\Program Files\DeskAlerts\newversion.txt
C:\Program Files\DeskAlerts\notify.wav
C:\Program Files\DeskAlerts\options.html
C:\Program Files\DeskAlerts\save_button.gif
C:\Program Files\DeskAlerts\title_back.gif
C:\Program Files\DeskAlerts\version.txt
C:\Program Files\DeskAlerts\Cache\045b4f7adac10e512896af2a0470f433.xml
C:\Program Files\Common Files\{30477~1\Bar888.dll
C:\Program Files\Common Files\{30477~1\UnInstall.exe
C:\WINDOWS\system32\mm.ini
C:\Program Files\jalmp
C:\WINDOWS\system32\bund1
C:\Program Files\DeskAlerts
C:\Program Files\Common Files\{30477~1
C:\Program Files\Common Files\{C0477~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-22 06:45 <DIR> d-------- C:\DOCUME~1\OWNERY~1.000\DoctorWeb
2007-05-16 04:49 <DIR> d-------- C:\Program Files\RogueRemover
2007-05-15 21:57 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-15 21:56 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-05-15 21:56 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-05-15 21:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-15 21:06 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-05-15 20:49 <DIR> d-------- C:\WINDOWS\pss
2007-05-15 18:42 <DIR> d-------- C:\WINDOWS\EDCD4CE3DE9249A987F9FE09B2FBA16C.TMP
2007-05-15 10:52 <DIR> d-------- C:\Program Files\CCleaner
2007-05-15 09:43 1,622 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-15 08:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 03:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-15 00:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-14 22:28 786,432 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\VERITAS
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Freedom
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.limewire


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 01:32:43 -------- d-----w C:\Program Files\WildTangent
2007-05-16 01:32:16 -------- d-----w C:\Program Files\Viewpoint
2007-05-16 01:30:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 16:12:39 -------- d--h--w C:\Program Files\BHO Plugin
2007-05-15 14:49:05 -------- d-----w C:\Program Files\AWS
2007-05-15 09:47:32 -------- d-----w C:\Program Files\SoftwareOnline
2007-05-15 07:15:09 278 ----a-w C:\WINDOWS\teeyu.dll
2007-05-15 07:11:29 1,456,707 --sh--w C:\WINDOWS\psvyyb.ini2
2007-05-02 15:46:04 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-20 16:13:35 -------- d-----w C:\Program Files\America Online 7.0b
2007-04-12 20:17:22 -------- d-----w C:\Program Files\Common Files\aolshare
2007-04-12 20:17:16 -------- d-----w C:\Program Files\America Online 7.0a
2007-04-12 14:03:15 -------- d-----w C:\Program Files\Online Services
2007-04-12 13:55:52 39,936 ----a-w C:\WINDOWS\system32\ieajsaj.dll
2007-04-12 13:55:51 208 ----a-w C:\WINDOWS\system32\wincrc32ie.dll
2007-04-12 13:52:57 -------- d-----w C:\Program Files\Messenger
2007-04-12 01:14:16 7,342 ----a-w C:\sysxzle.exe
2007-04-10 22:17:18 -------- d-----w C:\Program Files\Common Files\moir
2007-04-04 21:09:25 -------- d-----w C:\DOCUME~1\OWNERY~1.000\APPLIC~1\Aim
2007-04-02 19:38:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-02 15:07:56 -------- d-----w C:\Program Files\Windows NT
2007-04-02 15:07:47 -------- d-----w C:\Program Files\Movie Maker
2007-03-31 18:48:00 25,588 ----a-w C:\WINDOWS\freedom.backup.dat
2007-03-28 13:34:28 96,256 --s-a-w C:\WINDOWS\system32\monterreyc_olive.exe
2007-03-19 12:24:54 96,256 --s-a-w C:\WINDOWS\system32\monterreyb_olive.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 20:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" []
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-10-01 00:39 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-15 03:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
rundll32.exe "C:\WINDOWS\byyvsp.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\moir]
C:\PROGRA~1\COMMON~1\moir\moirm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070522-064407-854
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\

backup-20070522-064407-687
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)

backup-20070522-064407-848
O20 - Winlogon Notify: ligand - ligand.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ligand]
"Asynchronous"=dword:00000000
"Dllname"="ligand.dll"
"Impersonate"=dword:00000000
"Startup"="NotifyStartup"
"Shutdown"="NotifyShutdown"



backup-20070522-064407-805
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)

backup-20070522-064407-724
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]
"DllName"="C:\\WINDOWS\\System32\\a3dxq.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Startup"="Startup"



backup-20070522-064407-645
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll

backup-20070522-064407-919
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab


backup-20070522-064407-949
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab


backup-20070522-064407-685
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy


backup-20070522-064406-621
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy


backup-20070522-064406-950
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')

backup-20070522-064406-942
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)

backup-20070522-064406-426
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271

backup-20070522-064406-689
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

backup-20070522-064406-807
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)

backup-20070522-064406-380
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')

backup-20070522-064406-358
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll

backup-20070522-064406-935
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)

backup-20070522-064406-273
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \

backup-20070522-064406-404
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \

backup-20070522-064406-544
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)

backup-20070522-064406-998
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 09:44:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NNServ]
"ImagePath"="\"C:\Program Files\NewDotNet\nnrun.exe\" \"C:\Program Files\NewDotNet\nncore.dll\" ServiceStart"

Completion time: 2007-05-22 9:48:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-22 09:48

--- E O F ---

#7 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • 20,026 posts

Posted 22 May 2007 - 08:30 AM

Hi,

Can you post your HijackThis log made in normal mode? Because the above log is a HijackThis log made from Safe mode before the removal attempts.

So in normal mode, scan with HijackThis and post the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 cheezebaal

cheezebaal

    Member

  • Full Member
  • 9 posts

Posted 22 May 2007 - 08:39 AM

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:36:18 AM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\hjt_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3609 bytes

#9 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • 20,026 posts

Posted 22 May 2007 - 08:48 AM

As a side note, your system is more badly infected than I thought. The malware you are dealing with has already caused a lot of damage.

Do the next steps in the right order.

* Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

    C:\WINDOWS\system32\tmp.reg
    C:\Program Files\WildTangent
    C:\Program Files\Viewpoint
    C:\Program Files\BHO Plugin
    C:\WINDOWS\teeyu.dll
    C:\WINDOWS\psvyyb.ini2
    C:\WINDOWS\psvyyb.tmp
    C:\WINDOWS\system32\ieajsaj.dll
    C:\WINDOWS\system32\wincrc32ie.dll
    C:\sysxzle.exe
    C:\Program Files\Common Files\moir
    C:\WINDOWS\system32\monterreyc_olive.exe
    C:\WINDOWS\system32\monterreyb_olive.exe
    C:\Qoobox
    C:\SDFix



  • Then click the red Moveit! button below.
  • Close OTMoveIt
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. It will then reboot your computer.
Even if OTMoveIt didn't ask to reboot your computer, reboot anyway, since moved files may still be in use.

Then, after the reboot, open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\tcpip.exe"=-
"C:\\WINDOWS\\System32\\vexga3me2.exe"=-
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"=-
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe"=-
"C:\\WINDOWS\\System32\\qwertybot.exe"=-
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe"=-
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\moir]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Go to start > run and copy and paste next command in the field:

sc delete NNServ

Hit enter.

* Then clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Go to the next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\ws2_32.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Also do the next step... Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legitimate items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply as well.
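The fix.reg above deletes the malware's firewall exceptions one value at a time. As an added example, not from the thread, OTMoveIt, HijackThis or any other tool named here, this Python script parses an AuthorizedApplications export like the one in the SDFix log, flags exceptions that run from a Temp directory, carry a .tmp-style name or match file names the cleanup logs point at, and emits the same REGEDIT4 `"name"=-` deletion syntax. The sample export is copied from the SDFix log in this thread plus one constructed Windows Messenger entry standing in for a legitimate exception that must be kept; the KNOWN_BAD list is an assumption drawn from the thread's own fix.reg.

```python
import re

# One value line of a .reg export: "name"="data". Backslashes and quotes inside
# either half are escaped with a backslash, so the pattern accepts escape pairs.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    """Undo .reg escaping: doubled backslashes and backslash-escaped quotes."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def reg_escape(s):
    """Escape a string for use as a .reg value name."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor', 'REGEDIT4')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            keys[current][reg_unescape(m.group('name'))] = reg_unescape(m.group('data'))
    return keys


def split_rule(data):
    """Split 'path:scope:state:friendly name'; a drive-letter path keeps its own colon."""
    parts = data.split(':')
    if len(parts) > 1 and len(parts[0]) == 1:
        path, rest = parts[0] + ':' + parts[1], parts[2:]
    else:
        path, rest = parts[0], parts[1:]
    rest += [''] * (3 - len(rest))
    return path, rest[0], rest[1], ':'.join(rest[2:])


def suspicion(data, known_bad):
    """Return why an exception looks malware-added, or None if it looks legitimate."""
    path, _scope, _state, _friendly = split_rule(data)
    base = path.rsplit('\\', 1)[-1].lower()
    if '\\temp\\' in path.lower():
        return 'runs from a Temp directory'
    if base.endswith('.tmp') or '.tmp.' in base:
        return 'temp-style file name'
    if base in known_bad:
        return 'file name listed in the cleanup logs'
    return None


def build_removal_reg(export_text, known_bad=frozenset()):
    """Return (REGEDIT4 text, [(key, name, reason)]) deleting every flagged exception."""
    flagged, out = [], ['REGEDIT4', '']
    for key, values in parse_reg_export(export_text).items():
        hits = [(n, suspicion(d, known_bad)) for n, d in values.items()]
        hits = [(n, why) for n, why in hits if why]
        if not hits:
            continue
        out.append('[' + key + ']')
        for name, why in hits:
            out.append('"' + reg_escape(name) + '"=-')  # "name"=- deletes the value on merge
            flagged.append((key, name, why))
        out.append('')
    return '\n'.join(out), flagged


# Export copied from the SDFix log in this thread, plus one constructed Windows
# Messenger entry standing in for a legitimate exception that must survive.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\WINDOWS\\System32\\vexga3me2.exe"="C:\\WINDOWS\\System32\\vexga3me2.exe:*:Enabled:taskmgr32"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\System32\\qwertybot.exe"="C:\\WINDOWS\\System32\\qwertybot.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe:*:Enabled:qwertybot"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"
"""

# Assumed list: file names the thread's fix.reg and scan logs point at. Windows has
# no tcpip.exe (the TCP/IP stack is tcpip.sys), so that name is a reliable tell.
KNOWN_BAD = frozenset({'tcpip.exe', 'vexga3me2.exe', 'qwertybot.exe'})

if __name__ == '__main__':
    text, hits = build_removal_reg(SAMPLE_EXPORT, KNOWN_BAD)
    for key, name, why in hits:
        print(why.ljust(40), name)
    print(text)
```

Review the flagged list before merging the output: the heuristics only catch the patterns seen in this thread, and a legitimate program that happens to run from Temp would be removed with them.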

#10 cheezebaal

cheezebaal

    Member

  • Full Member
  • 9 posts

Posted 22 May 2007 - 09:02 AM

2 errors:
the application or DLL C:\WINDOWS\teeyu.dll is not a valid windows image. please check this against your installation diskette.
Same thing for C:\WINDOWS\system32\wincrc32ie.dll

Others moved; rebooting to follow the next steps.

Edited by cheezebaal, 22 May 2007 - 09:03 AM.


#11 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • 20,026 posts

Posted 22 May 2007 - 09:06 AM

I guess you most probably received that error when you hit the MoveIt button in OTMoveIt. This is because OTMoveIt tries to unregister the DLLs first.

Just proceed with next steps.

#12 cheezebaal

cheezebaal

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 22 May 2007 - 09:28 AM

Queued for the VT scan, 90 minutes.
I'll post the results from that scan and the BlackLight scan as soon as they're finished.
Thanks for the help. ;)

#13 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 22 May 2007 - 09:51 AM

Well, you can already perform the BlackLight scan and post the log; it will only take one minute or so.. ;)

Also, since you were dealing with so many very nasty infections (backdoors, keyloggers collecting all your passwords, mailbots, and a lot of other nasty infections), it would be irresponsible of me not to tell you what state your system is in. Even though we removed the malware, there's an important thing you should know: you can never trust this system anymore.
And, as I already told you, a lot of damage may be present that cannot always be repaired. You may still receive a lot of errors, because the malware caused an unstable system, and even though it's gone, your system will always be unstable, especially with such nasty infections present.
IMHO, if that were my computer, I wouldn't even bother trying to remove it manually, but would perform a format and reinstall immediately. This is not because I'm throwing in the towel, but rather because then I can be sure that the malware is gone, no errors will be present anymore, everything will work again and I can trust my system again... and that's the most important thing, especially with these very nasty infections present.
This is also because the infections you were dealing with infect a lot of other computers as well, so you are actually responsible for this.
Anyway, this is how I would do it, but everyone is different. If people want to deal with such nasty infections manually, then they also have to accept the consequences afterwards. Because you had already removed a lot of malware from this computer before you started a thread here, your first HijackThis log didn't really show what was really present. If I had seen from the first log what you were dealing with, I would have posted the above already.

Also, you said that you 'received' this computer, so are you fixing this for someone else? Or are you the owner now?
If you're not the owner, please make the owner aware of the state this system is in. It's my responsibility to tell you this, because I want to make you aware of the consequences and of what you, or the owner, were dealing with.

Please don't forget to change all passwords afterwards, because they are currently known.

#14 cheezebaal

cheezebaal

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 22 May 2007 - 10:31 AM

It's actually a friend's parents' computer.
When I originally took a look at it, my advice was a format and reinstall.

logs

Complete scanning result of "ws2_32.dll", received in VirusTotal at 05.22.2007, 17:17:35 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.21.1     05.22.2007  no virus found
AntiVir            7.4.0.23        05.22.2007  no virus found
Authentium         4.93.8          05.21.2007  no virus found
Avast              4.7.997.0       05.22.2007  no virus found
AVG                7.5.0.467       05.21.2007  no virus found
BitDefender        7.2             05.22.2007  no virus found
CAT-QuickHeal      9.00            05.22.2007  no virus found
ClamAV             devel-20070416  05.22.2007  no virus found
DrWeb              4.33            05.22.2007  no virus found
eSafe              7.0.15.0        05.21.2007  no virus found
eTrust-Vet         30.7.3652       05.22.2007  no virus found
Ewido              4.0             05.22.2007  no virus found
FileAdvisor        1               05.22.2007  No threat detected
Fortinet           2.85.0.0        05.22.2007  no virus found
F-Prot             4.3.2.48        05.21.2007  no virus found
F-Secure           6.70.13030.0    05.22.2007  no virus found
Ikarus             T3.1.1.8        05.22.2007  no virus found
Kaspersky          4.0.2.24        05.22.2007  no virus found
McAfee             5036            05.22.2007  no virus found
Microsoft          1.2503          05.22.2007  no virus found
NOD32v2            2284            05.22.2007  no virus found
Norman             5.80.02         05.22.2007  no virus found
Panda              9.0.0.4         05.22.2007  no virus found
Prevx1             V2              05.22.2007  no virus found
Sophos             4.17.0          05.21.2007  no virus found
Sunbelt            2.2.907.0       05.17.2007  no virus found
Symantec           10              05.22.2007  no virus found
TheHacker          6.1.6.120       05.21.2007  no virus found
VBA32              3.12.0          05.21.2007  no virus found
VirusBuster        4.3.23:9        05.22.2007  no virus found
Webwasher-Gateway  6.0.1           05.22.2007  no virus found

Additional Information
File size: 75264 bytes
MD5: 8529c295df59b564d37a73b5629162b1
SHA1: 8c7b0f13162ab1f195e5fa3c5fbd214884ac96a3
Bit9 info: http://fileadvisor.b...37a73b5629162b1

No log from BlackLight, shows clean.
0 found

05/22/07 12:26:10 [Info]: BlackLight Engine 1.0.61 initialized
05/22/07 12:26:10 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/22/07 12:26:11 [Note]: 7019 4
05/22/07 12:26:11 [Note]: 7005 0
05/22/07 12:26:55 [Note]: 7006 0
05/22/07 12:26:55 [Note]: 7011 1160
05/22/07 12:26:55 [Note]: 7026 0
05/22/07 12:26:55 [Note]: 7026 0
05/22/07 12:27:06 [Note]: FSRAW library version 1.7.1021
05/22/07 12:30:09 [Note]: 7007 0

Edited by cheezebaal, 22 May 2007 - 11:01 AM.


#15 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 22 May 2007 - 11:02 AM

When I originally took a look at it, my advice was a format and reinstall.

Yes, but if they'd rather not format and reinstall, that's their choice of course :)
Just don't forget to tell them the notes I posted.

The ws2_32.dll is OK; the MD5 hash is OK as well. I guess it was because of the alternate data streams that were injected into the file that it showed as recently modified in the ComboFix log.

How are things now?
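The reasoning in the post above is the standard one for a system file that a log flags as recently modified: the timestamp is not evidence on its own, the file's hashes are, and both MD5 and SHA-1 of this copy are in the VirusTotal report so they can be compared against a trusted reference. The Python below is an added example (mine, not the thread's and not from VirusTotal, ComboFix or any other tool named here). It streams a file through MD5 and SHA-1, compares both digests against reference values, and shows that changing only the modification time leaves the digests unchanged. The file contents and the reference digests used in the demo are constructed; the real reference for ws2_32.dll must come from a trusted copy of the same Windows build. The alternate-data-stream point from the post is NTFS-specific and is not reproduced here; an ADS lives beside the main data stream and is not read by an ordinary open of the file, so it does not enter the digest either.

```python
"""Verify a file's MD5/SHA-1 against trusted reference digests.

Added example, not code from the forum thread or from any tool it uses.
Demonstrates two things a cleaner relies on: (1) a reference digest match
is what clears a system file, not its modification time, and (2) MD5
alone is collision-prone, so when a reference lists several digests the
check should require all of them to match.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024


def stream_digests(stream) -> dict:
    """Return {'md5': ..., 'sha1': ...} for a binary file-like object."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def bytes_digests(data: bytes) -> dict:
    """Digests of an in-memory byte string (used for the constructed samples)."""
    return stream_digests(io.BytesIO(data))


def file_digests(path: str) -> dict:
    """Digests of a file on disk, read in chunks so large files are fine."""
    with open(path, "rb") as f:
        return stream_digests(f)


def verify_against_reference(digests: dict, reference: dict) -> tuple:
    """Require every reference digest to match; return (ok, list_of_mismatched_algos)."""
    mismatches = [
        algo for algo, expected in reference.items()
        if digests.get(algo, "").lower() != expected.lower()
    ]
    return (not mismatches, mismatches)


def mtime_change_keeps_digests() -> bool:
    """Show that touching a file's mtime does not alter its hashes.

    The file name echoes the thread; the contents are constructed sample
    data, not the real DLL.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ws2_32.dll")
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes standing in for a system DLL")
        before = file_digests(path)
        mtime_before = os.stat(path).st_mtime
        # Push the modification time one day into the future, data untouched.
        os.utime(path, (mtime_before + 86400, mtime_before + 86400))
        after = file_digests(path)
        return os.stat(path).st_mtime != mtime_before and before == after


if __name__ == "__main__":
    # Reference digests of the empty file, a value that is publicly known.
    reference = {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    }
    print("empty file matches reference:", verify_against_reference(bytes_digests(b""), reference))
    print("one byte vs reference:", verify_against_reference(bytes_digests(b"x"), reference))
    print("mtime change keeps digests:", mtime_change_keeps_digests())
```

For a real check, call `file_digests(r"C:\WINDOWS\system32\ws2_32.dll")` and pass the result with the trusted reference to `verify_against_reference`; a mismatch on either algorithm means the file is not the one you think it is, and a clean VirusTotal result does not substitute for that comparison.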

#16 cheezebaal

cheezebaal

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 22 May 2007 - 11:12 AM

Slow chip, low on memory, with an onboard graphics chip, so you know how that goes. :gah:
I'm going to reboot and rescan everything. IE is running, so I can update it for them as well.
Thanks for all the help. I'm going to stress it a bit; if all shows clear, then update "winderz".
I'll also be sure to stress the fact that all their passwords MUST change and a format/reinstall should be done ASAP.
Again, thanks for all the help. Forum posting was going fast enough that it was almost a chat room. :lol:

#17 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 22 May 2007 - 11:34 AM

and a format/reinstall should be done ASAP

It may be safer, but since we already cleaned this manually and you're going to update anyway, you are actually losing your time if you recommend that they format and reinstall, since that will erase everything again, so they have to start from scratch :)
So, it's better to discuss this with them: you can leave it up and running as it is now, and in case they have too many problems with it afterwards, then it may be better to format and reinstall. Also, tell them not to do online banking or the like if they decide not to reinstall.

Glad I could help. :)

Let the computer owner read my Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#18 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 22 May 2007 - 11:37 AM

Oops, I almost forgot..

* Open OTMoveIt and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus the backup folders that were created containing the bad files. They are not needed anymore, so OTMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.

#19 cheezebaal

cheezebaal

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 24 May 2007 - 01:38 PM

Resolved.
Thanks for the help.

#20 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 May 2007 - 01:46 PM

You're most welcome. Now keep it that way and don't forget to read my prevention page I posted previously :)

#21 miekiemoes

miekiemoes

    Malware Expert

  • Retired Staff
  • PipPipPipPipPip
  • 20,026 posts

Posted 03 June 2007 - 03:34 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.



