[Resolved] please help


This topic is locked
124 replies to this topic

#1 Joecastle

    Authentic Member
  • 215 posts

Posted 05 October 2007 - 12:21 PM

This laptop has multiple trojans & spyware. These are just some that I remember (Trojan.Small, TrojanDownloader.XS, Smitfraud-C., Win32.VB.ahq). The pop-ups are unbearable. I could not paste the saved AVG report that I ran in safe mode. When I double-click the report a small cmd box opens saying it could not find Notepad. I am currently running SB in safe mode to see if it helps. It took 3 restarts in order to be able to paste this HJT log. The web page would just disappear & I had to relog on every time until I was able to paste this log.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:21 PM, on 10/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\YMANTE~1\wuauboot.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe
C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {07e789d7-1024-4b80-95e0-05c37a019991} - C:\WINDOWS\System32\roehxlk.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {3F21B1EF-5204-4C3E-0984-BAA1997E92DA} - C:\Program Files\Common Files\lavu.dll (file missing)
O2 - BHO: (no name) - {412A8BAA-F626-43A8-A141-9B5459D8680D} - C:\Program Files\MSN Gaming Zone\hokerowo4444.dll
O2 - BHO: (no name) - {42DF7F1B-B0A3-E750-A049-E72B2E948CC5} - C:\WINDOWS\System32\txkl.dll
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {61AA313D-D651-425F-AFCF-3D5A6A66163C} - C:\Program Files\MSN Gaming Zone\hokerowo83122.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {9A91A92D-35B0-3C1C-EC5C-4B761C4E069E} - C:\WINDOWS\System32\glxgulu.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [Sets] "C:\PROGRA~1\YMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

Edited by Joecastle, 05 October 2007 - 01:01 PM.
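As an added example (not part of this thread, and not HijackThis's own code), the Python script below parses the HJT entry layouts that appear in the log above (O2, O3/O9, O4, O20, O23) and flags the lines a helper would normally look at first: components whose file is missing, Run keys that point at a bare file name or at a file under the user profile or TEMP, paths rendered with "?" (non-ASCII characters), and file names that imitate a system binary such as svchost.exe. The rules are the example's own heuristics, not a rule set from the forum or from HijackThis; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) 1.99.x log entries.

Added example, not part of this thread and not HijackThis's own code. It
parses the O2 (BHO), O3/O9, O4 (Run key), O20 and O23 (service) entry
layouts seen in the logs above and flags entries a helper would look at
first. The rules are this example's own; the sample lines are copied
from the logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every entry is "O<n> - <kind>: <rest>", e.g. "O4 - HKLM\..\Run: [x] c:\x.exe"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Directories that legitimately installed software rarely autostarts from
USER_WRITABLE_RE = re.compile(
    r"\\(documents and settings|temp|application data)\\", re.IGNORECASE)
# A drive-rooted path, an %ENVVAR%-rooted path, or a res:/file: URL
ABSOLUTE_RE = re.compile(r"^([a-z]:\\|%\w+%\\|res://|file://)", re.IGNORECASE)
SYSTEM_NAMES = ("svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                "services.exe", "explorer.exe", "smss.exe")

@dataclass
class Finding:
    section: str        # "O2", "O4", ...
    kind: str           # "BHO", "HKLM\..\Run", "Service", ...
    target: str         # file or command the entry points at
    reasons: List[str]

def parse_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an entry into (section, kind, rest); None for header lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None

def executable_of(cmd: str) -> str:
    """Program part of a Run-key command: the quoted path, or up to .exe/.dll."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|dll|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def target_of(section: str, kind: str, rest: str) -> str:
    """Recover the file an entry refers to, per section layout."""
    if section == "O4":
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", rest)        # drop "[name] "
        if kind == "Global Startup" and " = " in cmd:     # "x.lnk = path"
            cmd = cmd.split(" = ", 1)[1]
        return executable_of(cmd.strip())
    # O2/O3/O9/O20/O23: "name - {CLSID} - path" or "name - owner - path"
    return rest.rsplit(" - ", 1)[-1].strip()

def reasons_for(target: str) -> List[str]:
    """Review flags for one entry's target (this example's own heuristics)."""
    reasons = []
    low = target.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("component registered but its file is absent")
    elif not ABSOLUTE_RE.match(low):
        reasons.append("bare name, not an absolute path: resolved through the search path")
    if USER_WRITABLE_RE.search(target):
        reasons.append("runs from a user-profile or temp directory")
    if "?" in target:
        reasons.append("path contains '?' (unprintable or non-ASCII characters)")
    parts = low.rsplit("\\", 1)[-1].split()
    name = parts[0] if parts else ""
    for sysname in SYSTEM_NAMES:
        if name != sysname and sysname in name:
            reasons.append(f"file name imitates system binary {sysname}")
    return reasons

def triage(log_lines) -> List[Finding]:
    """Return the entries worth a closer look, each with its reasons."""
    findings = []
    for line in log_lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue                        # header or process-list line
        section, kind, rest = parsed
        target = target_of(section, kind, rest)
        reasons = reasons_for(target)
        if reasons:
            findings.append(Finding(section, kind, target, reasons))
    return findings

# Sample lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe
O4 - HKLM\..\Run: [QuickTime] C:\WINDOWS\TEMP\kroouhug.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
""".strip().splitlines()
```

Running `triage(SAMPLE_LOG)` flags seven of the ten lines; the QuickTime task, the Adobe Reader shortcut and the KernelFaultCheck entry (an %systemroot%-rooted Windows component) pass clean. The flags are starting points for research, not verdicts: a legitimate driver service with an odd install path can trip the "file missing" rule, as the WUSB54GSC entry in the logs above would.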



#2 jpshortstuff

    Teacher Emeritus
  • 5,710 posts

Posted 05 October 2007 - 01:22 PM

Hi, and Welcome to What The Tech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

I will post back as soon as I can with steps to help get you clean.

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

#3 jpshortstuff

    Teacher Emeritus
  • 5,710 posts

Posted 06 October 2007 - 02:42 PM

Hi Joecastle

You don't appear to have updated your copy of Windows at all, is there any particular reason why you haven't?

You need to upgrade to Windows XP Service Pack 1. Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install Windows XP - Service Pack 1. (NOTE: DO NOT upgrade to Service Pack 2 at this stage.)


Next I'd like you to do an online scan.

Please do an online scan with Kaspersky WebScanner

Follow this link in Internet Explorer (Note: You must use Internet explorer to use Kaspersky): Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    o Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    o Now click on the Save as Text button.
  • Save the file to your desktop.

Now, download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG anti-spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG and update the definition
    files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of
    the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then
    select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. DO NOT run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting
    your computer and continually tapping the F8 key until a menu appears.

    Use your up arrow key to highlight SafeMode then hit enter.

    IMPORTANT: Do not open any other windows or
    programs while AVG is scanning, it may interfere with the scanning process.
  • Launch AVG-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab
    then click on "Complete System Scan".
  • AVG will now begin the scanning process, be patient this may take a little
    time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all
    actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the
    screen and save it to a text file on your system (make sure to remember where
    you saved that file, this is important).
  • Close AVG and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware scan.
In your next reply post:
  • Kaspersky Results
  • AVG logfile
  • A Fresh HijackThis log

Also please describe how your computer is behaving.

Thanks,

jpshortstuff


#4 Joecastle

    Authentic Member
  • 215 posts

Posted 07 October 2007 - 04:12 PM

Hi jpshortstuff, This computer does have SP1 installed on it but does not have SP2. I tried an MS update but it stays stuck on searching for updates for a long time and will do nothing. I cannot do a Kaspersky scan because this virus shuts down the window. I did an AVG scan in safe mode, saved the report, but when trying to open it to paste it here there is a small window that opens saying that MS Windows cannot find NOTEPAD.EXE. Here is what I wrote down that AVG found that is a High Threat: Proxy.Agent.df, Downloader.Agent.dpn, Downloader.Ani.gen, Trojan.Small. Adware.Mediapipe is considered a medium threat, as well as a bunch of cookies.

#5 jpshortstuff

    Teacher Emeritus
  • 5,710 posts

Posted 07 October 2007 - 04:14 PM

Can I see a new HijackThis log please?

Thanks,

jpshortstuff

EDIT: and can you try attaching the report to this thread so I can try reading it on my computer please. Thanks.

Edited by jpshortstuff, 07 October 2007 - 04:18 PM.


#6 Joecastle

    Authentic Member
  • 215 posts

Posted 07 October 2007 - 05:05 PM

Here is an HJT log. I had to save it on my junk drive and use my PC in order to post it here. The laptop now lost its network connection & the AVG report is gone as well.

Logfile of HijackThis v1.99.1
Scan saved at 6:51:12 PM, on 10/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\YMANTE~1\wuauboot.exe
C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe
C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {07e789d7-1024-4b80-95e0-05c37a019991} - C:\WINDOWS\System32\roehxlk.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {3F21B1EF-5204-4C3E-0984-BAA1997E92DA} - C:\Program Files\Common Files\lavu.dll (file missing)
O2 - BHO: (no name) - {412A8BAA-F626-43A8-A141-9B5459D8680D} - C:\Program Files\MSN Gaming Zone\hokerowo4444.dll
O2 - BHO: (no name) - {42DF7F1B-B0A3-E750-A049-E72B2E948CC5} - C:\WINDOWS\System32\txkl.dll
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {61AA313D-D651-425F-AFCF-3D5A6A66163C} - C:\Program Files\MSN Gaming Zone\hokerowo83122.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {9A91A92D-35B0-3C1C-EC5C-4B761C4E069E} - C:\WINDOWS\System32\glxgulu.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe
O4 - HKLM\..\Run: [QuickTime] C:\WINDOWS\TEMP\kroouhug.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [Sets] "C:\PROGRA~1\YMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

I will do another AVG in Safe Mode & try to save it again...

Edited by Joecastle, 07 October 2007 - 05:07 PM.


#7 jpshortstuff

    Teacher Emeritus
  • 5,710 posts

Posted 08 October 2007 - 04:16 PM

Hi Joecastle

Don't worry about the AVG scan. If you've already done another one then great, try to post the report if you can. If not, don't worry, we can tackle this one with other tools.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Thanks,

jpshortstuff


#8 Joecastle

    Authentic Member
  • 215 posts

Posted 08 October 2007 - 04:48 PM

Hello jpshortstuff, I did the VundoFix.exe but it did not find any infected files. I had to download VundoFix.exe from MajorGeeks because for some reason the Atribune website seemed to be down. Here is a new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:14 PM, on 10/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\AOL\1155247693\ee\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\YMANTE~1\wuauboot.exe
C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe
C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {07e789d7-1024-4b80-95e0-05c37a019991} - C:\WINDOWS\System32\roehxlk.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {3F21B1EF-5204-4C3E-0984-BAA1997E92DA} - C:\Program Files\Common Files\lavu.dll (file missing)
O2 - BHO: (no name) - {412A8BAA-F626-43A8-A141-9B5459D8680D} - C:\Program Files\MSN Gaming Zone\hokerowo4444.dll
O2 - BHO: (no name) - {42DF7F1B-B0A3-E750-A049-E72B2E948CC5} - C:\WINDOWS\System32\txkl.dll
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {61AA313D-D651-425F-AFCF-3D5A6A66163C} - C:\Program Files\MSN Gaming Zone\hokerowo83122.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {9A91A92D-35B0-3C1C-EC5C-4B761C4E069E} - C:\WINDOWS\System32\glxgulu.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe
O4 - HKLM\..\Run: [QuickTime] C:\WINDOWS\TEMP\kroouhug.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [Sets] "C:\PROGRA~1\YMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Gtesultq]
"C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe" O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - 
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

#9 Joecastle
Authentic Member, 215 posts

Posted 08 October 2007 - 09:11 PM

jpshortstuff, Here is an AVG report that I loaded to my junk drive. It took almost 3 hours to run...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:26:55 PM 10/8/2007

+ Scan result:

C:\FOUND.013\FILE0015.CHK -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0082951.exe -> Downloader.Agent.dpn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E7C527A7\eaglenew[1].exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9E586DC4-442E-4A1A-8977-1272C213B675}\RP44\A0082950.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E7C527A7\packed_installer_cn[1].exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\koos.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kprof -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\poof -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E7C527A7\2209[1].exe -> Proxy.Xorpix.bt : Cleaned with backup (quarantined).
C:\Documents and Settings\admin\Cookies\admin@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\admin\Cookies\admin@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SLAB89UB\ss4[1].exe -> Trojan.Small.rn : Cleaned with backup (quarantined).

::Report end

#10 jpshortstuff
Teacher Emeritus (Authentic Member), 5,710 posts

Posted 09 October 2007 - 01:14 PM

Hi Joecastle


Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {07e789d7-1024-4b80-95e0-05c37a019991} - C:\WINDOWS\System32\roehxlk.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {3F21B1EF-5204-4C3E-0984-BAA1997E92DA} - C:\Program Files\Common Files\lavu.dll (file missing)
O2 - BHO: (no name) - {412A8BAA-F626-43A8-A141-9B5459D8680D} - C:\Program Files\MSN Gaming Zone\hokerowo4444.dll
O2 - BHO: (no name) - {42DF7F1B-B0A3-E750-A049-E72B2E948CC5} - C:\WINDOWS\System32\txkl.dll
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {61AA313D-D651-425F-AFCF-3D5A6A66163C} - C:\Program Files\MSN Gaming Zone\hokerowo83122.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {9A91A92D-35B0-3C1C-EC5C-4B761C4E069E} - C:\WINDOWS\System32\glxgulu.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [Sets] "C:\PROGRA~1\YMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe


Close all browsers and windows except for HijackThis and click Fix Checked.


Still in HijackThis, click Config, then Misc Tools, and then press the Delete an NT service.. button.
When the dialog box opens, enter:
Microsoft Internet Explorer
and press OK.
Close HijackThis.


It would be a good idea if you print out these instructions or write them down, as you won't have access to the internet.

Next, we need to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
Please Right Click your Start button, and click Explore.
Next, locate and delete the following files and folders (if present):

C:\WINDOWS\System32\_svchost.exe <<FILE
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe <<FILE
C:\Program Files\Ymante... (folder name begins with this. It will have wuauboot.exe in) <<FOLDER
C:\Documents and Settings\admin\My Documents\??crosoft\ <<FOLDER
C:\Program Files\WinAble\ <<FOLDER
C:\Program Files\Insider\ <<FOLDER
C:\Documents and Settings\admin\Application Data\WinTouch\ <<FOLDER
C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe <<FILE
C:\Program Files\ISM2\ <<FOLDER

If any of them aren't there then don't worry, but if you have a problem deleting one of them then please let me know.


Now you can reboot your computer back into normal mode.


Download ComboFix by sUBs from here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Please describe any changes to your computer's performance.

Thanks,

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

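The fix list above is built from structural tells in the HijackThis log rather than from signatures: BHOs whose DLL is already gone, autostarts named after Windows components but pointing at a file that is not the real one (_svchost.exe in System32), executables launched from the user profile or TEMP, paths containing characters HJT prints as "?", a context-menu item with an opaque target, an ActiveX download from a file:// URL, and a Winlogon Notify DLL outside System32. The script below is an added example (my own triage heuristics, not a WhatTheTech or HijackThis tool) that encodes those tells and runs them over a constructed sample made of lines copied from the log Joecastle posted. Verdict names, rule thresholds and the canonical-directory table are my assumptions.

```python
"""Triage a HijackThis v1.99 log with rules modelled on a malware-removal helper's fix list.
Added example; the heuristics are the author's own, not part of HijackThis or this forum."""
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = [
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)',
    r'O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)',
    r'O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll',
    r'O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe',
    r'O4 - HKLM\..\Run: [QuickTime] C:\WINDOWS\TEMP\kroouhug.exe',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"',
    r'O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe',
    r'O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS',
    r'O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe',
    r'O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll',
    r'O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe',
    r'O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe',
]

# Windows binaries malware likes to impersonate, and where the real one lives on XP (assumed C: system drive).
CANONICAL_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}
# Locations a limited user can write to; nothing that belongs in an autostart should normally live here.
WRITABLE = re.compile(r"\\documents and settings\\|\\temp\\|\\temporary internet files\\", re.I)
LINE_RE = re.compile(r"^(O\d+) - ")


def _path_of(kind: str, line: str) -> str:
    """Pull the file path out of an O2/O4/O20/O23 entry (O4 commands may be quoted and carry arguments)."""
    if kind == "O4":
        cmd = line.split("] ", 1)[1] if "] " in line else line.split(": ", 1)[-1]
        m = re.match(r'"?(.*?\.(?:exe|dll|scr|com|cpl))', cmd, re.I)
        return m.group(1) if m else cmd
    return line.rsplit(" - ", 1)[1]


def triage(line: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, reason) for one HJT line, or None when no rule fires."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind = m.group(1)
    if kind == "O8":
        target = line.rsplit(" - ", 1)[1]
        if not target.lower().startswith(("res://", "http://", "https://")):
            return ("suspicious", "context-menu item with an opaque target")
        return None
    if kind == "O16":
        return ("suspicious", "ActiveX download from a local file:// source") if "file://" in line.lower() else None
    if kind not in ("O2", "O4", "O20", "O23"):
        return None
    if "(no file)" in line or "(file missing)" in line:
        return ("orphan", "registered component whose file is gone; safe to fix")
    path = _path_of(kind, line)
    base = ntpath.basename(path).lower()
    real = base.lstrip("_")  # "_svchost.exe" is a lookalike of "svchost.exe"
    if real in CANONICAL_DIR and (base != real or ntpath.dirname(path).lower() != CANONICAL_DIR[real]):
        return ("masquerade", f"{base} impersonates a Windows binary")
    if "?" in path:
        return ("suspicious", "non-ASCII characters in path (HJT prints them as ?)")
    if WRITABLE.search(path):
        return ("review", "autostart from a user-writable location")
    if kind == "O23" and "Unknown owner" in line:
        return ("review", "service with no vendor string")
    return None


def triage_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over a log and return (verdict, reason, line) for each hit, in log order."""
    hits = []
    for raw in lines:
        line = raw.strip()
        verdict = triage(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line))
    return hits


if __name__ == "__main__":
    for verdict, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{verdict:10}] {reason}: {line}")
```

On the sample, ten of the fourteen lines are flagged; the Adobe and QuickTime entries and the AVG service pass. So does the cagacag.dll BHO, which is genuinely malicious: it sits in System32 with a plausible name, so nothing structural gives it away, and only its appearance in both an O2 and an O20 Winlogon Notify entry, plus the ComboFix timestamps, would tip off a human reviewer. The rules shorten the list to look at; they do not replace the judgement a helper applies to it.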



#11 Joecastle
Authentic Member, 215 posts

Posted 09 October 2007 - 06:08 PM

Hello jpshortstuff,

Ok, I did all as instructed and have the reports. The computer seems to log on a little quicker, but I still cannot get online. In the middle of the screen it says,

Warning! Spyware threat has been detected on your PC

Your computer has several fatal errors due to spyware activity. Your IP address is xx.xxx.xxx.xx and via this address an unauthorized access was gained by another computer. It is strongly recommended to install an antispyware software to close all security vulnerabilities.

I have connected the ethernet cable & have no connection. Here are the logs...

Logfile of HijackThis v1.99.1
Scan saved at 7:35:10 PM, on 10/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

ComboFix 07-10-09.3 - admin 2007-10-09 19:15:32.1 - FAT32x86
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.tmp
C:\7.tmp
C:\Documents and Settings\admin\Application Data\WinTouch
C:\Documents and Settings\admin\Application Data\WinTouch\config.cfg.a469ffea160411a532e00ea2c75f97b4
C:\Documents and Settings\admin\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\filter.drv
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx482b.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx484c.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx487c.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx64c.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx66a.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx66b.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\filters\prx70c.dll
C:\Documents and Settings\admin\Local Settings\Application Data\microsoft\internet explorer\prndrv.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ymante~1
C:\Program Files\ymante~1\?ymantec\
C:\Program Files\ymante~1\wuauboot.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\144.exe
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32_exception.nls
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\lhfjncwk.sys
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\explorer.exe
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\f24WtR
C:\WINDOWS\system32\f24WtR\f24WtR2218.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ipv6monr.dll
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\Q2
C:\WINDOWS\system32\Q2\mon33dll.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\Temp\772000.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\Documents and Settings\All Users.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_HFLT_IPF
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\Driver
-------\kprof
-------\poof


((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 18:28 <DIR> d-------- C:\VundoFix Backups
2007-10-07 18:33 <DIR> d--hs---- C:\FOUND.013
2007-10-07 18:26 113,664 --a------ C:\WINDOWS\system32\update285.exe
2007-10-07 18:26 113,664 --a------ C:\WINDOWS\system32\update176.exe
2007-10-07 18:26 20,992 --a------ C:\WINDOWS\system32\update281.exe
2007-10-07 18:25 7,680 --a------ C:\WINDOWS\system32\_svchost.exe
2007-10-07 18:25 7,680 --a------ C:\Documents and Settings\admin\ie_update3r.exe
2007-10-05 19:52 17,664 C:\WINDOWS\system32\drivers\lhfjncwk.dat
2007-10-05 19:52 5,120 C:\WINDOWS\system32\drivers\iiccncfm.dat
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-05 13:07 1 --a------ C:\WINDOWS\system32\rc.dat
2007-10-05 13:07 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-10-05 13:07 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-10-05 13:01 53,248 --a------ C:\WINDOWS\system32\btasv.dll
2007-10-05 13:01 1 --a------ C:\WINDOWS\system32\conf.dat
2007-10-05 12:40 9,728 --a------ C:\Program Files\hlpsrv.exe
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-04 00:06 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-04 00:05 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-10-03 23:08 741,632 --a------ C:\WINDOWS\system32\iljmkkgf.dat
2007-10-03 23:08 118,528 --a------ C:\WINDOWS\system32\jmgqhxtg.dat
2007-10-03 23:08 35,584 --a------ C:\WINDOWS\system32\ngvbwtuz.dat
2007-10-03 23:08 34,560 --a------ C:\WINDOWS\system32\wqsvwyfa.dat
2007-10-02 16:03 35,840 -ra------ C:\WINDOWS\tsitra1000106.exe
2007-09-20 20:40 <DIR> d-------- C:\Program Files\Temporary
2007-09-20 20:37 <DIR> d--hs---- C:\WINDOWS\YWRtaW4
2007-09-20 20:37 <DIR> d-------- C:\WINDOWS\system32\GRB9
2007-09-20 20:37 <DIR> d-------- C:\WINDOWS\system32\DLL2
2007-09-20 20:34 8,717 --a------ C:\WINDOWS\elaah89v.exe
2007-09-20 20:34 6,720 --a------ C:\WINDOWS\system32\syslodr.sys
2007-09-20 19:38 105,591 --a------ C:\WINDOWS\system32\mstlsap.dll
2007-09-20 19:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 19:24 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-09-20 19:24 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 19:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-20 19:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 17:22 94,720 ----a-w C:\WINDOWS\system32\cagacag.dll
2007-10-04 03:50 246 ----a-w C:\Program Files\Common Files\lavu
2007-09-28 02:09 73,728 ----a-w C:\WINDOWS\system32\vahnjqck.dll
2007-09-28 02:09 123,904 ----a-w C:\WINDOWS\system32\mcnrbxba.dll
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\admin\Application Data\MSN6
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\profsy.html
2007-07-25 15:50 412,160 ----a-w C:\WINDOWS\installer.exe
2007-07-15 19:06 202,240 ----a-w C:\WINDOWS\system32\Yamaha 2007 R1.scr
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
2001-08-23 12:00 105591 --a------ C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
2007-10-07 13:22 94720 --a------ c:\windows\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HostManager"="C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 17:58]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
cagacag.dll 2007-10-07 13:22 94720 C:\WINDOWS\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gpejsjbq

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 19:26:25
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 19:30:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 19:30
.
--- E O F ---

#12 jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 11 October 2007 - 10:00 AM

Hi Joecastle

Sorry about the delays :(


Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):

O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll


Close all browsers and windows except for HijackThis and click Fix Checked.
Close HijackThis.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\FOUND.013
C:\WINDOWS\system32\_svchost.exe
C:\Program Files\hlpsrv.exe
C:\WINDOWS\system32\vahnjqck.dll
C:\WINDOWS\system32\mcnrbxba.dll
C:\WINDOWS\system32\iljmkkgf.dat
C:\WINDOWS\system32\jmgqhxtg.dat
C:\WINDOWS\system32\ngvbwtuz.dat
C:\WINDOWS\system32\wqsvwyfa.dat
C:\WINDOWS\elaah89v.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update281.exe
C:\Documents and Settings\admin\ie_update3r.exe
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\conf.dat
C:\Program Files\Common Files\profsy.html

Folder::
C:\VundoFix Backups
C:\WINDOWS\YWRtaW4
C:\WINDOWS\system32\GRB9
C:\WINDOWS\system32\DLL2
C:\WINDOWS\system32\acespy
C:\Program Files\Temporary

Driver::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Thanks,

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#13 Joecastle

    Authentic Member

  • Authentic Member
  • 215 posts

Posted 11 October 2007 - 04:53 PM

Hi jpshortstuff,

Here are the logs...


ComboFix 07-10-09.3 - admin 2007-10-11 18:27:35.2 - FAT32x86
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt

FILE::
C:\Documents and Settings\admin\ie_update3r.exe
C:\FOUND.013
C:\Program Files\Common Files\profsy.html
C:\Program Files\hlpsrv.exe
C:\WINDOWS\elaah89v.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\iljmkkgf.dat
C:\WINDOWS\system32\jmgqhxtg.dat
C:\WINDOWS\system32\mcnrbxba.dll
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\ngvbwtuz.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\vahnjqck.dll
C:\WINDOWS\system32\wqsvwyfa.dat
C:\WINDOWS\tsitra1000106.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\ie_update3r.exe
C:\Program Files\Common Files\profsy.html
C:\Program Files\hlpsrv.exe
C:\Program Files\Temporary
C:\VundoFix Backups
C:\WINDOWS\elaah89v.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\DLL2
C:\WINDOWS\system32\GRB9
C:\WINDOWS\system32\GRB9\wrdll22919.exe
C:\WINDOWS\system32\iljmkkgf.dat
C:\WINDOWS\system32\jmgqhxtg.dat
C:\WINDOWS\system32\mcnrbxba.dll
C:\WINDOWS\system32\ngvbwtuz.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\vahnjqck.dll
C:\WINDOWS\system32\wqsvwyfa.dat
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\YWRtaW4
C:\WINDOWS\system32\cagacag.dll . . . . failed to delete
C:\WINDOWS\system32\drivers\iiccncfm.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\lhfjncwk.dat . . . . failed to delete
C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 18:33 <DIR> d--hs---- C:\FOUND.013
2007-10-05 19:52 17,664 C:\WINDOWS\system32\drivers\lhfjncwk.dat
2007-10-05 19:52 5,120 C:\WINDOWS\system32\drivers\iiccncfm.dat
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-09-20 20:34 6,720 --a------ C:\WINDOWS\system32\syslodr.sys
2007-09-20 19:38 105,591 --a------ C:\WINDOWS\system32\mstlsap.dll
2007-09-20 19:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 19:24 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-09-20 19:24 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 19:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-20 19:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 17:22 94,720 ----a-w C:\WINDOWS\system32\cagacag.dll
2007-10-04 03:50 246 ----a-w C:\Program Files\Common Files\lavu
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\admin\Application Data\MSN6
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-25 15:50 412,160 ----a-w C:\WINDOWS\installer.exe
2007-07-15 19:06 202,240 ----a-w C:\WINDOWS\system32\Yamaha 2007 R1.scr
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
2001-08-23 12:00 105591 --a------ C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
2007-10-07 13:22 94720 --a------ c:\windows\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HostManager"="C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 17:58]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
cagacag.dll 2007-10-07 13:22 94720 C:\WINDOWS\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
helpsvcgpejsjbq

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 18:34:30
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 18:38:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-11 18:38
C:\ComboFix2.txt ... 2007-10-09 19:30
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 6:47:37 PM, on 10/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
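
The second ComboFix run above deletes most of the listed files but reports four as "failed to delete", and the Reg Loading Points section still shows two of them registered as a Browser Helper Object and a Winlogon Notify package. As an added example (not code from the thread, from ComboFix or from either poster), the parser below reads a ComboFix log in that layout, separates deleted files from the ones marked "failed to delete", and cross-references the failures against the load points so the persistence mechanisms that still reference a surviving file are listed next to it. The sample log is constructed from entries in this thread and trimmed; the banner regex, the section names and the path regex are assumptions modelled on the log text shown here, not a ComboFix specification. That a DLL registered as a Winlogon Notify package or BHO is mapped into winlogon.exe or the browser at the time of the delete attempt is one plausible reason for the failure; the log itself does not say why.

```python
"""Added example (not ComboFix code and not from the thread's posts):
parse a ComboFix log and map every file that 'failed to delete' to the
registry load points that still reference it."""
import re
from collections import defaultdict

# Constructed sample in the ComboFix log layout shown in this thread (trimmed).
SAMPLE_LOG = r"""
FILE::
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\conf.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\cagacag.dll . . . . failed to delete
C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
2001-08-23 12:00 105591 --a------ C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
cagacag.dll 2007-10-07 13:22 94720 C:\WINDOWS\system32\cagacag.dll

.
**************************************************************************
"""

# Section banner: a run of '(' , the section name, a run of ')'.
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# A Windows path: drive letter and colon, then everything up to a closing
# quote, the " [timestamp]" suffix ComboFix appends to Run values, or end of line.
WIN_PATH = re.compile(r'([A-Za-z]:\\.*?)(?="| \[|$)')
FAILED = " . . . . failed to delete"


def split_sections(log):
    """Group non-empty lines under the banner that precedes them ('' = preamble)."""
    sections = defaultdict(list)
    current = ""
    for line in log.splitlines():
        stripped = line.strip()
        m = BANNER.match(stripped)
        if m:
            current = m.group(1)
            continue
        if stripped and stripped != ".":
            sections[current].append(line.rstrip())
    return sections


def parse_deletions(lines):
    """Return (deleted, failed) as sets of lower-cased paths."""
    deleted, failed = set(), set()
    for line in lines:
        if line.endswith(FAILED):
            failed.add(line[: -len(FAILED)].strip().lower())
        else:
            deleted.add(line.strip().lower())
    return deleted, failed


def parse_load_points(lines):
    """Yield (registry key, lower-cased path) for every path-bearing line."""
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue  # the *Note* line and anything before the first key
        m = WIN_PATH.search(line)
        if m:
            yield key, m.group(1).strip().lower()


def analyze(log):
    """Map each file ComboFix could not delete to the keys still loading it."""
    sections = split_sections(log)
    deleted, failed = parse_deletions(sections.get("Other Deletions", []))
    still_referenced = defaultdict(list)
    for key, path in parse_load_points(sections.get("Reg Loading Points", [])):
        if path in failed:
            still_referenced[path].append(key)
    return {"deleted": deleted, "failed": failed,
            "still_referenced": dict(still_referenced)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for path, keys in result["still_referenced"].items():
        print(path)
        for k in keys:
            print("    still loaded from", k)
```

Run against the full log text instead of SAMPLE_LOG to get the same cross-reference for all four failures; drivers listed in the Driver:: section have no Reg Loading Points entry in this format, so they will show as failed but unreferenced, which is the cue to remove the service with a Driver:: directive as post #14 does.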

#14 jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 12 October 2007 - 02:41 PM

Hi Joecastle

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\mstlsap.dll

Folder::
C:\FOUND.013

Driver::
iiccncfm
lhfjncwk

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs\helpsvcgpejsjbq]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=-

3. Save the above as CFScript.txt

It would be a good idea if you print out these instructions or write them down, as you won't have access to the internet.

4. Next, we need to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
Once in safe mode:

5. Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll


Close all browsers and windows except for HijackThis and click Fix Checked.

6. Drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Thanks,

jpshortstuff


#15 Joecastle

    Authentic Member

  • Authentic Member
  • 215 posts

Posted 12 October 2007 - 06:28 PM

Hi jpshortstuff,

Every time I run the ComboFix, in the middle of its process a window pops up with the said file sed.cfexe at the top, and at the bottom of it it says sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience. I always click Don't Send. I think it is probably why these files are not going away?

ComboFix 07-10-09.3 - admin 2007-10-12 20:13:51.3 - FAT32x86 MINIMAL
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript_used_2007-10-11@18.27.txt

FILE::
C:\Documents and Settings\admin\ie_update3r.exe
C:\FOUND.013
C:\Program Files\Common Files\profsy.html
C:\Program Files\hlpsrv.exe
C:\WINDOWS\elaah89v.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\iljmkkgf.dat
C:\WINDOWS\system32\jmgqhxtg.dat
C:\WINDOWS\system32\mcnrbxba.dll
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\ngvbwtuz.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\vahnjqck.dll
C:\WINDOWS\system32\wqsvwyfa.dat
C:\WINDOWS\tsitra1000106.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cagacag.dll . . . . failed to delete
C:\WINDOWS\system32\drivers\iiccncfm.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\lhfjncwk.dat . . . . failed to delete
C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 18:33 <DIR> d--hs---- C:\FOUND.013
2007-10-05 19:52 17,664 C:\WINDOWS\system32\drivers\lhfjncwk.dat
2007-10-05 19:52 5,120 C:\WINDOWS\system32\drivers\iiccncfm.dat
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-09-20 20:34 6,720 --a------ C:\WINDOWS\system32\syslodr.sys
2007-09-20 19:38 105,591 --a------ C:\WINDOWS\system32\mstlsap.dll
2007-09-20 19:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 19:24 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-09-20 19:24 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 19:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-20 19:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 17:22 94,720 ----a-w C:\WINDOWS\system32\cagacag.dll
2007-10-04 03:50 246 ----a-w C:\Program Files\Common Files\lavu
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\admin\Application Data\MSN6
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-25 15:50 412,160 ----a-w C:\WINDOWS\installer.exe
2007-07-15 19:06 202,240 ----a-w C:\WINDOWS\system32\Yamaha 2007 R1.scr
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
2001-08-23 12:00 105591 --a------ C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
2007-10-07 13:22 94720 --a------ c:\windows\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"HostManager"="C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe" [2006-09-25 20:52]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 17:58]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bsfrzvci]
cagacag.dll 2007-10-07 13:22 94720 C:\WINDOWS\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
helpsvcgpejsjbq

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 20:18:06
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 20:21:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-12 20:21
C:\ComboFix3.txt ... 2007-10-09 19:30
C:\ComboFix2.txt ... 2007-10-11 18:38
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:23:55 PM, on 10/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)

Edited by Joecastle, 12 October 2007 - 07:05 PM.
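
The entries in the log above (an unnamed BHO in System32, a Winlogon Notify subkey with a machine-looking name, an AppInit_DLLs entry, a service whose file is missing, and one DLL registered under two load mechanisms) are the kind a helper triages by hand. As an added example that is not part of this thread, of HijackThis or of ComboFix, the Python below applies those checks to lines copied from the posted HijackThis log. The name-randomness thresholds, the finding texts and the `Finding` type are this example's own choices; the same name test also flags the `helpsvcgpejsjbq` NetSvcs entry from the ComboFix section.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
"""

# HijackThis line shapes for the sections this example looks at.
ENTRY = re.compile(r"^(O\d+) - (.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
APPINIT = re.compile(r"^AppInit_DLLs:\s*(?P<path>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as 'bsfrzvci' or 'helpsvcgpejsjbq':
    flag when the longest consonant run is 5+ letters or fewer than a fifth
    of the letters are vowels. Thresholds are this example's own (assumed)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return longest >= 5 or vowel_ratio < 0.2


def file_name(path: str) -> str:
    """Last path component, lower-cased: 'C:\\WINDOWS\\SYSTEM32\\cagacag.dll' -> 'cagacag.dll'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


@dataclass(frozen=True)
class Finding:
    subject: str  # file name, registry key or service the finding is about
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Run the per-entry checks, then the cross-entry check (same file under two loaders)."""
    findings: List[Finding] = []
    loaders = defaultdict(set)  # file name -> HJT mechanisms that load it
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":
            b = BHO.match(rest)
            if b:
                fname = file_name(b["path"])
                loaders[fname].add("O2 BHO")
                # Legitimate BHOs normally carry a name and live under Program Files.
                if b["name"] == "(no name)" and in_system_dir(b["path"]):
                    findings.append(Finding(fname, "unnamed BHO loaded from the Windows system directory"))
                if looks_random(fname.split(".")[0]):
                    findings.append(Finding(fname, "BHO file name looks machine-generated"))
        elif section == "O20":
            n = NOTIFY.match(rest)
            a = APPINIT.match(rest)
            if n:
                fname = file_name(n["path"])
                loaders[fname].add("O20 Winlogon Notify")
                # Real Notify DLLs also sit in System32, so judge the subkey name, not the path.
                if looks_random(n["key"]):
                    findings.append(Finding(n["key"], "Winlogon Notify subkey name looks machine-generated"))
            elif a:
                fname = file_name(a["path"])
                loaders[fname].add("O20 AppInit_DLLs")
                findings.append(Finding(fname, "AppInit_DLLs entry loads into every process using user32.dll; verify the publisher"))
        elif section == "O23":
            s = SERVICE.match(rest)
            if s and "(file missing)" in s["path"]:
                findings.append(Finding(s["name"], "service points at a missing file; orphaned entry"))
    for fname, sections in loaders.items():
        if len(sections) > 1:
            findings.append(Finding(fname, "loaded through multiple mechanisms: " + ", ".join(sorted(sections))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.subject}: {f.reason}")
```

Run against the posted lines, the script singles out mstlsap.dll, cagacag.dll (on both counts: unnamed System32 BHO and the same file also hooked as a Winlogon Notify DLL under the subkey bsfrzvci), the Google AppInit_DLLs entry for publisher review, and the orphaned WUSB54GSCSVC service, while the Adobe, Spybot and AVG entries produce nothing. It is a screening aid, not a verdict: anything flagged still needs the helper's judgement and a file lookup before removal.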
