
Spyware/adware :(


  • This topic is locked
15 replies to this topic

#1 Rahmi

    New Member

  • 8 posts

Posted 22 April 2007 - 05:27 AM

I'm getting a pop-up every time I browse through a website. I have had the problem for a month or two, and the problem just keeps getting worse.

Here are some of the websites I keep getting directed to:

http://login.revenue...sw/5245/CD1753/
http://www.pokerstars.com/sites/13/
http://puzzle-games....opUp_PoppitSite
http://pcturbopro.co...level_uk_en_ed2
http://www.888.com/
http://www.hollywood...OTC-gen0407adon
http://www.movietick...C-gen0407adonmt
http://www.ukprizedr...t.aspx?campid=7
http://www.ukprizedr....aspx?campid=12

And here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:21, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ekrviabr.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe



#2 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 06:53 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis folder. Find the file HijackThis.exe, right-click on the file and select Rename. Rename HijackThis.exe to Spyware.exe.

Post a new HijackThis Log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#3 Rahmi

    New Member

  • 8 posts

Posted 22 April 2007 - 07:43 AM

Hi, thanks for the fast reply. I was a little unclear on the instruction: Clear "Hide protected operating system files." I presumed you meant uncheck the box, which I had done, and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 14:39:40, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfaouotl.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} - C:\WINDOWS\system32\gpwbedkt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D0BF7794-EB96-4710-8B8C-31265196B4CF} - C:\WINDOWS\system32\geedb.dll
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ekrviabr.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

#4 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 08:03 AM

* Download VirtumundoBegone, place it on your desktop.

Double-click VirtumundoBeGone.exe to start the tool.
Follow the instructions on the screen.
Don't worry if you get a blue screen with an error in it; this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfaouotl.dll
O2 - BHO: (no name) - {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} - C:\WINDOWS\system32\gpwbedkt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D0BF7794-EB96-4710-8B8C-31265196B4CF} - C:\WINDOWS\system32\geedb.dll
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete these files if listed:
C:\WINDOWS\system32\wfaouotl.dll
C:\WINDOWS\system32\gpwbedkt.dll
C:\WINDOWS\system32\geedb.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\geedb. <--All files with this name like .ini, .bak
C:\WINDOWS\system32\wfaouotl. <--All files with this name like .ini, .bak
C:\WINDOWS\system32\gpwbedkt. <--All files with this name like .ini, .bak

Delete this Folder if listed:
C:\Program Files\Ipwindows

Empty Recycle Bin

Reboot

Post the contents of the log VBG.TXT, which is present on your desktop, together with a new HijackThis log in your next reply.



#5 Rahmi

    New Member

  • 8 posts

Posted 22 April 2007 - 08:34 AM

I ran VirtumundoBegone; it crashed my computer, causing me to switch the power off. I'm unsure if this is normal, but here are the new logs.

VBG log:

[04/22/2007, 15:05:57] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:06:06] - Detected System Information:
[04/22/2007, 15:06:06] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 15:06:06] - Current Username: Rahmi (Admin)
[04/22/2007, 15:06:06] - Windows is in NORMAL mode.
[04/22/2007, 15:06:06] - Searching for Browser Helper Objects:
[04/22/2007, 15:06:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:06:06] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:06:06] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:06:06] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:06:06] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:06:06] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - BHO 7: {D0BF7794-EB96-4710-8B8C-31265196B4CF} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\geedb
[04/22/2007, 15:06:06] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[04/22/2007, 15:06:06] - Assigning {D0BF7794-EB96-4710-8B8C-31265196B4CF} MSEvents Object
[04/22/2007, 15:06:06] - BHO list has been changed! Starting over...
[04/22/2007, 15:06:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:06:06] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:06:06] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:06:06] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:06:06] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:06:06] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - BHO 7: {D0BF7794-EB96-4710-8B8C-31265196B4CF} (MSEvents Object)
[04/22/2007, 15:06:06] - ALERT: Found MSEvents Object!
[04/22/2007, 15:06:06] - BHO 8: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - Finished Searching Browser Helper Objects
[04/22/2007, 15:06:06] - *** Detected MSEvents Object
[04/22/2007, 15:06:06] - Trying to remove MSEvents Object...
[04/22/2007, 15:06:07] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 15:06:07] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 15:06:07] - Disabling Automatic Shell Restart
[04/22/2007, 15:06:07] - Terminating Process: EXPLORER.EXE
[04/22/2007, 15:06:08] - Suspending the NT Session Manager System Service
[04/22/2007, 15:06:08] - Terminating Windows NT Logon/Logoff Manager

[04/22/2007, 15:13:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:13:07] - User choose NOT to continue. Exiting...

[04/22/2007, 15:13:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:13:47] - Detected System Information:
[04/22/2007, 15:13:47] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 15:13:47] - Current Username: Rahmi (Admin)
[04/22/2007, 15:13:47] - Windows is in NORMAL mode.
[04/22/2007, 15:13:47] - Searching for Browser Helper Objects:
[04/22/2007, 15:13:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:13:47] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:13:47] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:13:47] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:13:47] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:13:47] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 7: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 8: {F90BA696-90A9-448B-A25C-B8D49C23971A} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\geedb
[04/22/2007, 15:13:47] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[04/22/2007, 15:13:47] - Assigning {F90BA696-90A9-448B-A25C-B8D49C23971A} MSEvents Object
[04/22/2007, 15:13:47] - BHO list has been changed! Starting over...
[04/22/2007, 15:13:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:13:47] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:13:47] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:13:47] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:13:47] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:13:47] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 7: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 8: {F90BA696-90A9-448B-A25C-B8D49C23971A} (MSEvents Object)
[04/22/2007, 15:13:47] - ALERT: Found MSEvents Object!
[04/22/2007, 15:13:47] - Finished Searching Browser Helper Objects
[04/22/2007, 15:13:47] - *** Detected MSEvents Object
[04/22/2007, 15:13:47] - Trying to remove MSEvents Object...
[04/22/2007, 15:13:48] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 15:13:49] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 15:13:49] - Disabling Automatic Shell Restart
[04/22/2007, 15:13:49] - Terminating Process: EXPLORER.EXE
[04/22/2007, 15:13:49] - Suspending the NT Session Manager System Service
[04/22/2007, 15:13:49] - Terminating Windows NT Logon/Logoff Manager


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:32:51, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ekrviabr.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 08:38 AM

Open the HijackThis folder. Find the file HijackThis.exe, right-click on it and select Rename. Rename HijackThis.exe to Spyware.exe.

Post a new HijackThis Log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Rahmi

Rahmi

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 22 April 2007 - 08:38 AM

Logfile of HijackThis v1.99.1
Scan saved at 15:38:25, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfaouotl.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} - C:\WINDOWS\system32\gpwbedkt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {766C28A5-2072-48FF-8FD7-62929BA43CF0} - C:\WINDOWS\system32\geedb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ekrviabr.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 08:49 AM

Some of the bad guys are still there:


It can appear to crash your system, but that's just the malware. Sometimes you have to manually power off, then back on.

Double-click VirtumundoBeGone.exe to start the tool.
Follow the instructions on the screen.
Don't worry if you get a blue screen with an error in it; this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\wfaouotl.dll (file missing)
O2 - BHO: (no name) - {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} - C:\WINDOWS\system32\gpwbedkt.dll
O2 - BHO: (no name) - {766C28A5-2072-48FF-8FD7-62929BA43CF0} - C:\WINDOWS\system32\geedb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete these files if listed:
C:\WINDOWS\system32\gpwbedkt. <--All files with this name
C:\WINDOWS\system32\geedb. <--All files with this name


Empty Recycle Bin

Reboot

Post the contents of the log VBG.TXT, which is present on your desktop, together with a new HijackThis log in your next reply.

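A worked example added here by the editor; it is not part of the original thread and is not code from HijackThis. It is a small Python triage pass over a HijackThis 1.99-format log that flags the kinds of entries LDTate picked out above: O2 BHOs with no friendly name or no file, an O4 rundll32 autorun that loads a random-named system32 DLL (the SoundService/ekrviabr.dll pattern), and an O20 Winlogon Notify package that is not a stock one (geedb). The sample log lines are constructed in the same format with made-up CLSIDs and DLL names; the Winlogon Notify allow-list and the "5 to 8 lowercase letters" rule are assumptions for illustration, not a reference.

```python
"""Triage a HijackThis 1.99-format log for Vundo/Virtumundo-style entries.

These are heuristics for a first pass, not verdicts. Flagged:
  O2  BHOs with no friendly name or no file on disk
  O4  Run entries that use rundll32 to load a random-looking system32 DLL
  O20 Winlogon Notify packages outside a small allow-list (a Notify DLL is
      loaded into winlogon.exe, which is why deleting it fails with
      "Access is denied" while Windows is running)
"""
import re
from typing import Dict, List

# Illustrative allow-list of Winlogon Notify packages on a stock XP SP2
# machine (an assumption for this example, not an exhaustive reference).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SYS32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]+)\.dll\b", re.IGNORECASE)


def looks_random(path: str) -> bool:
    """True for a system32 DLL whose stem is 5-8 lowercase letters and no
    digits, the naming pattern of the dropped components in this thread
    (geedb.dll, gpwbedkt.dll, ekrviabr.dll). Heuristic only."""
    m = SYS32_DLL_RE.search(path)
    if not m:
        return False
    stem = m.group(1)
    return stem.islower() and 5 <= len(stem) <= 8


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                reasons.append("BHO with no friendly name or no file on disk")
            if looks_random(m["path"]):
                reasons.append("random-looking DLL name in system32")
            if reasons:
                findings.append({"section": "O2", "item": m["clsid"],
                                 "path": m["path"], "why": "; ".join(reasons)})
            continue
        m = O4_RE.match(line)
        if m and "rundll32" in m["cmd"].lower() and looks_random(m["cmd"]):
            findings.append({"section": "O4", "item": m["label"], "path": m["cmd"],
                             "why": "rundll32 autorun loading a random-looking system32 DLL"})
            continue
        m = O20_RE.match(line)
        if m and m["key"] not in KNOWN_NOTIFY:
            findings.append({"section": "O20", "item": m["key"], "path": m["path"],
                             "why": "Winlogon Notify package outside the allow-list; "
                                    "loaded by winlogon.exe, so it cannot be deleted "
                                    "while Windows is up"})
    return findings


# Constructed sample in HijackThis format (made-up CLSIDs and DLL names;
# the Adobe, AVG and ctfmon lines mirror benign entries from the logs above).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\qwertzui.dll
O2 - BHO: 0 - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\abcdefgh.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: abcde - C:\WINDOWS\system32\abcde.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['item']:<40} {f['why']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the O20 finding is the one that explains the "Access is denied" the user hits later in this thread, since a Notify DLL is mapped into winlogon.exe for the life of the session.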

 


#9 Rahmi

Rahmi

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 22 April 2007 - 09:25 AM

I'm having trouble deleting the file C:\WINDOWS\system32\gpwbedkt.dll; I get the error message: Cannot delete gpwbedkt: Access is denied.

but here are the logs:

VBG log:


[04/22/2007, 15:05:57] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:06:06] - Detected System Information:
[04/22/2007, 15:06:06] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 15:06:06] - Current Username: Rahmi (Admin)
[04/22/2007, 15:06:06] - Windows is in NORMAL mode.
[04/22/2007, 15:06:06] - Searching for Browser Helper Objects:
[04/22/2007, 15:06:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:06:06] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:06:06] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:06:06] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:06:06] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:06:06] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - BHO 7: {D0BF7794-EB96-4710-8B8C-31265196B4CF} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\geedb
[04/22/2007, 15:06:06] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[04/22/2007, 15:06:06] - Assigning {D0BF7794-EB96-4710-8B8C-31265196B4CF} MSEvents Object
[04/22/2007, 15:06:06] - BHO list has been changed! Starting over...
[04/22/2007, 15:06:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:06:06] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:06:06] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:06:06] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:06:06] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:06:06] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:06:06] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - BHO 7: {D0BF7794-EB96-4710-8B8C-31265196B4CF} (MSEvents Object)
[04/22/2007, 15:06:06] - ALERT: Found MSEvents Object!
[04/22/2007, 15:06:06] - BHO 8: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:06:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:06:06] - No filename found. Continuing.
[04/22/2007, 15:06:06] - Finished Searching Browser Helper Objects
[04/22/2007, 15:06:06] - *** Detected MSEvents Object
[04/22/2007, 15:06:06] - Trying to remove MSEvents Object...
[04/22/2007, 15:06:07] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 15:06:07] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 15:06:07] - Disabling Automatic Shell Restart
[04/22/2007, 15:06:07] - Terminating Process: EXPLORER.EXE
[04/22/2007, 15:06:08] - Suspending the NT Session Manager System Service
[04/22/2007, 15:06:08] - Terminating Windows NT Logon/Logoff Manager

[04/22/2007, 15:13:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:13:07] - User choose NOT to continue. Exiting...

[04/22/2007, 15:13:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 15:13:47] - Detected System Information:
[04/22/2007, 15:13:47] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 15:13:47] - Current Username: Rahmi (Admin)
[04/22/2007, 15:13:47] - Windows is in NORMAL mode.
[04/22/2007, 15:13:47] - Searching for Browser Helper Objects:
[04/22/2007, 15:13:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:13:47] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:13:47] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:13:47] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:13:47] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:13:47] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 7: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 8: {F90BA696-90A9-448B-A25C-B8D49C23971A} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\geedb
[04/22/2007, 15:13:47] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[04/22/2007, 15:13:47] - Assigning {F90BA696-90A9-448B-A25C-B8D49C23971A} MSEvents Object
[04/22/2007, 15:13:47] - BHO list has been changed! Starting over...
[04/22/2007, 15:13:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 15:13:47] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 15:13:47] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 15:13:47] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 15:13:47] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 15:13:47] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 15:13:47] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 7: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 15:13:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 15:13:47] - No filename found. Continuing.
[04/22/2007, 15:13:47] - BHO 8: {F90BA696-90A9-448B-A25C-B8D49C23971A} (MSEvents Object)
[04/22/2007, 15:13:47] - ALERT: Found MSEvents Object!
[04/22/2007, 15:13:47] - Finished Searching Browser Helper Objects
[04/22/2007, 15:13:47] - *** Detected MSEvents Object
[04/22/2007, 15:13:47] - Trying to remove MSEvents Object...
[04/22/2007, 15:13:48] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 15:13:49] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 15:13:49] - Disabling Automatic Shell Restart
[04/22/2007, 15:13:49] - Terminating Process: EXPLORER.EXE
[04/22/2007, 15:13:49] - Suspending the NT Session Manager System Service
[04/22/2007, 15:13:49] - Terminating Windows NT Logon/Logoff Manager

[04/22/2007, 16:05:26] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rahmi\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 16:05:39] - Detected System Information:
[04/22/2007, 16:05:40] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 16:05:40] - Current Username: Rahmi (Admin)
[04/22/2007, 16:05:40] - Windows is in NORMAL mode.
[04/22/2007, 16:05:40] - Searching for Browser Helper Objects:
[04/22/2007, 16:05:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 16:05:40] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 16:05:40] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 16:05:40] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 16:05:40] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 16:05:40] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 16:05:40] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 16:05:40] - BHO 6: {766C28A5-2072-48FF-8FD7-62929BA43CF0} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - Checking for HKLM\...\Winlogon\Notify\geedb
[04/22/2007, 16:05:40] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[04/22/2007, 16:05:40] - Assigning {766C28A5-2072-48FF-8FD7-62929BA43CF0} MSEvents Object
[04/22/2007, 16:05:40] - BHO list has been changed! Starting over...
[04/22/2007, 16:05:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 16:05:40] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - Checking for HKLM\...\Winlogon\Notify\wfaouotl
[04/22/2007, 16:05:40] - Key not found: HKLM\...\Winlogon\Notify\wfaouotl, continuing.
[04/22/2007, 16:05:40] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[04/22/2007, 16:05:40] - BHO 4: {51AA3670-16E9-4A1C-96FF-A3FB1DA2B130} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - Checking for HKLM\...\Winlogon\Notify\gpwbedkt
[04/22/2007, 16:05:40] - Key not found: HKLM\...\Winlogon\Notify\gpwbedkt, continuing.
[04/22/2007, 16:05:40] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 16:05:40] - BHO 6: {766C28A5-2072-48FF-8FD7-62929BA43CF0} (MSEvents Object)
[04/22/2007, 16:05:40] - ALERT: Found MSEvents Object!
[04/22/2007, 16:05:40] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - No filename found. Continuing.
[04/22/2007, 16:05:40] - BHO 8: {E7046B1B-6BB7-4830-92AC-3074F808F9DB} ()
[04/22/2007, 16:05:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 16:05:40] - No filename found. Continuing.
[04/22/2007, 16:05:40] - Finished Searching Browser Helper Objects
[04/22/2007, 16:05:40] - *** Detected MSEvents Object
[04/22/2007, 16:05:40] - Trying to remove MSEvents Object...
[04/22/2007, 16:05:41] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 16:05:41] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 16:05:41] - Disabling Automatic Shell Restart
[04/22/2007, 16:05:41] - Terminating Process: EXPLORER.EXE
[04/22/2007, 16:05:41] - Suspending the NT Session Manager System Service
[04/22/2007, 16:05:41] - Terminating Windows NT Logon/Logoff Manager

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 16:22:06, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\pguitrql.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {37A3C801-E58F-4393-ADFF-F404C0F98C61} - C:\WINDOWS\system32\geedb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ekrviabr.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Edited by Rahmi, 22 April 2007 - 09:26 AM.


#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 09:28 AM

That bad boy doesn't want to die. Let's find what's keeping it alive :thumbup:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

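An added example from the editor, not code from the thread, ComboFix or VirtumundoBeGone, showing what "keeping it alive" looks like in the logs posted so far. Across the VBG runs and HijackThis logs above, geedb.dll is registered as a BHO under a different CLSID each time ({766C28A5...}, {D0BF7794...}, {F90BA696...}, {37A3C801...}), while the CLSID {1557B435...} first pointed at wfaouotl.dll and later at pguitrql.dll; and the ComboFix listing in the next reply shows companion files whose names are the DLL name spelled backwards (geedb.dll and bdeeg.ini, ekrviabr.dll and rbaivrke.ini, awtqn.dll and nqtwa.ini, awvts.dll and stvwa.ini). The functions below pull those two signals out of log text. The sample runs and file list are constructed, with made-up CLSIDs and file names.

```python
"""Two signals in the logs of this thread that show why the infection
survives each pass: (1) the same dropped DLL re-registers as a BHO under a
fresh CLSID on every run (and one CLSID can also switch to a renamed DLL),
and (2) each dropped DLL keeps companion files whose stem is its own name
spelled backwards, so the .ini/.bak files are easy to miss by name alone.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# "{CLSID} ... \basename.dll" on a HijackThis O2 line; tolerant of 8.3
# short names and of a trailing "(file missing)".
CLSID_DLL_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}).*?\\([^\\\s]+\.dll)", re.IGNORECASE)


def _observations(runs: Dict[str, str]) -> Iterator[Tuple[str, str]]:
    """Yield (CLSID, dll basename) for every O2 BHO line, in run order."""
    for text in runs.values():
        for line in text.splitlines():
            if line.startswith("O2 - BHO:"):
                m = CLSID_DLL_RE.search(line)
                if m:
                    yield m.group(1).upper(), m.group(2).lower()


def _multi(pairs: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group key -> ordered unique values, keeping only keys with >1 value."""
    groups: Dict[str, List[str]] = {}
    for key, value in pairs:
        values = groups.setdefault(key, [])
        if value not in values:
            values.append(value)
    return {k: v for k, v in groups.items() if len(v) > 1}


def dlls_with_rotating_clsids(runs: Dict[str, str]) -> Dict[str, List[str]]:
    """DLLs that were registered under more than one CLSID across the runs."""
    return _multi((dll, clsid) for clsid, dll in _observations(runs))


def clsids_with_rotating_dlls(runs: Dict[str, str]) -> Dict[str, List[str]]:
    """CLSIDs that pointed at more than one DLL over time."""
    return _multi(_observations(runs))


def reversed_pairs(paths: List[str]) -> List[Tuple[List[str], List[str]]]:
    """Pair files whose stem is the exact reverse of another file's stem."""
    by_stem: Dict[str, List[str]] = {}
    for p in paths:
        base = p.rsplit("\\", 1)[-1]
        stem = base.split(".", 1)[0].lower()
        by_stem.setdefault(stem, []).append(base)
    pairs = []
    for stem, names in by_stem.items():
        rev = stem[::-1]
        if rev in by_stem and stem < rev:  # report each pair once; skips palindromes
            pairs.append((sorted(names), sorted(by_stem[rev])))
    return pairs


# Constructed sample logs from two successive scans (made-up CLSIDs/names;
# the Adobe line mirrors a benign entry from the real logs).
SAMPLE_RUNS = {
    "hjt run 1": r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\zzzzz.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\yyyyyyyy.dll (file missing)
""",
    "hjt run 2": r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\zzzzz.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\xxxxxxxx.dll
O20 - Winlogon Notify: zzzzz - C:\WINDOWS\system32\zzzzz.dll
""",
}

# Constructed file list in the style of a ComboFix deletion listing.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\abcde.dll",
    r"C:\WINDOWS\system32\edcba.ini",
    r"C:\WINDOWS\system32\edcba.bak1",
    r"C:\WINDOWS\system32\qwertzui.dll",
    r"C:\WINDOWS\system32\iuztrewq.ini",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    print("DLLs under rotating CLSIDs:", dlls_with_rotating_clsids(SAMPLE_RUNS))
    print("CLSIDs switching DLLs:    ", clsids_with_rotating_dlls(SAMPLE_RUNS))
    print("reversed-name companions: ", reversed_pairs(SAMPLE_FILES))
```

The practical use is the cleanup list: every DLL that shows up under a rotating CLSID, plus every file whose stem is that name reversed, goes on the same delete list, which is what LDTate's "all files with this name" instruction above is getting at.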

 



#11 Rahmi

Rahmi

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 22 April 2007 - 09:50 AM

Combofix log:

"Rahmi" - 07-04-22 16:30:45 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Program Files\Mozilla Firefox\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\bdbimrjh.dll
C:\WINDOWS\system32\cdgqxkmi.dll
C:\WINDOWS\system32\cltybkmw.dll
C:\WINDOWS\system32\deskjcfi.dll
C:\WINDOWS\system32\ekrviabr.dll
C:\WINDOWS\system32\kouojrsh.dll
C:\WINDOWS\system32\mjuaqcqp.dll
C:\WINDOWS\system32\odhipjsv.dll
C:\WINDOWS\system32\opitkjbx.dll
C:\WINDOWS\system32\udksxpqs.dll
C:\WINDOWS\system32\ufrnxydn.dll
C:\WINDOWS\system32\wukxubip.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\pguitrql.dll
C:\WINDOWS\system32\snkgbvoc.dll
C:\WINDOWS\system32\khffgef.dll
C:\WINDOWS\system32\gpwbedkt.dll
C:\WINDOWS\system32\heeolorn.dll
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\rbaivrke.ini
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\geedb.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Rahmi\APPLIC~1\Dxcknwrd.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\printview\hotlist.dat
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{380D4~1\Bar888.dll
C:\Program Files\Common Files\{380D4~1\UnInstall.exe
C:\WINDOWS\uni_eh10.exe
C:\WINDOWS\111uninst.exe
C:\Program Files\ipwindows
C:\Program Files\printview
C:\Program Files\winupdates
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{380D4~1
C:\Program Files\Common Files\{780D4~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-21 23:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 22:41 <DIR> d-------- C:\Program Files\InterMute
2007-04-16 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SwiftSwitch
2007-04-10 01:31 1,302 --a------ C:\WINDOWS\mozver.dat
2007-04-09 01:06 <DIR> d-------- C:\DOCUME~1\Rahmi\APPLIC~1\Lavasoft
2007-04-09 01:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-09 01:03 <DIR> d-------- C:\Program Files\CCleaner
2007-04-08 02:28 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-07 21:04 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-07 21:04 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-07 21:04 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-07 21:04 <DIR> d-------- C:\Temp\tn3
2007-04-07 21:04 <DIR> d-------- C:\Fraps
2007-04-01 01:21 <DIR> d-------- C:\Program Files\Defcon
2007-03-30 15:43 <DIR> d-------- C:\DOCUME~1\Rahmi\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-03-30 15:36 <DIR> d-------- C:\Program Files\Electronic Arts
2007-03-29 22:36 1 --a------ C:\WINDOWS\gaminof10.dat
2007-03-29 22:36 <DIR> d-------- C:\Program Files\AML Products
2007-03-29 22:28 <DIR> d-------- C:\Program Files\ImTOO
2007-03-29 22:21 <DIR> d-------- C:\Program Files\Xilisoft
2007-03-29 22:21 <DIR> d-------- C:\Program Files\QuickTime
2007-03-29 22:17 475,136 --a------ C:\WINDOWS\system32\SkinCrafter.dll
2007-03-29 22:16 <DIR> d-------- C:\Program Files\Plato Video To 3GP Converter
2007-03-24 12:20 <DIR> d-------- C:\Program Files\City of Heroes


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 12:39 -------- d-------- C:\Program Files\steam
2007-04-19 18:51 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\skype
2007-04-18 22:09 -------- d-------- C:\Program Files\divx
2007-04-16 20:39 -------- d-------- C:\Program Files\swiftswitch
2007-04-12 21:28 -------- d-------- C:\Program Files\teamspeak2_rc2
2007-04-11 17:46 -------- d-------- C:\Program Files\mirc
2007-04-07 14:10 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\hamachi
2007-04-06 00:55 -------- d-------- C:\Program Files\ea games
2007-04-03 17:41 -------- d---s---- C:\Program Files\xfire
2007-04-03 17:41 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\xfire
2007-04-01 13:46 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\screenshot sender
2007-03-29 16:39 -------- d--h----- C:\Program Files\installshield installation information
2007-03-19 22:31 -------- d-------- C:\Program Files\tvants
2007-03-19 21:36 -------- d-------- C:\Program Files\sopcast
2007-03-19 21:36 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\sopcast
2007-03-19 21:12 62768 --a------ C:\DOCUME~1\Rahmi\APPLIC~1\gdipfontcachev1.dat
2007-03-19 17:29 -------- d-------- C:\Program Files\msn messenger
2007-03-19 17:29 -------- d-------- C:\Program Files\messenger plus! live
2007-03-18 20:53 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\screaming bee
2007-03-18 14:33 -------- d-------- C:\Program Files\windows media connect 2
2007-03-18 12:53 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-03-18 12:38 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 22:42 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\reallusion
2007-03-15 19:54 -------- d-------- C:\Program Files\skype
2007-03-12 21:47 -------- d-------- C:\Program Files\windows live safety center
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 21:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-05 17:38 -------- d-------- C:\DOCUME~1\Rahmi\APPLIC~1\blah boob delete
2007-03-02 21:57 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-03-02 21:54 307200 --a------ C:\WINDOWS\system32\atidemgx.dll
2007-03-02 21:53 265728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-03-02 21:53 1972224 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-02 21:47 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-03-02 21:47 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2007-03-02 21:47 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-03-02 21:47 110592 --a------ C:\WINDOWS\system32\oemdspif.dll
2007-03-02 21:47 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-03-02 21:46 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-03-02 21:45 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2007-03-02 21:38 2824512 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-03-02 21:29 1288960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-03-02 21:21 5398528 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-03-02 21:17 258048 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-03-02 21:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-03-02 21:11 348160 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-02-26 16:44 147685 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 16:27 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\pguitrql.dll [x]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"RegistryMechanic"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msconfig.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msconfig.exe"
"backup"="C:\\WINDOWS\\pss\\msconfig.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msconfig.exe"
"item"="msconfig"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rahmi^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\Rahmi\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Rahmi\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rahmi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Rahmi\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rahmi^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Rahmi\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ABoard"
"hkey"="HKLM"
"command"="c:\\apps\\ABoard\\ABoard.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CLIStart"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free first drive 01]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="software thunk"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\magsbaitfreefirst\\software thunk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAudPropShortcut"
"hkey"="HKLM"
"command"="HDAudPropShortcut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mags Creative]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hold Bleh"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Rahmi\\APPLIC~1\\BLAHBO~1\\Hold Bleh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntl Netguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RPS"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ntl\\ntl Netguard\\RPS.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Client IP-IPX"=dword:00000002
"WMPNetworkSvc"=dword:00000003
"VCSSecS"=dword:00000002
"usnjsvc"=dword:00000003
"SLService"=dword:00000002
"MDM"=dword:00000002
"lxcf_device"=dword:00000003
"iPodService"=dword:00000003
"IDriverT"=dword:00000003
"AVGEMS"=dword:00000002
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"ATI Smart"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"AOL ACS"=dword:00000002
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
WudfServiceGroup REG_MULTI_SZ WUDFSvc\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\B7945B3498A3DA68.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 16:43:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22 16:46:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-22 16:46


Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 16:48:53, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\pguitrql.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.macmillan...tsweb/msrdp.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory....ap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
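The two logs above show what a deleted component leaves behind: ComboFix removed pguitrql.dll, but its BHO CLSID {1557B435-8242-4686-9AA3-9265BF7525A4} is still registered and HijackThis now reports it as "(file missing)"; and the deletion list contains .ini files whose names are DLL names spelled backwards (geedb.dll / bdeeg.ini, awtqn.dll / nqtwa.ini, awvts.dll / stvwa.ini). The Python below is an added example, not code from this thread or from either tool; it takes constructed excerpts of the two logs as posted and reports both patterns. The reversed-name check is a heuristic of this example's own, not something ComboFix itself reports.

```python
"""Triage of the ComboFix deletion list and the HijackThis log posted above (added example)."""
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix "V Log" deletion list from the post above.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\pguitrql.dll
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\geedb.dll
C:\Program Files\ipwindows\ipwins.exe
"""

# Constructed excerpt of the O2/O9 lines from the HijackThis log in the same post.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\pguitrql.dll (file missing)
O2 - BHO: 0 - {E7046B1B-6BB7-4830-92AC-3074F808F9DB} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""


def reversed_name_pairs(listing):
    """Pair each .dll with same-directory .ini/.bak* files whose base name is the DLL name reversed.

    Heuristic of this example (not a ComboFix check): in the list above it pairs
    geedb.dll with bdeeg.*, awtqn.dll with nqtwa.ini and awvts.dll with stvwa.ini.
    Returns a sorted list of (dll_name, [companion names]).
    """
    by_dir = defaultdict(lambda: defaultdict(set))  # directory -> stem -> {extensions}
    for line in listing.splitlines():
        directory, _, name = line.strip().rpartition("\\")
        if "." not in name:
            continue
        stem, _, ext = name.lower().rpartition(".")
        by_dir[directory.lower()][stem].add(ext)
    pairs = []
    for stems in by_dir.values():
        for stem, exts in stems.items():
            mirror = stem[::-1]
            if "dll" not in exts or mirror == stem or mirror not in stems:
                continue
            companions = sorted(f"{mirror}.{e}" for e in stems[mirror] if e != "dll")
            if companions:
                pairs.append((f"{stem}.dll", companions))
    return sorted(pairs)


HJT_ENTRY = re.compile(r"^(O\d+) - .*?\{([0-9A-Fa-f-]{36})\} - (.*)$")


def orphaned_entries(log):
    """Return (section, CLSID, target) for O2/O9 lines whose backing file HijackThis could not find.

    The CLSID registration is what survives after the DLL itself has been deleted; it is
    what HijackThis removes when the line is ticked. CLSIDs are upper-cased for comparison.
    """
    orphans = []
    for line in log.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        section, clsid, target = m.groups()
        if target == "(no file)" or target.endswith("(file missing)"):
            orphans.append((section, "{" + clsid.upper() + "}", target))
    return orphans


if __name__ == "__main__":
    for dll, companions in reversed_name_pairs(COMBOFIX_DELETIONS):
        print(f"reversed-name pair: {dll} <-> {', '.join(companions)}")
    for section, clsid, target in orphaned_entries(HJT_LOG):
        print(f"orphaned {section} entry {clsid}: {target}")
```

Not every orphan is malware: the {e2e2dd38-...} entry points at xpnetdiag.exe, a Windows component that is simply not installed on this machine, so the output is a list to review, not a list to delete blindly. Run the file as-is; it prints the three reversed-name pairs and the four orphaned CLSIDs from the excerpts.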

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 10:09 AM

Looking much better :thumbup:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe
Double-click SmitfraudFix.exe on your Desktop. A folder named SmitfraudFix will be created on your Desktop.

______________________________
Next:

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update", then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Delete".
  • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly if needed.

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

This program will scan a large number of files on your computer for known patterns, so please be patient while it works. It will create a file named:
c:\rapport.txt


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

#13 Rahmi

Rahmi

    New Member

  • New Member
  • 8 posts

Posted 22 April 2007 - 10:21 AM

SmitFraudFix v2.171

Scan done at 17:19:08.81, 22/04/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Spyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rahmi

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Rahmi\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Rahmi\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: USB Cable Modem 351000 - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
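The report above has two parts a practitioner reads first: the "FOUND !" hits (here only C:\WINDOWS\.protected) and the DNS section, which SmitfraudFix dumps because a changed resolver is one way pop-up redirects survive a file-level cleanup. The Python below is an added example, not part of SmitfraudFix or of this thread; it parses a constructed excerpt of the report, re-broken into one entry per line, and compares the DhcpNameServer values across control sets against an allow-list. Treating 194.168.4.100 and 194.168.8.100 as the ISP's legitimate resolvers is an assumption taken from the report itself, and the DRIFTED variant is constructed here to show what a changed entry looks like.

```python
"""Parser for the SmitfraudFix rapport.txt posted above (added example, not part of the tool)."""
import re

# Constructed excerpt of the report in the post above, one entry per line.
RAPPORT = r"""
SmitFraudFix v2.171

Scan done at 17:19:08.81, 22/04/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: USB Cable Modem 351000 - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{612C8606-F4EF-4F56-A20B-9BAD62492B7E}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Assumption: the two servers the report shows are the ISP's legitimate resolvers.
ALLOWED_DNS = {"194.168.4.100", "194.168.8.100"}

# Constructed variant in which one control set points at a different resolver,
# to show what a changed setting looks like to the checks below.
DRIFTED = RAPPORT.replace(
    "CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100",
    "CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=10.0.0.53",
)

FOUND = re.compile(r"^(.*?)\s+FOUND\s*!$")
NS_LINE = re.compile(r"^HKLM\\SYSTEM\\(\w+)\\Services\\Tcpip\\(.+?): (?:Dhcp)?NameServer=(.*)$", re.I)


def found_items(report):
    """Paths the tool marked 'FOUND !' (its own signature hits)."""
    hits = []
    for line in report.splitlines():
        m = FOUND.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits


def nameservers(report):
    """Map (control set, interface-or-Parameters) -> set of resolver addresses recorded there."""
    out = {}
    for line in report.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            control_set, where, servers = m.groups()
            out[(control_set.upper(), where)] = set(re.split(r"[\s,]+", servers.strip()))
    return out


def dns_findings(report, allowed):
    """(resolvers outside the allow-list, control sets whose resolver set differs from CCS).

    Sets are compared, so the reversed order CS1 shows in the real report is not a finding.
    """
    ns = nameservers(report)
    rogue = set().union(*ns.values()) - set(allowed)
    current = {where: s for (cs, where), s in ns.items() if cs == "CCS"}
    drift = sorted((cs, where) for (cs, where), s in ns.items()
                   if cs != "CCS" and where in current and s != current[where])
    return rogue, drift


if __name__ == "__main__":
    print("FOUND:", found_items(RAPPORT))
    for label, sample in (("as posted", RAPPORT), ("drifted variant", DRIFTED)):
        rogue, drift = dns_findings(sample, ALLOWED_DNS)
        print(f"{label}: rogue resolvers={sorted(rogue)} drift={drift}")
```

On the report as posted the DNS checks come back empty, which matches the tool's own silence on that section; the pop-ups in this thread came from files and autostart entries, not from a redirected resolver. The allow-list has to come from the ISP or the router, not from the report, otherwise the check only confirms what is already there.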

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2007 - 10:26 AM

Running the Clean

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.



The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware, and run a full scan.
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it as a text file on your Desktop (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and Reboot in Normal Mode.

______________________________

Please post:
1. c:\rapport.txt
2. AVG Anti-Spyware log
3. A new HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 25 April 2007 - 04:59 PM

How are you doing with the fix?

