[Resolved] yourprivacyguard


  • This topic is locked
10 replies to this topic

#1 ccornell0917

ccornell0917

    New Member

  • New Member
  • 5 posts

Posted 01 November 2007 - 12:01 PM

When right clicking the link in the info bar at the top and going down to properties, the name given is zheltaya_hernya. When this top bar appears, the favorites menu disappears and will not come back until IE is restarted.

Logfile of HijackThis v1.99.1
Scan saved at 1:48:57 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\sfoster.STAIR\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The NetworkControl - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - C:\WINDOWS\sdrmod.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\Software\..\Telephony: DomainName = stair.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stair.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.10,64.90.1.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rgbopx - rgbopx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hupsrv - {D99AF5B4-079A-4DDD-9E2C-EED3EEB37AEB} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {CA96A4C9-E087-4E79-8EAE-BF76BE3AEC9E} - C:\WINDOWS\bindmod.dll



#2 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 01 November 2007 - 04:58 PM

Welcome to the forum.

1. Download RVAXO.exe to your desktop.

2. Double click on RVAXO.exe and choose unzip.
It will install to a folder called Rvaxo.

3. Now open up the Rvaxo folder and double click on RVAXO.cmd

You will see a small window pop up, and quickly some lines will run, then the window will close by itself; this is normal behavior.
Then it is possible for an uninstaller of some rogue scanner to start up. Do not close this, but follow all prompts there and let it run its course.

4. When it's done the computer will reboot.....press any key to reboot.

5. After reboot RVAXO will run again, let it finish

6. After it's done it will create a file called RVAXO-results.log in C:\RVAXO-results.log

7. Copy and paste it back here with a fresh HJT log.

Note:
You can use Uninstall.cmd to remove everything from RVAXO, it will be found in the RVAXO-folder on your desktop.

Good Luck, MrC


#3 ccornell0917

ccornell0917

    New Member

  • New Member
  • 5 posts

Posted 02 November 2007 - 08:20 AM

Thank you so much for your awesome help so far! I ran RVAXO but had some problems. I got 2 error messages. It said "Cannot export templ.txt: Error opening the file. There may be a disk or system error." The second message was the same but templ.txt was replaced with ssodl.txt. After closing the messages, it quit running and did nothing else. However, it did save a log file with no info.

----------------RVAXO.exe first run-------------

Files found:

----------------RVAXO.exe first run-------------

Files found:


This morning, the computer had lots more problems too. The desktop image was seemingly changed but it was actually a massive icon. It was red with a Danger message. The url for the icon is file:///C:/windows/privacy_danger/images/spacer.gif. The user is also getting a tremendous amount of popups. They look very official and say things like "Windows Security Alert: Windows has detected an internet attack attempt. Somebody's trying to infect your PC" and "Spyware Alert: Windows has detected worm.win32.NetSky"

Not sure if a new hijackthis log will help but:

Scan saved at 9:49:03 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\Documents and Settings\sfoster.STAIR\Local Settings\Temporary Internet Files\Content.IE5\CHM3SPUF\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The NetworkControl - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - C:\WINDOWS\sdrmod.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\Software\..\Telephony: DomainName = stair.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stair.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.10,64.90.1.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O20 - Winlogon Notify: rgbopx - rgbopx.dll (file missing)
O21 - SSODL: hupsrv - {D99AF5B4-079A-4DDD-9E2C-EED3EEB37AEB} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {CA96A4C9-E087-4E79-8EAE-BF76BE3AEC9E} - C:\WINDOWS\bindmod.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6067 bytes

Thanks a bunch!

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 02 November 2007 - 08:47 AM

OK we'll manually remove it.

But first.....

Please move HJT into its own permanent folder so backups can be made and found.
example: C:\MyHJT\HiJackThis.exe, C:\Program Files\MYHJT\HiJackThis.exe or C:\MyDocuments\MyHJT\HiJackThis.exe

--------------------


1. Please download the OTMoveIt by OldTimer to your desktop.
Don't run it yet.

-----------------


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O3 - Toolbar: The NetworkControl - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - C:\WINDOWS\sdrmod.dll
O20 - Winlogon Notify: rgbopx - rgbopx.dll (file missing)
O21 - SSODL: hupsrv - {D99AF5B4-079A-4DDD-9E2C-EED3EEB37AEB} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {CA96A4C9-E087-4E79-8EAE-BF76BE3AEC9E} - C:\WINDOWS\bindmod.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Click on Fix Checked and exit HijackThis.

-----------------------

Back to OTMoveIt....

2. Please double-click OTMoveIt.exe to run it.
Where it says: "Paste List of Files/Folders to be Moved", copy and paste next blue part into that Window:

C:\WINDOWS\advrepvto.dll
C:\WINDOWS\sdrmod.dll
C:\WINDOWS\hupsrv.dll
C:\WINDOWS\bindmod.dll
C:\WINDOWS\privacy_danger



3. Then click the red Moveit! button below.
This will display the results in the right window where it says Results on top.
4. Copy and paste everything present in the Results window (right window), save these results in Notepad and save it on your desktop, because I need to see those results afterwards.
5. Close OTMoveIt

Note:
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a fresh HijackThis log, the log from OTMoveIt and we'll take another look. MrC


#5 ccornell0917

ccornell0917

    New Member

  • New Member
  • 5 posts

Posted 02 November 2007 - 09:53 AM

I saved both HiJack This and OTMoveIt to my documents folder. Here are the logs:

OTMoveIt:

File/Folder C:\WINDOWS\advrepvto.dll not found.
File/Folder C:\WINDOWS\sdrmod.dll not found.
File/Folder C:\WINDOWS\hupsrv.dll not found.
File/Folder C:\WINDOWS\bindmod.dll not found.
File/Folder C:\WINDOWS\privacy_danger not found.

Created on 11/02/2007 11:42:01

HJT after restart:

Logfile of HijackThis v1.99.1
Scan saved at 11:46:26 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sfoster.STAIR\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\Software\..\Telephony: DomainName = stair.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stair.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.10,64.90.1.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bindmod - {1CC17498-A9F8-44B8-B82E-3337B97B74CC} - C:\WINDOWS\bindmod.dll (file missing)
O21 - SSODL: msmhost - {674A1AF0-CD02-4F77-8A7D-2E7B1DCCA982} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {BCD42DD7-5A61-4BCA-9819-7A55C1F3ECDC} - C:\WINDOWS\msmdev.dll

#6 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 02 November 2007 - 11:06 AM


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O21 - SSODL: bindmod - {1CC17498-A9F8-44B8-B82E-3337B97B74CC} - C:\WINDOWS\bindmod.dll (file missing)
O21 - SSODL: msmhost - {674A1AF0-CD02-4F77-8A7D-2E7B1DCCA982} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {BCD42DD7-5A61-4BCA-9819-7A55C1F3ECDC} - C:\WINDOWS\msmdev.dll

Click on Fix Checked and exit HijackThis.

-------------------

Use OTMoveIt to delete these files...here's the code:

C:\WINDOWS\nsduo.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\msmdev.dll


-----------------------

Open up the RVAXO folder and double click on the Uninstall.cmd, this will remove the items in C:\.
Now delete the RVAXO folder and the RVAXO.exe that you downloaded.
Now you shouldn't have any of the RVAXO on your system.
Now download RVAXO.exe again and run the program as outlined before.
Post the logs back here, MrC
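An added triage helper, written for this page and not part of the thread, HijackThis, RVAXO or OTMoveIt: it parses the HJT entry formats shown in the logs above and flags the pattern MrCharlie picked out by eye in posts #4 and #6 (hook DLLs dropped straight into C:\WINDOWS, orphaned "(file missing)" Winlogon Notify/SSODL registrations, and a desktop component backed by a local file). The sample lines are copied from the thread's logs; the heuristics and every function name are this example's own assumptions.

```python
"""Triage helper for HijackThis 1.99 log entries (added example, not HJT code).

Parses the O2/O3/O4/O20/O21/O24 and R0/R1 line formats seen in this thread's
logs and flags the pattern the helper removed by hand. The heuristics are this
example's own and are a starting point for review, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the logs posted in this thread, mixing
# the entries that were removed with a few legitimate ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - C:\WINDOWS\advrepvto.dll
O3 - Toolbar: The NetworkControl - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - C:\WINDOWS\sdrmod.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rgbopx - rgbopx.dll (file missing)
O21 - SSODL: hupsrv - {D99AF5B4-079A-4DDD-9E2C-EED3EEB37AEB} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {1CC17498-A9F8-44B8-B82E-3337B97B74CC} - C:\WINDOWS\bindmod.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A DLL or EXE sitting directly in the Windows root, e.g. C:\WINDOWS\hupsrv.dll
WINROOT_BINARY_RE = re.compile(r"^([a-z]:\\windows)\\[^\\]+\.(dll|exe)$")


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O21"
    kind: str                    # the hook type HJT prints, e.g. "SSODL", "BHO"
    name: str                    # display name of the registration
    clsid: Optional[str]         # CLSID when HJT prints one
    target: str                  # DLL/EXE path, URL or file:// reference
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry, or None for lines we do not model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    if section.startswith("R"):
        # R lines read "registry value = data" and carry no CLSID
        key, _, value = rest.partition(" = ")
        return Entry(section, "Registry", key, None, value)
    kind, _, tail = rest.partition(": ")
    if section == "O4":
        # "HKLM\..\Run: [Name] C:\path\prog.exe" or "Global Startup: x.lnk = C:\path"
        bracket = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)", tail)
        if bracket:
            return Entry(section, kind, bracket.group("name"), None, bracket.group("target"))
        name, _, target = tail.partition(" = ")
        return Entry(section, kind, name, None, target)
    # O2/O3/O20/O21/O24: "Kind: Name - [{CLSID} - ]target"
    parts = tail.split(" - ")
    if len(parts) < 2:
        return None
    clsid = parts[1] if CLSID_RE.match(parts[1]) else None
    target = " - ".join(parts[2:] if clsid else parts[1:])
    return Entry(section, kind, parts[0], clsid, target)


def triage(entry: Entry) -> Entry:
    """Attach review reasons to an entry (this example's heuristics, not HJT's)."""
    low = entry.target.lower()
    if entry.section in ("O20", "O21") and "(file missing)" in low:
        entry.reasons.append("orphaned Winlogon/SSODL registration: file missing")
    path = low.replace("(file missing)", "").strip()
    if WINROOT_BINARY_RE.match(path):
        # Legitimate shell hooks on this box live in System32 or Program Files
        entry.reasons.append("hook binary dropped directly in the Windows root")
    if entry.section == "O24" and low.startswith("file:///"):
        entry.reasons.append("desktop component backed by a local file")
    return entry


def suspicious_entries(log_text: str) -> List[Entry]:
    """Parse a whole HJT log and return only the entries that drew a reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.section:<4}{e.kind}: {e.name} -> {e.target}")
        for reason in e.reasons:
            print(f"        reason: {reason}")
```

Run it over a full HJT log to get a shortlist to review by hand; a legitimate System32 or Program Files hook never trips these rules, so an empty result only means none of these three patterns is present.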


#7 ccornell0917

ccornell0917

    New Member

  • New Member
  • 5 posts

Posted 02 November 2007 - 11:59 AM

OTMoveIt:

File/Folder C:\WINDOWS\nsduo.dll not found.
File/Folder C:\WINDOWS\msmhost.dll not found.
File/Folder C:\WINDOWS\msmdev.dll not found.

Created on 11/02/2007 13:42:54

RVAXO:

----------------RVAXO.exe first run-------------

Files found:

C:\WINDOWS\dat.txt
C:\WINDOWS\wtopmod.exe
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\nsduo.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\msmdev.dll

Uninstallers Rogue scanners:


Folders Found:


Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:41 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\sfoster.STAIR\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\Software\..\Telephony: DomainName = stair.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stair.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.10,64.90.1.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = stair.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{9967F642-1028-464A-9845-BC3C6474CB47}: NameServer = 10.10.10.254

#8 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 02 November 2007 - 12:59 PM

Looks Good Now.....How's it running, MrC

#9 ccornell0917

ccornell0917

    New Member

  • New Member
  • 5 posts

Posted 02 November 2007 - 01:25 PM

Everything seems to be going great! We have had 2 users experience similar problems within the last several months with no IT person at this location. We greatly appreciate your help and will be donating to your site. Many many thanks :D

#10 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 02 November 2007 - 02:39 PM

Thanks :)

If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance:

Some of the programs you may have run create backups of what was deleted - you can safely delete them now: (delete folders in blue) You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection so there's no need for it to be running, I suggest you keep the program and update regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point (XP only):

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the latest critical updates.

Install these two free programs; they sit in the background and protect your system from spyware and adware being installed on your system, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG*free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows firewall is not sufficient...install a better one.
Comodo Free Firewall
ZoneAlarm*free
Other free firewalls

Keep those temp files off your system use
ATF Cleaner - hit "select all" then just uncheck "cookies" (uncheck cookies is optional - leave it checked if you want to delete all cookies) then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 3<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter Manage your startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Slow Computer - Check Here

Don't open e-mail attachments without first scanning them with an up-to-date anti-virus program; even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc. asking for personal information - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits; don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC


#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 07 November 2007 - 09:03 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
