Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: unknown files/"malware" in registry

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Location
    Jersey.
    Posts
    12

    Default unknown files/"malware" in registry

    I was wondering if somebody could help me. I have some unknown programs running in my registry. I also scanned my system using spybot and it found:

    Virtumonde
    Crypt.Spambot.qk
    Element
    Virtumonde.generic

    I then followed everything the "Before you post a log" thread said and here it is...
    Thank you!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:45:25 PM, on 9/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\rwkgjnuzroz.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newmilfordschools.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43F85621-6A64-4CB3-ADCA-65FC4F259514} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {7EABCB33-DFF2-4D7F-87C2-1FA268BCA753} - C:\WINDOWS\system32\oppqq.dll (file missing)
    O2 - BHO: (no name) - {F9C79A6F-9F08-4F3F-969F-451173E1FD1A} - C:\WINDOWS\system32\urqop.dll (file missing)
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [xtmpouwdme] C:\WINDOWS\system32\xtmpouwdme.exe
    O4 - HKLM\..\Run: [rwkgjnuzroz] C:\WINDOWS\system32\rwkgjnuzroz.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\RunServices: [szblneajb] C:\WINDOWS\system32\szblneajb.exe
    O4 - HKLM\..\RunServices: [xtmpouwdme] C:\WINDOWS\system32\xtmpouwdme.exe
    O4 - HKLM\..\RunServices: [rwkgjnuzroz] C:\WINDOWS\system32\rwkgjnuzroz.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\xurduxkb.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XM...h/XMLCache.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111274866408
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152727605292
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...59/mcfscan.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: efcywvw - efcywvw.dll (file missing)
    O20 - Winlogon Notify: oppqq - C:\WINDOWS\system32\oppqq.dll (file missing)
    O20 - Winlogon Notify: urqop - C:\WINDOWS\system32\urqop.dll (file missing)
    O20 - Winlogon Notify: yayvsqr - yayvsqr.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Print Spooler Service (oaxis7kugxzd) - Unknown owner - C:\WINDOWS\system32\rwkgjnuzroz.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PCCare Premium - Unknown owner - C:\Program Files\PCCare\Client\srvc.exe (file missing)
    O23 - Service: Service Configurator (Service_v1) - Unknown owner - C:\WINDOWS\Config\service.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Windows Maintenance Monitor (wmoisvc) - Unknown owner - C:\WINDOWS\winrss.exe (file missing)

    --
    End of file - 9224 bytes
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, September 25, 2007 8:08:46 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 25/09/2007
    Kaspersky Anti-Virus database records: 423082
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 54380
    Number of viruses found: 7
    Number of infected objects: 24
    Number of suspicious objects: 0
    Duration of the scan process: 03:51:41

    Infected Object Name / Virus Name / Last Action
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469202.CPY Infected: Trojan-Downloader.Win32.VB.db skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469203.CPY Infected: Trojan-Downloader.Win32.VB.ec skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469204.CPY Infected: Trojan-Downloader.Win32.VB.ec skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469205.CPY Infected: Trojan-Dropper.Win32.Small.nm skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469206.CPY Infected: Trojan.Win32.StartPage.pe skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469207.CPY Infected: Trojan.Win32.StartPage.pe skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB/A0469208.CPY Infected: Trojan.Win32.StartPage.pe skipped
    C:\_RESTORE\ARCHIVE\FS3112.CAB CAB: infected - 7 skipped
    C:\_RESTORE\ARCHIVE\FS3113.CAB/A0469209.CPY Infected: Trojan-Downloader.Win32.VB.db skipped
    C:\_RESTORE\ARCHIVE\FS3113.CAB/A0469210.CPY Infected: Trojan-Downloader.Win32.VB.df skipped
    C:\_RESTORE\ARCHIVE\FS3113.CAB/A0469211.CPY Infected: Trojan-Downloader.Win32.VB.ez skipped
    C:\_RESTORE\ARCHIVE\FS3113.CAB CAB: infected - 3 skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\sptd2381.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
    C:\WINDOWS\SYSTEM32\vstelbh.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\WINDOWS\SYSTEM32\rvhpa.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\WINDOWS\SYSTEM32\qkaynqvpqm.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\WINDOWS\SYSTEM32\nuvatlvfnspq.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\WINDOWS\SYSTEM32\rwkgjnuzroz.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\pfirewall.log Object is locked skipped
    C:\WINDOWS\TEMP\ZLT07993.TMP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT079a0.TMP Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\FAMILYROOM.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{60015F56-8116-4E59-8FC7-D603D0F591EA}.bin Object is locked skipped
    C:\Documents And Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
    C:\Documents And Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents And Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents And Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents And Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents And Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents And Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents And Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents And Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents And Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NLZHMJX5\three[1].exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\Documents And Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents And Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents And Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents And Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents And Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents And Settings\Bryan\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\History\History.IE5\MSHist012007092520070926\index.dat Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents And Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents And Settings\Bryan\Cookies\index.dat Object is locked skipped
    C:\Documents And Settings\Bryan\ntuser.dat Object is locked skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\change.log Object is locked skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025930.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025931.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025932.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025933.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025934.exe Infected: Trojan.Win32.Obfuscated.gy skipped
    C:\System Volume Information\_restore{94883545-816E-49F9-A47E-C04E281C9FE4}\RP135\A0025935.exe Infected: Trojan.Win32.Obfuscated.gy skipped

    Scan process completed.

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello and welcome to the FOrums

    One or more of the identified infections is a backdoor trojan

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

    Please let us know what you have decided to do in your next post
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Location
    Jersey.
    Posts
    12

    Default Let's do it.

    I'd like to go ahead and try to clean this thing lol. Thank you beforehand for helping me.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Sorry for the delay, I don't know how I forgot this

    I'll be happy to help you with the cleaning.

    At first you need to disable a few realtime protections. These may interfere with our cleaning process.
    We'll enable these when you're clean...

    Disable Ad-Aware Ad-Watch realtime protection
    • Right click on the Ad-Watch icon in the system tray.
    • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
      • Active: This will turn Ad-Watch On\Off without closing it
      • Automatic: Suspicious activity will be blocked automatically
    • Uncheck both of those boxes.


    Download SDFix and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Location
    Jersey.
    Posts
    12

    Default here ya go

    Thanks for getting back to me. Here are the reports you've asked for...


    SDFix: Version 1.107

    Run by Bryan on Tue 10/02/2007 at 06:21 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\Bryan\Desktop\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Service_v1
    oaxis7kugxzd

    ImagePath:
    "C:\WINDOWS\Config\service.exe"
    C:\WINDOWS\system32\rwkgjnuzroz.exe /service

    Service_v1 - Deleted
    oaxis7kugxzd - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\VSTELBH.EXE - Deleted
    C:\WINDOWS\SYSTEM32\RVHPA.EXE - Deleted
    C:\WINDOWS\SYSTEM32\QKAYNQ~1.EXE - Deleted
    C:\WINDOWS\SYSTEM32\NUVATL~1.EXE - Deleted
    C:\WINDOWS\SYSTEM32\RWKGJN~1.EXE - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Common Files\\AOL\\1125933981\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125933981\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Palm\\hotsync.exe"="C:\\Program Files\\Palm\\hotsync.exe:*:Enabled:HotSyncr Manager Application"
    "C:\\Program Files\\Common Files\\AOL\\1125933981\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1125933981\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1125933981\\EE\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1125933981\\EE\\aim6.exe:*:Enabled:AIM"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
    "C:\\WINDOWS\\system32\\xurduxkb.exe"="C:\\WINDOWS\\system32\\xur"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Common Files\\AOL\\1125933981\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125933981\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:
    ---------------

    File Backups: - C:\DOCUME~1\Bryan\Desktop\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Thu 8 Jun 2000 93,040 ..SH. --- "C:\COMMAND.COM"
    Wed 29 Dec 2004 194 ..SH. --- "C:\AUTOEXEC.BAK"
    Mon 28 Jun 2004 68,608 ...H. --- "C:\My Documents\~WRL3930.tmp"
    Sun 9 Sep 2007 2,009,979 ..SH. --- "C:\WINDOWS\SYSTEM32\poqru.bak2"
    Thu 21 Jun 2007 1,821,503 ..SH. --- "C:\WINDOWS\SYSTEM32\qqppo.bak1"
    Fri 22 Jun 2007 1,820,056 ..SH. --- "C:\WINDOWS\SYSTEM32\qqppo.bak2"
    Sun 9 Sep 2007 2,010,489 ..SH. --- "C:\WINDOWS\SYSTEM32\poqru.bak1"
    Thu 8 Jun 2000 53,248 ...H. --- "C:\Program Files\Accessories\mspcx32.dll"
    Thu 8 Jun 2000 582,928 ...H. --- "C:\Program Files\Accessories\HyperTerminal\hypertrm.dll"
    Thu 8 Jun 2000 29,456 ...H. --- "C:\Program Files\Accessories\HyperTerminal\hticons.dll"
    Thu 5 May 2005 4,348 ..SH. --- "C:\Documents And Settings\All Users\DRM\DRMv1.bak"
    Sun 15 May 2005 29,696 ...H. --- "C:\Documents And Settings\Bryan\Desktop\~WRL1635.tmp"
    Tue 18 Sep 2007 0 A.SH. --- "C:\Documents And Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 25 May 2005 20 A..H. --- "C:\Documents And Settings\Bryan\My Documents\My Music\License Backup\drmv1lic.bak"
    Thu 5 May 2005 4,348 ...H. --- "C:\Documents And Settings\Bryan\My Documents\My Music\License Backup\drmv1key.bak"
    Wed 25 May 2005 1,536 A..H. --- "C:\Documents And Settings\Bryan\My Documents\My Music\License Backup\drmv2lic.bak"
    Thu 5 May 2005 400 ...H. --- "C:\Documents And Settings\Bryan\My Documents\My Music\License Backup\drmv2key.bak"
    Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents And Settings\Bryan\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:55:26 PM, on 10/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newmilfordschools.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43F85621-6A64-4CB3-ADCA-65FC4F259514} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {7EABCB33-DFF2-4D7F-87C2-1FA268BCA753} - C:\WINDOWS\system32\oppqq.dll (file missing)
    O2 - BHO: (no name) - {F9C79A6F-9F08-4F3F-969F-451173E1FD1A} - C:\WINDOWS\system32\urqop.dll (file missing)
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [xtmpouwdme] C:\WINDOWS\system32\xtmpouwdme.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [szblneajb] C:\WINDOWS\system32\szblneajb.exe
    O4 - HKLM\..\RunServices: [xtmpouwdme] C:\WINDOWS\system32\xtmpouwdme.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\xurduxkb.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XM...h/XMLCache.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111274866408
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152727605292
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...59/mcfscan.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: efcywvw - efcywvw.dll (file missing)
    O20 - Winlogon Notify: oppqq - C:\WINDOWS\system32\oppqq.dll (file missing)
    O20 - Winlogon Notify: urqop - C:\WINDOWS\system32\urqop.dll (file missing)
    O20 - Winlogon Notify: yayvsqr - yayvsqr.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PCCare Premium - Unknown owner - C:\Program Files\PCCare\Client\srvc.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Windows Maintenance Monitor (wmoisvc) - Unknown owner - C:\WINDOWS\winrss.exe (file missing)

    --
    End of file - 8631 bytes

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Ok much better...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Location
    Jersey.
    Posts
    12

    Default combofix log

    here it is...

    ComboFix 07-10-04.2 - Bryan 2007-10-03 19:38:16.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.39 [GMT -4:00]
    Running from: C:\Documents and Settings\Bryan\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
    .

    2007-10-03 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-02 18:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-09-25 18:43 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-25 01:09 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Kaspersky Lab
    2007-09-25 01:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-09-24 22:44 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-24 22:44 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Lavasoft
    2007-09-24 08:30 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-09-18 16:08 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-09-18 15:33 32 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
    2007-09-18 15:15 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-09-18 15:15 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\MailFrontier
    2007-09-18 15:02 <DIR> d-------- C:\Program Files\iTunes
    2007-09-18 14:59 <DIR> d-------- C:\Program Files\QuickTime
    2007-09-18 14:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-09-18 14:57 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-09-18 14:54 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Apple
    2007-09-09 10:26 2,009,979 ---hs---- C:\WINDOWS\SYSTEM32\poqru.bak2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-04 20:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-09-09 10:39 2010489 ---hs---- C:\WINDOWS\SYSTEM32\poqru.bak1
    2007-09-06 16:14 1086952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
    2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
    2007-07-19 03:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-07-12 19:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
    2003-05-07 12:11 271 ---hs---- C:\Program Files\desktop.ini
    2003-05-07 12:11 23357 ---h----- C:\Program Files\folder.htt
    2001-11-22 23:08 712704 --a------ C:\WINDOWS\INF\OTHER\audio3d.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F85621-6A64-4CB3-ADCA-65FC4F259514}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EABCB33-DFF2-4D7F-87C2-1FA268BCA753}]
    C:\WINDOWS\system32\oppqq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9C79A6F-9F08-4F3F-969F-451173E1FD1A}]
    C:\WINDOWS\system32\urqop.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "xtmpouwdme"="C:\WINDOWS\system32\xtmpouwdme.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-18 15:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "Aim6"="" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "szblneajb"=C:\WINDOWS\system32\szblneajb.exe
    "xtmpouwdme"=C:\WINDOWS\system32\xtmpouwdme.exe

    C:\Documents And Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

    C:\Documents And Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywvw]
    efcywvw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppqq]
    C:\WINDOWS\system32\oppqq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqop]
    C:\WINDOWS\system32\urqop.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvsqr]
    yayvsqr.dll

    S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94237d60-dc74-11db-82b5-0080c6e86144}]
    AutoRun\command- F:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-29 16:29:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-04 20:08:31
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-04 20:25:28 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-04 20:25
    .
    --- E O F ---

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi, we'll continue

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\poqru.bak2
    C:\WINDOWS\SYSTEM32\poqru.bak1
    C:\WINDOWS\system32\oppqq.dll
    C:\WINDOWS\system32\urqop.dll
    C:\WINDOWS\system32\xtmpouwdme.exe
    C:\WINDOWS\system32\szblneajb.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F85621-6A64-4CB3-ADCA-65FC4F259514}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EABCB33-DFF2-4D7F-87C2-1FA268BCA753}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9C79A6F-9F08-4F3F-969F-451173E1FD1A}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xtmpouwdme"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "szblneajb"=-
    "xtmpouwdme"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywvw]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppqq]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqop]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvsqr]
    Save this as "CFScript"



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #9
    Junior Member
    Join Date
    Sep 2007
    Location
    Jersey.
    Posts
    12

    Default more logs

    Here ya go..thanks again for taking the time to help me!


    ComboFix 07-10-04.2 - Bryan 2007-10-05 18:53:50.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.42 [GMT -4:00]
    Running from: C:\Documents and Settings\Bryan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Bryan\Desktop\CFScript.txt

    FILE::
    C:\WINDOWS\system32\oppqq.dll
    C:\WINDOWS\SYSTEM32\poqru.bak1
    C:\WINDOWS\SYSTEM32\poqru.bak2
    C:\WINDOWS\system32\szblneajb.exe
    C:\WINDOWS\system32\urqop.dll
    C:\WINDOWS\system32\xtmpouwdme.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\poqru.bak1
    C:\WINDOWS\SYSTEM32\poqru.bak2

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
    .

    2007-10-03 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-02 18:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-09-25 18:43 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-25 01:09 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Kaspersky Lab
    2007-09-25 01:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-09-24 22:44 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-24 22:44 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Lavasoft
    2007-09-24 08:30 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2007-09-18 16:08 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-09-18 15:33 32 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
    2007-09-18 15:15 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-09-18 15:15 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\MailFrontier
    2007-09-18 15:02 <DIR> d-------- C:\Program Files\iTunes
    2007-09-18 14:59 <DIR> d-------- C:\Program Files\QuickTime
    2007-09-18 14:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-09-18 14:57 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-09-18 14:54 <DIR> d-------- C:\Documents And Settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-04 20:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-09-06 16:14 1086952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
    2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
    2007-07-19 03:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-07-12 19:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
    2003-05-07 12:11 271 ---hs---- C:\Program Files\desktop.ini
    2003-05-07 12:11 23357 ---h----- C:\Program Files\folder.htt
    2001-11-22 23:08 712704 --a------ C:\WINDOWS\INF\OTHER\audio3d.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-04_20.20.28.36 )))))))))))))))))))))))))))))))))))))))))
    .
    ---h--w 4,212 2007-10-05 00:10:20 C:\WINDOWS\SYSTEM32\zllictbl.dat
    .
    ---h--w 4,212 2007-10-05 00:00:06 C:\WINDOWS\SYSTEM32\zllictbl.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-18 15:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "Aim6"="" []

    C:\Documents And Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

    C:\Documents And Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

    S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94237d60-dc74-11db-82b5-0080c6e86144}]
    AutoRun\command- F:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-29 16:29:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-05 19:15:37
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-05 19:26:29
    C:\ComboFix-quarantined-files.txt ... 2007-10-05 19:26
    C:\ComboFix2.txt ... 2007-10-04 20:25
    .
    --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:30:58 PM, on 10/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newmilfordschools.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XM...h/XMLCache.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111274866408
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152727605292
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...59/mcfscan.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PCCare Premium - Unknown owner - C:\Program Files\PCCare\Client\srvc.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Windows Maintenance Monitor (wmoisvc) - Unknown owner - C:\WINDOWS\winrss.exe (file missing)

    --
    End of file - 7766 bytes

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, we'll continue

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    ==================

    Disable the bad service
    • Start
    • Run
    • Type services.msc to the field and press enter.
    • A window opens, scroll down to Windows Maintenance Monitor (wmoisvc)
    • Rightclick it and choose Stop
    • Then choose Properties
    • Set Startup to Disabled
    • Click Apply and OK.


    Then, open HijackThis.
    • Open the Misc Tools section
    • Delete an NT service
    • Copy the following line to the box and press OK; wmoisvc
    • Answer Yes
    • Close HIjackThis

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll (file missing)

    Open HijackThis.
    • Open the Misc Tools section
    • Delete a file on Reboot
    • Copy the following line to the filenamebox and press Open; C:\WINDOWS\winrss.exe
    • Answer Yes
    • Reboot the computer if it isn't restarted automatically


    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •