View Full Version : smitfreud problems?
i have problems with my pc.. its slower than usual and the other threads here didint help..
+ teatimer registers a registry change which i must accept or else it pops up again instantly, and minutes after it is changed it gets deleted and added again...
my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 17:47:05, on 01.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programfiler\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programfiler\PowerISO\PWRISOVM.EXE
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - Default URLSearchHook is missing
O1 - Hosts: AmsServer
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Programfiler\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programfiler\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Administrator\Skrivebord\Ikoner\utorrent.exe"
O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
pskelley
2007-03-03, 14:08
Welcome to the forum, you have a couple of real nasty trojans running on your computer.
NTLOAD X ntsrv.exe Flagged as Backdoor.Iroffer / Backdoor.Noer
NTSVCMGR X ntsrv.exe Flagged as Backdoor.Iroffer / Backdoor.Noer
http://www.pcreview.co.uk/startup/CSRSS.EXE/.svchost.php
Here they are on the computer:
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
Here is information: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=55409
Backdoor : A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker
and the google: http://www.google.com/search?q=+Backdoor.Iroffer+&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
While I may be able to help you remove these worms, your security has been compromised and I need to give you this information:
You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Please let us know what you have decided to do in your next post.
Thanks
hi, i used hjt to fix the entries:
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
but i dont think csrss.exe is a trojan cus i ran some tests on a site to see if i sent out any info and i didnt.. besides i cant terminate the proscess in task manager.
but for the 023 entry i thank you but i still have the problem with something about adding "winlogon notifiers" in spybot-sd "resident" constantly if i deny..
:spider: :spider: :spider: :spider: :spider: :spider: :spider: :spider:
thanks for the help so far!! best forum ever!!:bigthumb:
PS: what is a "icmp 11 echo recuest" and time "ecceeded for datagram"
evry program is trying to send something like that now and then, i see it on my firewall..:sad:
:oops: "time ecceeded for datagram":oops:
pskelley
2007-03-05, 21:24
If you are saying you would like me to help you clean the computer, post another HJT log. I will respond as soon as possible after you post.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 00:26:55, on 10.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programfiler\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Ares\Ares.exe
C:\Programfiler\uTorrent\uTorrent.exe
C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe
C:\Programfiler\TuneUp Utilities 2007\RegistryCleaner.exe
C:\Programfiler\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - Default URLSearchHook is missing
O1 - Hosts: AmsServer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
but please what is "time ecceeded for datagram" and "icmp echo (8/11) request"
pskelley
2007-03-10, 01:11
I apologize, I did not understand that was a question earlier. Here is your own google:
http://www.google.com/ (careful to use the correct spelling)
http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=1&ct=result&cd=1&q=time+exceeded+for+datagram&spell=1
http://www.google.com/search?hl=en&q=icmp+echo+%288%2F11%29+request&btnG=Search
I personally do not know either term, you may wish to discuss those with your Internet Service Provider.
Logfile of HijackThis v1.99.1 Scan saved at 00:26:55, on 10.03.2007
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Use these instructions > http://russelltexas.com/malware/teatimer.htm
Turn off TeaTimer until we are done, it will block changes we must make.
Appears you were able to remove the real problems, nothing but a little cleaning to do.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
(if you placed this in the Hosts file you may leave it)
O1 - Hosts: AmsServer
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Let me know about any malware issues along with a new HJT log for a final check.
Thanks
hi and thanks for a quick reply..
i have discovered something, i have all these winlogon notifiers in a list in spybot.. among them iifccdd.dll which i KNOW is a virus of some kind...
what should i do??
here is the spybot SD list:
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2007-02-07 TeaTimer.exe (1.5.0.6)
2007-01-02 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-07 Includes\Beta.sbi
2005-02-16 Includes\Beta.uti
2007-03-07 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-03-07 Includes\DialerC.sbi
2007-02-07 Includes\Hijackers.sbi
2007-03-07 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-03-07 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2007-02-14 Includes\Malware.sbi
2007-03-07 Includes\MalwareC.sbi
2007-01-19 Includes\PUPS.sbi
2007-03-07 Includes\PUPSC.sbi
2007-03-07 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-03-07 Includes\SecurityC.sbi
2007-02-02 Includes\Spybots.sbi
2007-03-07 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2007-03-07 Includes\Trojans.sbi
2007-03-07 Includes\TrojansC.sbi
Located: HK_LM:Run, Alcmtr
command: ALCMTR.EXE
file: C:\WINDOWS\ALCMTR.EXE
size: 69632
MD5: 8b4cbba1ea526830c7f97e7822e2493a
Located: HK_LM:Run, AlcWzrd
command: ALCWZRD.EXE
file: C:\WINDOWS\ALCWZRD.EXE
size: 2805248
MD5: 986e16d223eeaf13ed30e6c0c576982c
Located: HK_LM:Run, DiskeeperSystray
command: "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
file: C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe
size: 184408
MD5: 1cc38090c948ba34ac7d0cc17af3f4b4
Located: HK_LM:Run, High Definition Audio Property Page Shortcut
command: HDAudPropShortcut.exe
file: C:\WINDOWS\system32\HDAudPropShortcut.exe
size: 61952
MD5: bdb806c747c5257b9919e1a64b2db67b
Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 77824
MD5: 303557c7f562e667b66fa406b7fa07bd
Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 94208
MD5: 41e653a8852072673e9fa230d360f7a9
Located: HK_LM:Run, IntelliPoint
command: "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
file: C:\Programfiler\Microsoft IntelliPoint\point32.exe
size: 217088
MD5: 997dd02e4b8f43795e90391b5e4266e6
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: b3a06b00d56f3253f1f59c1f1f090d4f
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: b3a06b00d56f3253f1f59c1f1f090d4f
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1622016
MD5: 0294e2a5e89bf786f24a9cc2fd753191
Located: HK_LM:Run, Persistence
command: C:\WINDOWS\system32\igfxpers.exe
file: C:\WINDOWS\system32\igfxpers.exe
size: 114688
MD5: 614ba6b76f922a4924c26a80cdec376d
Located: HK_LM:Run, PWRISOVM.EXE
command: C:\Programfiler\PowerISO\PWRISOVM.EXE
file: C:\Programfiler\PowerISO\PWRISOVM.EXE
size: 200704
MD5: 63ff498268fed7262753f3975fd04860
Located: HK_LM:Run, SmcService
command: C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
file: C:\PROGRA~1\Sygate\SPF\smc.exe
size: 2577632
MD5: 8eca9578bfc7da42d6d24c862224c5db
Located: HK_LM:Run, Sony Ericsson PC Suite
command: "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
file: C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
size: 159744
MD5: f0b9213ad99e77fc481c24c9023aa9c6
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 90112
MD5: 1319df88f588709d13ac701c39745705
Located: HK_LM:Run, SW20
command: C:\WINDOWS\system32\sw20.exe
file: C:\WINDOWS\system32\sw20.exe
size: 208896
MD5: 7eedd0c922b320a4dafaca25ab980179
Located: HK_LM:Run, SW24
command: C:\WINDOWS\system32\sw24.exe
file: C:\WINDOWS\system32\sw24.exe
size: 69632
MD5: 3549b1a6b0aebef06b576591306c8af1
Located: HK_CU:Run, µTorrent
command: "C:\Programfiler\uTorrent\uTorrent.exe"
file: C:\Programfiler\uTorrent\uTorrent.exe
size: 177152
MD5: e3013175d75cb6abbb55f61fdfef7f50
Located: HK_CU:Run, 3COM
command: "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
file: C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
size: 409600
MD5: f656d94ff17a517ca1a1b9bba53d7b2d
Located: HK_CU:Run, ares
command: "C:\Programfiler\Ares\Ares.exe" -h
file: C:\Programfiler\Ares\Ares.exe
size: 969728
MD5: 9d452ef96110f68a113af0895c77c62a
Located: HK_CU:Run, AWMON
command: "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
file: C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
size: 517632
MD5: 107af2de3af10d6d09c1b36fe9ef9156
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: ddc0e7a20f0f77bec5108c265c4ae435
Located: HK_CU:Run, MsnMsgr
command: "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Programfiler\MSN Messenger\MsnMsgr.Exe
size: 5674352
MD5: c4281ad865739e71fd1e4dac19a68d60
Located: Startup (user), ASUS Smartdoctor.lnk
command: C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
file: C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
size: 1073152
MD5: f0af728a7096f9b343e14d51c11f6f69
Located: WinLogon, awtqq
command: C:\WINDOWS\system32\awtqq.dll
file: C:\WINDOWS\system32\awtqq.dll
size: 282212
MD5: ea70704d54347567b8d28f49a0930af1
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
Located: WinLogon, iifccdd:spider:
command: iifccdd.dll
file: iifccdd.dll
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 14:08:49, on 10.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Executive Software\Diskeeper\DkService.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\uTorrent\uTorrent.exe
C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
pskelley
2007-03-10, 16:38
Let me first say that your HJT log appears to be clean of malware. While I will try to help, I prefer you ask questions dealing with Spybot here:
http://forums.spybot.info/forumdisplay.php?f=4
DO NOT post HJT log there.
Using Google: http://www.google.com/ to search for this: iifccdd.dll returns this information:
http://www.google.com/search?q=iifccdd.dll+&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
The second link provides this information:
http://spywaredlls.prevx.com/RRAHHH25968799/FCCCCCD.DLL.html
I am guessing it is a leftover in the registry that was not removed, It is rare all of the infection is ever removed without a good cleaning of the registry. I would see what the folks in the Spybot forum have to say.
Here are scanners if you wish to scan any files:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\system32\awtqq.dll <<< no doubt this is a Vundo infection, and it may be a leftover? To see if you have a hidden vundo infection, please return to:
C:\Programfiler\Hijackthis\HijackThis.exe <<< rename the file to TVIRUS.exe or whatever you wish, restart the computer and post a new HJT log. If the infections is present, we should be able to see it.
Thanks
sorry, it took time to restart my computer..:oops: it has some hardware issues so sometimes it doesnt start..:sad: but anyhow.. i completed your steps an here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 11:52:43, on 13.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Hijackthis\xwsfadgdd.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Programdata\Prevx\pxbho.dll
O2 - BHO: (no name) - {5FC69698-209F-4A4B-8219-1F047D7F1265} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\iifccdd.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O20 - Winlogon Notify: iifccdd - C:\WINDOWS\SYSTEM32\iifccdd.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programfiler\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
pskelley
2007-03-13, 13:58
Thanks for returning your information and you are indeed infected by the Vundo trojan and it is a nasty infection. Let me show it to you first so you will know what you are after. Also you have Prevx1 installed, keep in mind this program, which I use at times is a hugh resource user and will slow the computer considerably until it is removed, if you do not own it, you may want to consider uninstalling it. I can think of no reason for us using it for this removal.
Here is the Vundo:
O2 - BHO: (no name) - {5FC69698-209F-4A4B-8219-1F047D7F1265} - C:\WINDOWS\system32\awtqq.dll
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\iifccdd.dll
O20 - Winlogon Notify: iifccdd - C:\WINDOWS\SYSTEM32\iifccdd.dll
So you will know how this works, the hackers can call their junk anything they want, sometimes it take the Vundofix a few runs to identify and kill all of the Vundo files. You want to watch the results and you are looking for the report to say all files "Have been deleted", at that point, post the results of the Vundofix.txt and a new HJT log.
Thanks to Atribune and any others who helped with this fix
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Thanks
You may want to keep an eye on this link, there is a class action in progress on this malware that you might be able to benefit from.
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
i have completed the steps and found a few vundos... hope i am clean from malware now!!
here is my vundofix log:
VundoFix V6.3.16
Checking Java version...
Sun Java not detected
Scan started at 14:56:42 14.03.2007
Listing files found while scanning....
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\gyoxxcvq.exe
C:\WINDOWS\system32\iifccdd.dll
C:\WINDOWS\system32\lxwrlxvp.ini
C:\WINDOWS\system32\pvxlrwxl.dll
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\vtuts.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\awtqq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gyoxxcvq.exe
C:\WINDOWS\system32\gyoxxcvq.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifccdd.dll
C:\WINDOWS\system32\iifccdd.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\lxwrlxvp.ini
C:\WINDOWS\system32\lxwrlxvp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pvxlrwxl.dll
C:\WINDOWS\system32\pvxlrwxl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\iifccdd.dll
C:\WINDOWS\system32\iifccdd.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.16
Checking Java version...
Sun Java not detected
Scan started at 15:15:40 14.03.2007
Listing files found while scanning....
No infected files were found.
And my hjt log:
--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 15:40:13, on 14.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Programfiler\uTorrent\uTorrent.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Hijackthis\xwsfadgdd.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Iexp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [3COM] "C:\Programfiler\3Com\3Com Wireless USB Utility\Wlan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ares] "C:\Programfiler\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [µTorrent] "C:\Programfiler\uTorrent\uTorrent.exe"
O4 - Startup: ASUS Smartdoctor.lnk = C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programfiler\Ares\chatServer.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programfiler\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programfiler\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
pskelley
2007-03-14, 16:09
Thanks for returning your information. Good job:bigthumb: how's the computer running now? Let's do this:
C:\Programfiler\Hijackthis\xwsfadgdd.exe <<< you can rename HJT if you wish, and delete all programs we used during the cleanup. The exception is ATF-Cleaner, you may keep that nice program if you wish.
C:\Programfiler\Prevx1\PXAgent.exe <<< don't forget to uninstall this program if you did not purchase it. It eats resources.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
HJT may not be able to remove these lines with Ad-Watch and Prevx running, turn them off when you do this:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
(these are not malware just clutter, you may leave them if you wish)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Clean your System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Now everything is back to normal! thanks to you and those programs:D:
well i know where to ask if something happens!.. but of course it wont.. i hope!!
:D:thanks again:D:
Tvirus:bigthumb:
pskelley
2007-03-24, 16:51
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks