My computer is infected by Virtu Mondo



LarsRoan
2007-03-07, 11:50
Like another member (http://forums.spybot.info/archive/index.php/t-2996.html) I face the same problem. The reason is 10 minutes without a firewall two days ago. I tried to link my new PC to my old PC through the router and have experienced that ZoneAlarm blocks this unless I close it down. Then I forgot to physically remove the broadband line from my router. Today AVG found two viruses (or?): C:\Docum..settings\myName\LocalSettings\oexuwrin.dll and C:\Windows\system32\Mswinsck.ocx - which were deleted. Going by the time/date, I found some further suspicious files created at the same time as the last one in C:\Windows\system32\;
ssqrpmj.dll + pmnkihg.dll + wvutrom.dll + fccayxw.dll + cbxyvww.dll + iifgfcd.dll + jkhhe.dll + ssqpo.dll + ssttt.dll and
ehhkj.ini + opqss.ini + tttss.ini + tttss.bak1 + qpnqhiti.exe + npgpbwqw.exe.
At exactly the same minute, but 24 hours after these were installed, these files have also been installed;
oylqfiwd.dll + tttss.bak2 + qpnqhiti.exe + dwifqlyo.ini.
tttss.ini and dwifqlyo.ini have been changed even this morning.

This morning SpybotSD found two infections:

VirtuMonde: Library (File, nothing done) D:\Programfiler\VSAdd-in\VSAdd-in.dll
VirtuMonde: Program directory (Directory, nothing done) D:\Programfiler\VSAdd-in\

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15

Smitfraud-C.Toolbar888: Executable (File, nothing done)
C:\Documents and Settings\myname\Lokale innstillinger\Temp\removalfile.bat

They're both immunized. But how do I remove them? What about the DLLs etc. in my System32 folder? Here is my HijackThis log [I included some comments at the end of a few lines]:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:15, on 07.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVGFRE~1\avgamsvr.exe [antivirus - ok]
D:\PROGRA~1\AVGFRE~1\avgupsvc.exe [antivirus - ok]
D:\PROGRA~1\AVGFRE~1\avgemc.exe [antivirus - ok]
C:\WINDOWS\system32\nvsvc32.exe
D:\Programfiler\DU Meter\DUMeter.exe [measure the traffic - ok]
D:\Programfiler\ZoneAlarm\zlclient.exe [firewall ok]
D:\Programfiler\Microsoft IntelliType Pro\type32.exe [MS keyboard - OK]
D:\Programfiler\Stickies\stickies.exe [notes - OK]
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Opera\Opera.exe [browser - ok]
D:\Programfiler\AVG Free\avgcc.exe [antivirus - ok]
D:\Programfiler\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftenposten.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [DU Meter] D:\Programfiler\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Programfiler\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "D:\Programfiler\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oylqfiwd.dll",setvm [this is one of the infected files listed above]
O4 - Startup: Stickies.lnk = D:\Programfiler\Stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
********************************
Can anyone give me some good advice (like pskelley did for the other member) about how to go on and get rid of all these problems?
Is VundoFix the optimal tool for me as well?
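As an added example (not code from the thread, from HijackThis or from any tool mentioned in it): two checks a responder could run over the O4 lines of an HJT log and over file creation times, following the two clues in the post, the rundll32 autorun whose value name has nothing to do with the DLL it loads, and the System32 files that share one creation minute. The sample lines and timestamps are constructed, and the name-mismatch heuristic is an assumption of this example, not a rule from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample O4 lines in HijackThis format; the last two mirror entries from the post.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [Zone Labs Client] "D:\Programfiler\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\oylqfiwd.dll",setvm',
]

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)

def rundll32_loads(lines):
    """(run value name, DLL path, export) for every O4 entry that starts a DLL through rundll32."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        r = RUNDLL_RE.match(m.group('cmd')) if m else None
        if r:
            hits.append((m.group('name'), r.group('dll'), r.group('export')))
    return hits

def suspicious_rundll32(lines):
    """Heuristic (an assumption of this example): a rundll32 autorun whose DLL lives in system32
    and whose value name shares nothing with the DLL's name deserves a closer look."""
    flagged = []
    for name, dll, export in rundll32_loads(lines):
        norm = dll.replace('\\', '/').lower()
        stem = norm.rsplit('/', 1)[-1].rsplit('.', 1)[0]
        related = stem in name.lower() or name.lower() in stem
        if '/system32/' in norm and not related:
            flagged.append((name, dll, export))
    return flagged

# Constructed creation times: the poster's clue was several System32 files sharing one minute.
T = datetime(2007, 3, 6, 9, 41, 0)
SAMPLE_FILES = {
    'oylqfiwd.dll': T,                          # the DLL the flagged Run entry loads
    'tttss.bak2': T + timedelta(seconds=20),
    'dwifqlyo.ini': T + timedelta(seconds=41),
    'ntdll.dll': datetime(2004, 8, 4, 12, 0),   # a normal system file, far outside the window
}

def same_minute_cluster(files, seed, window=timedelta(seconds=59)):
    """Names of files created within `window` of the seed file (files maps name -> datetime)."""
    t0 = files[seed]
    return sorted(n for n, t in files.items() if n != seed and abs(t - t0) <= window)

if __name__ == '__main__':
    for name, dll, export in suspicious_rundll32(SAMPLE_O4):
        print('suspicious autorun:', name, dll, export)
        print('created in the same minute:', same_minute_cluster(SAMPLE_FILES, 'oylqfiwd.dll'))
```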

pskelley
2007-03-07, 14:59
Welcome to the forum. It seems you may have missed these instructions: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288 - be sure to review them. You can wait on the online antivirus scan; I will let you know if I need it later.

Please do not add information to the HJT log; we use a scanner and I have to remove that stuff before I can scan. I would like to rush right into this, as it seems it is Vundo, but I need to have a look at what we are dealing with.

Return here: D:\Programfiler\HijackThis\HijackThis.exe <<< point your mouse and choose to rename HijackThis.exe. Call it LarsRoan.exe or whatever you wish. Restart the computer and post a new HJT log. I will respond as soon as possible after that with instructions. Please use Post Reply and stay in this topic.

I also need to suggest you stay offline as much as possible; this junk will attract more.

Thanks

LarsRoan
2007-03-07, 16:09
I'm sorry for adding information to the HJT log! Shortly before your reply I got help at another forum: http://www.atribune.org/forums/index.php?showtopic=3009&st=0#entry12802 The idea was not to ask for help all over, but I knew that this could very easily spread further, and because of that I was in a hurry. Now I've succeeded in removing most of this shit. Anyhow, thanks for your reply, pskelley.

I'll send a log over to the other forum, as I've described there in detail what I have done in my attempt to clean up.

Best regards, Lars Roan, Norway

pskelley
2007-03-07, 16:21
Thanks for letting me know. In the future, if you need help, take the time to read the instructions; you would have read this:

Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Many of our volunteers are at several forums.

LarsRoan
2007-03-07, 17:27
You're right! I'm sorry!

pskelley
2007-03-16, 21:37
Resolved and closed

Thanks