View Full Version : Re-direct/pop-up problems
I'm hoping you can assist; I've picked up a nasty that I can't seem to shake out of my system. I've read your FAQ's and there are a few hints at what might be the problem, but I've gone as far as I can with my limited knowledge. I've already run Spybot S&D and AVG(v7.5); minor problems were detected and fixed, but still having pop-up problems, specificaly from IP 89.188.16.16.
I downloaded HijackThis! & followed the instructions I've read here in the forum. Below is the log of HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:23:15 PM, on 5/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HijackThis\scanner.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\akmnakbe.dll (file missing)
O2 - BHO: (no name) - {1DE6A733-4782-0959-A33D-6AE34FE4F9EB} - C:\WINDOWS\System32\mjeb.dll (file missing)
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\System32\efcyyyw.dll (file missing)
O2 - BHO: (no name) - {4F7F7F0C-63E9-43DA-BBF0-F336643A76CF} - C:\WINDOWS\System32\gebyw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{031014D9-095F-1033-1101-040120050001}] "C:\Program Files\Common Files\{031014D9-095F-1033-1101-040120050001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Bev] "C:\Documents and Settings\Administrator\My Documents\?ssembly\?hkdsk.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: efcyyyw - efcyyyw.dll (file missing)
O20 - Winlogon Notify: gebyw - C:\WINDOWS\System32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
**I read tashi's "Before you post" and understand that I may have an outdated SP installed- I "inherited" this computer from another family member and mistakenly assumed that it was up-to-date when I got it.**
Thanks in advance for any help you may be able to render!
Sincerely,
-Mark
pskelley
2007-05-04, 12:51
Welcome to the forum, I hate to be the bearer of bad news but you have a badly infected computer here. I see a Vundo infection which is hard to remove but it can be done and PurityScan/OIN wich is an adware infection but our major issue is this one:
O4 - HKLM\..\Run: [WinApp32] msapp.exe read about it here:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-032416-1326-99
Backdoor.Rsbot is a back door Trojan horse that gives a hacker unauthorized access to your computer.
and the Google: http://www.google.com/search?hl=en&q=RSBOT+virus+&btnG=Google+Search
For your safety and security you need to consider this information:
You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
You said the computer was given to you and I do not know what you will be using it for. If you want to clean it, we can do that, we just can not say it will be safe after this type of intrusion. Please let me know how you wish to proceed in your next post.
Thanks...Phil
Well, I've always been up for a challenge- if you can walk me through it, I'd like to try to clean it, if it can be done.
Thanks for getting back to me & I will take your advice about securing/notifying my financial insitutions.
-Mark13
pskelley
2007-05-04, 23:10
OK Mark, first I would like you to review these instructions again so we are sure to be on the same page: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please follow the instructions carefully and in the order I post them.
1) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
2) Start > Control Panel > Add Remove Programs and uninstall PurityScan, OIN, OuterInfo, Yazzle or any other program you know should not be there.
3) Some information about Winfixer/Vundo trojan: Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
(hold the reports and logs until you finish)
______________________________________________
Thanks to sUBs and anyone else who helped with this fix.
4) Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Restart the computer and post the Vundofix report, the log from Combofix and a new HijackThis log.
Thanks
pskelly,
Ok, here's what I've done so far (I apologize in advance for the detail- just want to make sure I haven't missed/skipped a step or instruction):
- Reviewed the "BEFORE you POST" & understand contents. Will take advice @ my own risk.
#1: AVG Resident Shield deactivated.
#2: Only program that shouldn't be there was a "MediaTickets by OIN" -uninstalled successfully.
#3: Read the articles - thanks for the info
Here's the logs as requested (in order, Vundofix/Combofix/new HijackThis): **I ran Combofix for over an hour and never saw any kind of indication that the program had finished. I've attached the log that was generated**
Vundofix Log:
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 4:53:09 PM 5/4/2007
Listing files found while scanning....
C:\WINDOWS\System32\efcyyyw.dll
C:\WINDOWS\System32\gebyw.dll
C:\WINDOWS\System32\wybeg.bak1
C:\WINDOWS\System32\wybeg.bak2
C:\WINDOWS\System32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\System32\gebyw.dll
C:\WINDOWS\System32\gebyw.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\wybeg.bak1
C:\WINDOWS\System32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\wybeg.bak2
C:\WINDOWS\System32\wybeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\wybeg.ini
C:\WINDOWS\System32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Combofix Log:
1 file(s) copied.
Delete of value 'disableregistrytools' in 'hkcu\software\microsoft\windows\currentversion\policies\system' failed
C:\DOCUME~1\ALLUSE~1\APPLIC~1
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)
Error: Key: software\microsoft\windows\currentversion\uninstall\webnexus does not exist!
FINDSTR: Line 3223 is too long.
FINDSTR: Line 3234 is too long.
FINDSTR: Line 7435 is too long.
FINDSTR: No search strings
The process tried to write to a nonexistent pipe.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)
Error: Key: software\winpcap does not exist!
Could Not Find C:\DOCUME~1\ALLUSE~1\STARTM~1\-d743~1.lnk
Could Not Find C:\DOCUME~1\ALLUSE~1\STARTM~1\4bb6~1.lnk
Could Not Find C:\Documents and Settings\-83f1~1.url
New HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 18:58, on 07-05-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\scanner.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\akmnakbe.dll (file missing)
O2 - BHO: (no name) - {1DE6A733-4782-0959-A33D-6AE34FE4F9EB} - C:\WINDOWS\System32\mjeb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: (no name) - {DDC900BC-9B85-426C-B350-D3E9B8B39E92} - C:\WINDOWS\System32\gebyw.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Bev] "C:\Documents and Settings\Administrator\My Documents\?ssembly\?hkdsk.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: efcyyyw - efcyyyw.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Thanks again for taking the time & effort to help me on this!
-Mark
pskelley
2007-05-05, 02:57
Thanks for the feedback, not sure what happened to combofix, first time it has not worked for me. I can ask the creator if we need to, let's look at the HJT log, Vundofix seems to have killed that infection.
See this info: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_11\ <<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.
Logfile of HijackThis v1.99.1 Scan saved at 18:58, on 07-05-04
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\akmnakbe.dll (file missing)
O2 - BHO: (no name) - {1DE6A733-4782-0959-A33D-6AE34FE4F9EB} - C:\WINDOWS\System32\mjeb.dll (file missing)
O2 - BHO: (no name) - {DDC900BC-9B85-426C-B350-D3E9B8B39E92} - C:\WINDOWS\System32\gebyw.dll (file missing)
O4 - HKCU\..\Run: "C:\Documents and Settings\Administrator\My Documents\?ssembly\?hkdsk.exe"
O20 - Winlogon Notify: efcyyyw - efcyyyw.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Documents and Settings\Administrator\My Documents\?ssembly\ <<< delete that folder
([B]PurityScan/OIN)
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, let me know how the computer is running.
Mark, since this was such a nasty infection and you have the program onboard, I would appreciate it if you would use the instructions in this link to run AVG Anti-Spyware making sure you delete or at least quarantine anything it finds. Post the scan results as soon as you have them. http://forums.security-central.us/showthread.php?t=3165
Thanks...Phil
Phil,
Ok, here's what I've accomplished:
#1: Checked/unchecked requested items.
#2: Downloaded ATF Cleaner.
#3: Deactivated the Resident Shield.
#4: Ran HijackThis & checked/fixed items indicated.
#5: Explored for "C:\Documents and Settings\Administrator\My Documents\?ssembly\ <<< delete that folder (PurityScan/OIN)", but could not locate folder by that name in that location. Searched entire C:\ drive and closest thing was located at: C:\Windows\assembly However, I did not delete it (since you didn't say to & the contents appeared important!).
#6: Ran ATF Cleaner
Below are the two logs you requested- HJT & AVG:
HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 23:19, on 07-05-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\scanner.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
AVG Log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 23:36 07-05-04
+ Scan result:
C:\System Volume Information\_restore{7C3DB445-2A0A-471B-982A-5E6208F3B43B}\RP405\A0036648.dll -> Trojan.Rond : Cleaned.
C:\System Volume Information\_restore{7C3DB445-2A0A-471B-982A-5E6208F3B43B}\RP405\A0036649.exe -> Trojan.Rond : Cleaned.
::Report end
The computer is running fine; start-up seems faster & only other change that is immediately noticable to me is that my clock changed from a 12 to 24 hour setting & my printer needs to be re-installed. If this is the worse that happens, I'll consider myself extremely lucky!
I've already said thanks several times, but here's another one: Thanks!!!
You guys have made my Christmas card list this year!
-Mark
pskelley
2007-05-05, 11:25
Thanks for the feedback Mark, you did the right thing with that file, we don't want to delete anything valid. Here are tools you can save to use if ever needed to check a file to see if it is valid:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Looks like the OIN file is gone, probably had been removed and just needed to be removed from HJT.
You have a couple of restrictions set here, if you know about them, fine. You can use HJT to remove them if you don't want them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
You can rename HJT if you wish, the balance of the HJT appears clean of malware.
These instructions will remove the junk from your System Restore files AVG found:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Some ideas to make the computer run better:
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_date_it_overview.mspx?mfr=true
If you do not own AVG Anti-Spyware, this information applies:
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
pskelley
2007-05-14, 13:06
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks