malware help please
Hello - I am having malware issues on my PC.. any help would be great!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:53 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\F?nts\s?ool32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Udhs] "C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\svchost.exe" -vt ndrv
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 4813 bytes
Just some additional information to add..
I ran a virus scan and it "cleaned" 10 viruses.. (I do not have that log)
When I rebooted in safe mode Spybot could not get rid of the malware.
I am rerunning my virus scan and it is coming up with viruses again.. (will post that log when it's done)
I am getting 3 types of malware when I run Spybot - I do not remember the names, will put them up after virus checking is done, but I do know that one is
smitfraud
the other is web(something)
and the third starts with a Z
I am also getting a DLS0523pmw.exe error whenever I reboot..
Antivirus log
Started scanning at 7/20/2007 8:28:11 PM. Engine Ver: 30.8.1. Sig Ver:3797. Sig Date: 7/20/2007.
Finished scanning at 7/20/2007 8:28:22 PM.
Started scanning at 7/20/2007 9:06:07 PM. Engine Ver: 30.8.1. Sig Ver:3797. Sig Date: 7/20/2007.
C:\WINDOWS\SYSTEM32\efcyy.dll - Win32/Vundo!generic trojan. Cleaned.
C:\WINDOWS\SYSTEM32\efcyvst.dll - Win32/Chisyne!generic trojan. Cleaned.
C:\WINDOWS\SYSTEM32\config\system.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\software.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\default.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - scan failed.
C:\WINDOWS\SYSTEM32\config\DEFAULT - scan failed.
C:\WINDOWS\SYSTEM32\config\SECURITY - scan failed.
C:\WINDOWS\SYSTEM32\config\SOFTWARE - scan failed.
C:\WINDOWS\SYSTEM32\config\SYSTEM - scan failed.
C:\WINDOWS\SYSTEM32\config\SAM - scan failed.
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb - scan failed.
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log - scan failed.
C:\VundoFix Backups\jkhef.dll.bad - Win32/Vundo!generic trojan. Deleted.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\ntuser.dat - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\Owner\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\Owner\ntuser.dat - scan failed.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9HULN76\CA14AXPF - Win32/Vundo!generic trojan. Deleted.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\F7Q0A23D\!update-4395[1].0000 - Win32/Clspring.GS trojan. Deleted.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe - Win32/Clspring.GS trojan. Deleted.
C:\Documents and Settings\Owner\Application Data\aѕsembly\svchost.exe - Win32/Clspring.GS trojan. Deleted.
C:\System Volume Information\_restore{ED23238F-F284-4BB5-A0F9-969C3CD601BD}\RP1435\A0182428.dll - Win32/Vundo!generic trojan. Deleted.
C:\System Volume Information\_restore{ED23238F-F284-4BB5-A0F9-969C3CD601BD}\RP1437\A0182445.dll - Win32/Vundo!generic trojan. Deleted.
C:\System Volume Information\_restore{ED23238F-F284-4BB5-A0F9-969C3CD601BD}\RP1437\A0182457.exe - Win32/Clspring.GS trojan. Deleted.
C:\System Volume Information\_restore{ED23238F-F284-4BB5-A0F9-969C3CD601BD}\RP1438\A0182514.EXE - Win32/Clspring.GS trojan. Deleted.
Finished scanning at 7/20/2007 10:02:54 PM.
Renamed HijackThis.exe and reran the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:48 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\F?nts\s?ool32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\testhj.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C314E1-037B-4704-9802-31CCCC848F83} - (no file)
O2 - BHO: (no name) - {264AC7F9-41FA-49E5-B11D-FC08B5205052} - C:\WINDOWS\system32\jkhef.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {663F4CDD-A63E-F4BD-1A16-828DBD57D796} - C:\WINDOWS\system32\bylyd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {95675BAC-9EC3-4884-99A1-B3EAA81F095B} - C:\WINDOWS\system32\efcyy.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\efcyvst.dll
O2 - BHO: (no name) - {f988d31b-800c-4ed8-82a9-e1b920186318} - C:\WINDOWS\system32\ahywbcv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\RunOnce: [iWinArcadeIECleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\iWinArcadeAutocleanup.bat
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: efcyvst - C:\WINDOWS\SYSTEM32\efcyvst.dll
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6002 bytes
I noticed that you asked people to run ComboFix.. ran that as well.. (trying to clean as much of this on my own).. here is the log
"Owner" - 2007-07-20 22:41:43 - ComboFix 07-07-14.6 - Service Pack 2 FAT32
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\SYSTEM32\yycfe.ini
C:\WINDOWS\SYSTEM32\yycfe.bak1
C:\WINDOWS\system32\efcyy.dll
C:\WINDOWS\system32\efcyvst.dll
C:\WINDOWS\system32\efcyvst.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Owner\APPLIC~1.\asembl~1
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\bylyd.dll
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\s?ool32.exe
C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z3\w0716.exe
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\Z9
C:\WINDOWS\system32\Z9\bw73.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_SFSYNC02
-------\core
-------\Net Agent
-------\sfsync02
((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))
2007-07-20 22:43 0 --a------ C:\WINDOWS\SYSTEM32\sfsync02.dll
2007-07-20 22:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 19:51 <DIR> d-------- C:\VundoFix Backups
2007-07-20 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 12:39 54,784 --a------ C:\WINDOWS\tbgmodg.exe
2007-07-20 12:39 49,152 --a------ C:\WINDOWS\TISKY009.exe
2007-07-20 12:39 172,032 --a------ C:\WINDOWS\SYSTEM32\ahywbcv.dll
2007-07-20 12:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\Z11
2007-07-20 12:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\driver
2007-07-20 12:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\b02FdUe
2007-07-13 18:28 <DIR> d-------- C:\images
2007-07-13 18:28 <DIR> d-------- C:\eq2map
2007-07-06 11:59 <DIR> d-------- C:\Program Files\Common Files\AOL
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-05 22:20:48 630,200 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-05 22:20:48 108,392 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-05-25 23:12:34 -------- d--h--w C:\DOCUME~1\Owner\APPLIC~1\GTek
2007-04-26 21:47:58 94 ----a-w C:\WINDOWS\popcinfo.dat
2005-05-28 01:35:40 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-09-23 01:16:30 271 --sh--w C:\Program Files\desktop.ini
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15C314E1-037B-4704-9802-31CCCC848F83}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264AC7F9-41FA-49E5-B11D-FC08B5205052}]
C:\WINDOWS\system32\jkhef.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-05-21 21:53 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f988d31b-800c-4ed8-82a9-e1b920186318}]
2007-07-20 12:39 172032 --a------ C:\WINDOWS\system32\ahywbcv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\NWIZ.EXE]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 00:35]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [2006-01-16 13:01]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2006-01-16 13:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-29 23:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 21:53]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
Contents of the 'Scheduled Tasks' folder
2007-07-18 19:41:34 C:\WINDOWS\tasks\Disk Cleanup.job
2007-07-20 07:00:02 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 22:48:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-20 22:49:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-20 22:49
--- E O F ---
One more ComboFix log - quarantined files
2000-06-08 17:00 20480 --a------ C:\Qoobox\Quarantine\C\WINDOWS\start.exe.vir
2005-08-10 09:06 19968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\sfsync02.sys.vir
2007-06-20 10:49 60928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bylyd.dll.vir
2007-06-20 10:50 229888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\FNTS~1\s?ool32.exe.vir
2007-07-03 16:16 270336 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\Z9\bw73.exe.vir
2007-07-16 23:21 9814 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\Z3\w0716.exe.vir
2007-07-17 08:27 56320 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b122.exe.vir
2007-07-20 12:39 189 --a------ C:\Qoobox\Quarantine\C\WINDOWS\retadpu572.exe.vir
2007-07-20 12:39 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\efcyvst.dll.vir
2007-07-20 12:39 65536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir
2007-07-20 12:41 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnscpsv.exe.vir
2007-07-20 18:37 34816 --a------ C:\Qoobox\Quarantine\C\WINDOWS\rau001978.exe.vir
2007-07-20 20:02 266336 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\efcyy.dll.vir
2007-07-20 20:02 6489 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yycfe.bak1.vir
2007-07-20 22:43 1004 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-07-20 22:43 1050 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NET_AGENT.reg.cf
2007-07-20 22:43 1374 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_SFSYNC02.reg.cf
2007-07-20 22:43 2430 --a------ C:\Qoobox\Quarantine\Registry_backups\services_Net Agent.reg.cf
2007-07-20 22:43 2572 --a------ C:\Qoobox\Quarantine\Registry_backups\services_sfsync02.reg.cf
2007-07-20 22:43 7166 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yycfe.ini.vir
2007-07-20 22:43 870 --a------ C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
Folder PATH listing
Volume serial number is 2755-1C08
C:\QOOBOX
\---Quarantine
+---Registry_backups
| LEGACY_CORE.reg.cf
| LEGACY_NET_AGENT.reg.cf
| LEGACY_SFSYNC02.reg.cf
| services_core.reg.cf
| services_Net Agent.reg.cf
| services_sfsync02.reg.cf
|
\---C
\---WINDOWS
| retadpu572.exe.vir
| b122.exe.vir
| dls0523pmw.exe.vir
| rau001978.exe.vir
| start.exe.vir
|
\---SYSTEM32
| wnscpsv.exe.vir
| bylyd.dll.vir
| yycfe.ini.vir
| yycfe.bak1.vir
| efcyy.dll.vir
| efcyvst.dll.vir
|
+---FNTS~1
| s?ool32.exe.vir
|
+---Z3
| w0716.exe.vir
|
+---Z9
| bw73.exe.vir
|
\---DRIVERS
sfsync02.sys.vir
After running ComboFix I reran VundoFix.. the last time I ran it I got this log -
VundoFix V6.5.6
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 7:51:39 PM 7/20/2007
Listing files found while scanning....
C:\WINDOWS\system32\fehkj.bak1
C:\WINDOWS\system32\fehkj.ini
C:\WINDOWS\system32\jkhef.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fehkj.bak1
C:\WINDOWS\system32\fehkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\fehkj.ini
C:\WINDOWS\system32\fehkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhef.dll
C:\WINDOWS\system32\jkhef.dll Has been deleted!
Performing Repairs to the registry.
Done!
Now after running ComboFix and rebooting... I ran it again with no files found and this log
Scan started at 10:55:26 PM 7/20/2007
Listing files found while scanning....
No infected files were found.
I then deleted the folders (but did not remove them from my recycle bin) labelled VundoFix Backups and Qoobox.. I also deleted all my restores (by turning off restore points).
This is my most recent HijackThis log -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:48 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\testhj.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C314E1-037B-4704-9802-31CCCC848F83} - (no file)
O2 - BHO: (no name) - {264AC7F9-41FA-49E5-B11D-FC08B5205052} - C:\WINDOWS\system32\jkhef.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {f988d31b-800c-4ed8-82a9-e1b920186318} - C:\WINDOWS\system32\ahywbcv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 5175 bytes
I am running another Spybot scan and will post results..
Sorry for the multiple posts.. just trying to make sure I try all the solutions I have seen posted.. and try to figure out if there is anything still wrong with the PC.. after the ComboFix run.. the DLS0523pmw.exe error did disappear..
Ran Spybot with no threats found!
I would appreciate it if a volunteer could just check the logs and verify that there is still not something lurking about.. but I hope that all is well now!!!!
I will check back on this thread in the AM.. it's getting late my time!
Hi templa
Not 100% clean but much better than before ComboFix and VundoFix :)
Open HijackThis, click do a system scan only and checkmark these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {15C314E1-037B-4704-9802-31CCCC848F83} - (no file)
O2 - BHO: (no name) - {264AC7F9-41FA-49E5-B11D-FC08B5205052} - C:\WINDOWS\system32\jkhef.dll (file missing)
O2 - BHO: (no name) - {f988d31b-800c-4ed8-82a9-e1b920186318} - C:\WINDOWS\system32\ahywbcv.dll
Close all windows including browser and press fix checked.
Reboot.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\sfsync02.dll
C:\WINDOWS\tbgmodg.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\SYSTEM32\ahywbcv.dll
Folder::
C:\WINDOWS\SYSTEM32\Z11
C:\WINDOWS\SYSTEM32\driver
C:\WINDOWS\SYSTEM32\b02FdUe
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
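As an added illustration (not code from this thread, from HijackThis or from ComboFix), the script below applies the same triage the helper did by hand to HijackThis entry lines, then renders the File::/Folder:: CFScript format shown above. The sample lines are copied from the logs posted in this thread; the flagging rules are my own heuristics, and the CFScript paths passed to `build_cfscript` are the ones the helper listed.

```python
import re

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ... - {CLSID} - <path>".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
SYSTEM32 = "c:\\windows\\system32\\"

# Sample entries copied from the HijackThis logs posted in this thread (constructed test input).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15C314E1-037B-4704-9802-31CCCC848F83} - (no file)
O2 - BHO: (no name) - {264AC7F9-41FA-49E5-B11D-FC08B5205052} - C:\WINDOWS\system32\jkhef.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f988d31b-800c-4ed8-82a9-e1b920186318} - C:\WINDOWS\system32\ahywbcv.dll
O4 - HKCU\..\Run: [Udhs] "C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\svchost.exe" -vt ndrv
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Yield (section, body) for each entry line; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def _path_of(body):
    """The last ' - '-separated field, which is where HijackThis prints the file path."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Return (section, reason, body) for every entry a reviewer should look at.

    Heuristics (my own, mirroring what the helper flagged in this thread):
      R0/R1  start page reset to about:blank (a typical hijack leftover)
      O2     BHO with no name whose DLL is gone, or which loads from system32
      O4     autorun of svchost.exe outside system32, or from a profile data/temp folder
      O20    any Winlogon Notify package (the persistence point Vundo uses)
      O23    service with no publisher ("Unknown owner")
    """
    findings = []
    for section, body in parse_entries(log_text):
        path = _path_of(body).lower()
        if section in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((section, "start page reset to about:blank", body))
        elif section == "O2" and "(no name)" in body:
            if "(no file)" in body or "(file missing)" in body:
                findings.append((section, "orphaned BHO: CLSID registered, DLL gone", body))
            elif path.startswith(SYSTEM32):
                findings.append((section, "unnamed BHO loading a DLL from system32", body))
        elif section == "O4":
            if "svchost.exe" in path and not path.startswith(SYSTEM32):
                findings.append((section, "svchost.exe autorun outside system32", body))
            elif any(t in path for t in ("\\applic~1\\", "\\application data\\", "\\temp\\")):
                findings.append((section, "autorun from a profile data/temp folder", body))
        elif section == "O20":
            findings.append((section, "Winlogon Notify package (Vundo persistence point)", body))
        elif section == "O23" and "- unknown owner -" in body.lower():
            findings.append((section, "service with no publisher", body))
    return findings


def build_cfscript(files, folders):
    """Render ComboFix's CFScript text: a File:: block, then a Folder:: block, one path per line."""
    return "\n".join(["File::", *files, "Folder::", *folders]) + "\n"


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
    # The paths below are the ones the helper listed in this thread.
    print(build_cfscript(
        [r"C:\WINDOWS\SYSTEM32\sfsync02.dll", r"C:\WINDOWS\tbgmodg.exe",
         r"C:\WINDOWS\TISKY009.exe", r"C:\WINDOWS\SYSTEM32\ahywbcv.dll"],
        [r"C:\WINDOWS\SYSTEM32\Z11", r"C:\WINDOWS\SYSTEM32\driver", r"C:\WINDOWS\SYSTEM32\b02FdUe"],
    ))
```

The named Acrobat, Spybot and NVIDIA entries pass through unflagged, which is the point of the "(no name)" and publisher checks: a reviewer only needs to read the leftovers.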
Thank you!!!.. I am at work right now.. will give this a go when I get home tonight and post the results.. Thank you for your help!!!
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.