Lots of issues... Virtumonde, AntivirusXP, etc - please help
KiloWatts
2008-09-17, 04:46
Hello... My laptop is out of control, and I'm not sure where to start. Spybot comes up with numerous problems - too many for me to list here. Below is my HJT log. One thing of note: I can't seem to enable Automatic Updates in the services for some reason. Hopefully everything can be cleaned up...
Thank you...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:22 PM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jamie\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rdsuve.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Spyware Crap\HijackThis.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [BMcbd2fc3e] Rundll32.exe "C:\WINDOWS\system32\kctajoks.dll",s
O4 - HKLM\..\Run: [c8e1cfa2] rundll32.exe "C:\WINDOWS\system32\ltrxhgkp.dll",b
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Jamie\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rdsuve.exe
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221444931203
O20 - AppInit_DLLs: tincfr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 3573 bytes
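As an added illustration, not code from the thread or from any tool mentioned in it: a small Python triage pass over HijackThis O4/O20 lines that flags the Vundo-style autostart indicators visible in the log above (rundll32 loading a DLL from system32 under a Run key, machine-generated value names, a populated AppInit_DLLs entry, autostart binaries under the user's Application Data). The sample lines are constructed from the log; the heuristics are assumptions for prioritising manual review, not verdicts.

```python
import re

# Constructed sample: O4/O20 lines in HijackThis v2 format, taken from the kinds of
# entries in the log above, with benign ones included for contrast.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [BMcbd2fc3e] Rundll32.exe "C:\WINDOWS\system32\kctajoks.dll",s',
    r'O4 - HKLM\..\Run: [c8e1cfa2] rundll32.exe "C:\WINDOWS\system32\ltrxhgkp.dll",b',
    r'O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rdsuve.exe',
    r'O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe',
    r'O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe',
    r'O20 - AppInit_DLLs: tincfr.dll',
]

# O4 Run entries: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 AppInit_DLLs entries: "O20 - AppInit_DLLs: a.dll b.dll"
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
# Command lines of the form: rundll32[.exe] "C:\path\to\x.dll",export
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


def triage_line(line):
    """Return the list of reasons this line deserves manual review ([] if none).

    All rules are heuristics (assumptions): legitimate software occasionally trips
    them, so a hit means "look at this first", not "this is malicious".
    """
    reasons = []

    m = O20_RE.match(line)
    if m and m.group('dlls').strip():
        # AppInit_DLLs loads the listed DLLs into every process that links user32.dll;
        # legitimate use is rare, so any non-empty value is worth a look.
        reasons.append('AppInit_DLLs is populated: %s' % m.group('dlls').strip())
        return reasons

    m = O4_RE.match(line)
    if not m:
        return reasons
    name, cmd = m.group('name'), m.group('cmd')

    # Value names such as c8e1cfa2 or BMcbd2fc3e mix letters and digits with no
    # product-like word in them; vendors usually name their Run values after the app.
    if re.search(r'[A-Za-z]', name) and re.search(r'\d', name):
        reasons.append('Run value name "%s" mixes letters and digits (looks generated)' % name)

    # rundll32 as the autostart host means the real payload is the DLL it loads.
    r = RUNDLL_RE.match(cmd)
    if r:
        reasons.append('rundll32 autostart of DLL %s' % r.group('dll'))

    # Autostart binaries normally live in Program Files or the Windows directory,
    # not in the user's profile data folders.
    low = cmd.lower()
    if '\\application data\\' in low or '\\local settings\\temp\\' in low:
        reasons.append('autostart binary lives under a user profile data directory')

    return reasons


def triage_log(lines):
    """Map each flagged log line to its reasons; lines with no findings are omitted."""
    findings = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == '__main__':
    for line, reasons in triage_log(SAMPLE_HJT_LINES).items():
        print(line)
        for reason in reasons:
            print('    -> ' + reason)
```

The `[mjc]` entry is deliberately left unflagged: a short plain name pointing into Program Files gives these heuristics nothing to work with, which is why the helper still runs a signature scanner rather than relying on log inspection alone.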
KiloWatts
2008-09-19, 02:52
Any idea what I should do first?
shelf life
2008-09-23, 02:01
hi,
we will start with malwarebytes;
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the malwarebytes log and a new hjt log.
KiloWatts
2008-09-23, 02:33
Thank you for your response.
Malwarebytes required a reboot to remove everything, so I rebooted. When it was finished, I ran HijackThis. Here are the logs:
------------------------
Malwarebytes' Anti-Malware 1.28
Database version: 1194
Windows 5.1.2600 Service Pack 3
9/22/2008 7:29:20 PM
mbam-log-2008-09-22 (19-29-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 70419
Time elapsed: 18 minute(s), 17 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 6
Registry Keys Infected: 28
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 101
Memory Processes Infected:
C:\Documents and Settings\Jamie\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> Unloaded process successfully.
C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rdsuve.exe (Trojan.Vundo) -> Unloaded process successfully.
C:\Program Files\mjc\mjc.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\hgGayywW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ltrxhgkp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\eelqspgh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tincfr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJYrqPJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kltwohdp.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3231a75f-fc47-433e-b693-f451c1b90311} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3231a75f-fc47-433e-b693-f451c1b90311} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{788629af-89bb-40cc-825c-44170578e2cc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljyrqpj (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{788629af-89bb-40cc-825c-44170578e2cc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e174496c-771e-4223-88f6-0829954db9e2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e174496c-771e-4223-88f6-0829954db9e2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c0de209-c495-4c57-be70-2a9bd9764538} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6c0de209-c495-4c57-be70-2a9bd9764538} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8e1cfa2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmcbd2fc3e (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{788629af-89bb-40cc-825c-44170578e2cc} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SpeedRunner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfkg6wip (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mjc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggayyww -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggayyww -> Delete on reboot.
Folders Infected:
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\mjc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\hgGayywW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WwyyaGgh.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WwyyaGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYrqPJ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tincfr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ltrxhgkp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pkghxrtl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nbhtwcib.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bicwthbn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xbohusnu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\unsuhobx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\SHCJW64H\silent.dll[1].bak (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\eelqspgh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Jamie\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Application Data\Microsoft\Windows\rdsuve.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\mjc\mjc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kltwohdp.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Jamie\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temp\mshtml3.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\04NXJ2XP\upd105320[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\04NXJ2XP\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\SHCJW64H\kb678031[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\UAB3S5R7\CATK655Z (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wzfk\wzfka.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wzfk\wzfkl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wzfk\wzfkp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\wzfk\wzfkd\wzfkc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\Program Files\HijackThis\backups\backup-20080726-190506-386.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\HijackThis\backups\backup-20080726-190507-299.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\HijackThis\backups\backup-20080726-190507-966.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP10\A0006325.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP10\A0006337.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP10\A0006338.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP10\A0006339.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP12\A0007385.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP12\A0008397.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP12\A0008421.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP14\A0010530.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP14\A0010531.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP14\A0010534.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP16\A0010597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003185.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003186.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003187.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003193.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003196.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003197.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003198.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003199.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003200.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003201.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP7\A0003202.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP9\A0005227.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{53AF7C3A-3439-490E-ADD4-E1DD6F4F77E4}\RP9\A0005229.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\torrents\Nero Burning ROM v.6.6.0.8a Keygen(wWw.LiMiTeDiVx.CoM)(LMD_T34M)By_NexT\Nero Burning ROM v.6.6.0.8a Keygen(wWw.LiMiTeDiVx.CoM)(LMD_T34M)By_NexT\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b156.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1044.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psyebggb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcbjlhel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qdhxjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uqljga.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urbmluqr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aimsuoho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\daqdfmdh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbtbjs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ekdulqtb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esltkisv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gbiigfpg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gsvwkpmq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gyasnwyk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hpmdlgwg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lkwihlwk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsyipexa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nxheydxw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tivjdc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vlvccg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vpqjeaog.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utnugc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uxglvonk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wrqcyqwq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbwsweex.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oftbjjqt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sqevogyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lurvwcnc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qlanbtga.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qqnsrz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qurjcdqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bivvhrqi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bkddokwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duufobeu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bvbokduo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WGA.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcbd2fc3e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcbd2fc3e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:13 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Spyware Crap\HijackThis.exe
O2 - BHO: (no name) - {51FAD598-9D29-437B-8E18-9A0CF06CD041} - C:\WINDOWS\system32\iifdecBT.dll (file missing)
O2 - BHO: (no name) - {5C293F4A-F677-49A6-94C6-A67BF91EE4A6} - C:\WINDOWS\system32\byXqPGaW.dll (file missing)
O2 - BHO: {16f159f3-be68-adf9-1084-022fcc929bd5} - {5db929cc-f220-4801-9fda-86eb3f951f61} - C:\WINDOWS\system32\dbtbjs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221444931203
O20 - AppInit_DLLs: dbtbjs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 3397 bytes
KiloWatts
2008-09-23, 02:44
I figured you'd probably want me to run MalwareBytes again, since it took a reboot, so here's the new log:
Malwarebytes' Anti-Malware 1.28
Database version: 1194
Windows 5.1.2600 Service Pack 3
9/22/2008 7:43:20 PM
mbam-log-2008-09-22 (19-43-20).txt
Scan type: Quick Scan
Objects scanned: 37643
Time elapsed: 3 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5db929cc-f220-4801-9fda-86eb3f951f61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5db929cc-f220-4801-9fda-86eb3f951f61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\dbtbjs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
shelf life
2008-09-23, 05:07
hi KiloWatts,
ok thanks for the info. must be looking way better on your end. please provide an uninstall list. you can get one like this:
start hjt
click on "open misc tools section"
click on "open uninstall manager"
click on "save list"
save the list somewhere and post it in your reply.
we will also get another download to use. it only runs in safe mode. link and directions:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
KiloWatts
2008-09-24, 03:11
Thanks - much, much better. Here are the logs:
AKAI professional VST Collection v1.0
ALPS Touch Pad Driver
Anarchy Effects VST v1.4
Anarchy.Rhythms.VST.v2.0-DAC
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Azureus Vuze
FireWire Family
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
IEEE802.11a/b/g Wireless LAN Software
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Live 6.0.1
Live 7.0.3
Lounge Lizard EP-2 v2.0
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
MIDI-OX
Mozilla Firefox (2.0.0.15)
Multimedia / Internet Keyboard Driver VerR8.15
Native Instruments Reaktor v4.1.3.005
Native Instruments Reaktor v5.1.0
Novation USB Audio Driver 1.2.5
OpenOffice.org Installer 1.0
Opera 9.52
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
Steinberg Cubase SX v3.1.1.944
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
Ultrafunk Sonitus:fx R3 plug-in uninstaller
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6d
Winamp
Windows Internet Explorer 7
Windows Media Format Runtime
WinRAR archiver
SDFix: Version 1.228
Run by Jamie on Tue 09/23/2008 at 08:05 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 20:07:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab.bak 9668 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 29 May 2008 230,400 ..SHR --- "C:\WINDOWS\s?mbols\?xplorer.exe"
Mon 14 Jan 2008 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 14 Jan 2008 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Fri 25 Jul 2008 68,608 A.SHR --- "C:\WINDOWS\system32\çasks\alg.exe"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:56 PM, on 9/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Spyware Crap\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {51FAD598-9D29-437B-8E18-9A0CF06CD041} - C:\WINDOWS\system32\iifdecBT.dll (file missing)
O2 - BHO: (no name) - {5C293F4A-F677-49A6-94C6-A67BF91EE4A6} - C:\WINDOWS\system32\byXqPGaW.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221444931203
O20 - AppInit_DLLs: dbtbjs.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 3723 bytes
shelf life
2008-09-24, 03:48
hi KiloWatts,
ok good thanks for the info. we will use hjt now.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"
O2 - BHO: (no name) - {51FAD598-9D29-437B-8E18-9A0CF06CD041} - C:\WINDOWS\system32\iifdecBT.dll (file missing)
O2 - BHO: (no name) - {5C293F4A-F677-49A6-94C6-A67BF91EE4A6} - C:\WINDOWS\system32\byXqPGaW.dll (file missing)
O20 - AppInit_DLLs: dbtbjs.dll
reboot and post one more hjt log please, then i think we can finish up.
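The two entry classes fixed above (O2 BHOs whose DLL is already gone, and an O20 AppInit_DLLs value) and the odd hidden-attribute paths in the SDFix report earlier in the thread are the kind of thing worth triaging automatically when reading these logs. The script below is an added example for this thread, not part of HijackThis, SDFix or the helper's instructions. The sample lines are constructed from the logs posted above; the table of well-known Windows binaries and their home directories is an illustrative assumption, not a complete list.

```python
"""Triage helper for HijackThis and SDFix log excerpts (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # "HJT" or "SDFix"
    line: str     # the original log line
    reason: str   # why a reviewer would look at it


# HijackThis entries look like "O2 - BHO: ..." or "O20 - AppInit_DLLs: ...".
HJT_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")

# SDFix "Files with Hidden Attributes" lines:
#   Thu 29 May 2008 230,400 ..SHR --- "C:\path\file.exe"
SDFIX_FILE_RE = re.compile(
    r'^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\d{1,2}\s+\w{3}\s+\d{4}\s+'
    r'[\d,]+\s+(?P<attrs>\S+)\s+---\s+"(?P<path>[^"]+)"$'
)

# Assumed, illustrative table: well-known binaries and the only directory
# in which they legitimately live on Windows XP.
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "alg.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}


def _lookalike_pattern(name: str) -> re.Pattern:
    """Build a regex from a file name in which '?' (SDFix's rendering of a
    character it cannot print; '?' is never legal in a Windows file name)
    or any non-ASCII character may stand for any single character."""
    parts = [("." if ch == "?" or ord(ch) > 127 else re.escape(ch)) for ch in name]
    return re.compile("".join(parts), re.IGNORECASE)


def triage_hjt(lines):
    """Flag orphaned BHO registrations and AppInit_DLLs injections."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and "(file missing)" in body:
            findings.append(Finding("HJT", line,
                "BHO registered but its DLL is gone: an orphaned CLSID left by removed adware"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding("HJT", line,
                    f"AppInit_DLLs loads {dlls} into every process that maps user32.dll"))
    return findings


def triage_sdfix_hidden(lines):
    """Flag hidden-attribute files with look-alike names or misplaced system binaries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SDFIX_FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        directory, _, basename = path.rpartition("\\")
        if any(ch == "?" or ord(ch) > 127 for ch in path):
            findings.append(Finding("SDFix", line,
                "path contains non-ASCII or unprintable characters: a look-alike name"))
        pattern = _lookalike_pattern(basename)
        for known, home in KNOWN_SYSTEM_BINARIES.items():
            if pattern.fullmatch(known) and directory.lower() != home:
                findings.append(Finding("SDFix", line,
                    f"{basename} resembles {known}, which belongs in {home}, but sits in {directory}"))
    return findings


# Constructed sample input, copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {51FAD598-9D29-437B-8E18-9A0CF06CD041} - C:\WINDOWS\system32\iifdecBT.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - AppInit_DLLs: dbtbjs.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
""".strip().splitlines()

SAMPLE_SDFIX = r"""
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Thu 29 May 2008 230,400 ..SHR --- "C:\WINDOWS\s?mbols\?xplorer.exe"
Mon 14 Jan 2008 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Fri 25 Jul 2008 68,608 A.SHR --- "C:\WINDOWS\system32\çasks\alg.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_sdfix_hidden(SAMPLE_SDFIX):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

On the sample data the HJT pass reports the two entries the helper had fixed and ignores the legitimate Java BHO and the service line; the SDFix pass reports only the two paths that mimic `explorer.exe` and `alg.exe` from directories where those names do not belong, leaving the Spybot and DRM files alone.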
KiloWatts
2008-09-24, 04:02
Here we gooo:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:26 PM, on 9/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Spyware Crap\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221444931203
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 3434 bytes
shelf life
2008-09-24, 05:29
hi KiloWatts,
ok looks good. you can delete the sdfix folder from its default install @ C:/
keep malwarebytes and check for updates before using it. good practice to keep it updated even if you only do an occasional scan.
two things: java and system restore:
java:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
system restore:
One of the features of Windows ME, XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Nero Burning ROM v.6.6.0.8a Keygen
see # 10 below
plenty of keygens carry "other" payloads. I didn't see nero in the add/remove programs list
some info for you:
My Top Ten List
The Short Version:
1) Keep your OS, (Windows) browser (IE, FireFox) and other software up to date.
2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons. Do you trust the source?
3) Install, keep updated: one antivirus and two or three anti-malware applications.
4) Refrain from clicking on links or installing files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites to install software to your computer.
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts rather than administrator accounts.
8) Install and understand the limitations of a third party software firewall.
9) Consider using an alternate browser and E-mail client.
10) If your habits include visiting or downloading/installing files from: warez, crack sites or p2p (file sharing) networks: then you are much more likely to encounter malicious code. Do you trust the source?
longer version in link below
happy safe surfing
KiloWatts
2008-09-24, 06:07
Thanks very much :)
shelf life
2008-09-25, 00:34
ok KiloWatts, you're welcome. happy safe surfing out there.