byofypja.dll



jumpluffex
2008-11-21, 16:35
Greetings to all of the pros,

To keep things short, the following are my problems:-

1. Lost connection to the internet; neither Wi-Fi nor LAN works.
2. Unable to turn Automatic Updates on.
3. Trojan.win32.agent.aoto from system32/byofypja.dll

Even though I formatted, it seems the problem still occurs. Maybe the source is my pendrive... BUT I had scanned it with Kaspersky before I inserted it!!!

Thank you to whoever lends a hand!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:44 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {AB583323-93BC-4DEB-A2C9-E3AACBC62BA9} - C:\WINDOWS\system32\bYOFYPJa.dll
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - C:\WINDOWS\system32\nnnOhgec.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227160338578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227168623671
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: nnnOhgec - nnnOhgec.dll (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

--
End of file - 4968 bytes

pskelley
2008-11-22, 18:29
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

http://forums.spybot.info/showthread.php?t=34288 <<< the last time you posted you never responded to the helper? Keep in mind all helpers are volunteers who take time from family and real life to help and that all forums are very busy with times running about 3 to 5 days. (if you get a response)

You are infected and it is a downloader so stay offline unless you are working on the problem.
O2 - BHO: (no name) - {AB583323-93BC-4DEB-A2C9-E3AACBC62BA9} - C:\WINDOWS\system32\bYOFYPJa.dll
http://www.systemlookup.com/CLSID/55669.html
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - C:\WINDOWS\system32\nnnOhgec.dll (file missing) <<< this one looks to have been deleted, but there is usually much infection hidden.
http://www.systemlookup.com/CLSID/55343.html

As for the "pendrive", do not put it in the computer. You can try to reformat it?
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive

Proceed like this, read and follow the directions, then post an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg


A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
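As an added example, not part of this thread or of HijackThis itself, here is a small Python audit that parses the O2 and O20 lines quoted above and flags the same signals pskelley points to: an unnamed BHO, a hook whose file is missing, and one DLL registered in two load points. The sample lines are copied from the log above; the random-name heuristic is my own assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample HijackThis lines copied from the log posted in this thread, plus the
# O23 service line as a benign control; constructed here as an inline fixture.
SAMPLE_LOG = r"""
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {AB583323-93BC-4DEB-A2C9-E3AACBC62BA9} - C:\WINDOWS\system32\bYOFYPJa.dll
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - C:\WINDOWS\system32\nnnOhgec.dll (file missing)
O20 - Winlogon Notify: nnnOhgec - nnnOhgec.dll (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

# O2 = Browser Helper Object, O20 = Winlogon Notify DLL. Both are loaded at
# browser start / logon, which is why they are common persistence points.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

@dataclass
class Finding:
    hjt_type: str          # "O2" or "O20"
    name: str              # display name HijackThis printed
    dll: str               # bare file name, original case preserved
    reasons: List[str] = field(default_factory=list)

def _basename(path: str) -> str:
    # HijackThis prints Windows paths; split on backslash regardless of host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def _looks_random(dll: str) -> bool:
    """Assumed heuristic: an 8-letter alphabetic stem with capitals after the
    first character (bYOFYPJa, nnnOhgec) is typical of machine-generated
    dropper names; a vendor DLL such as ievkbd.dll does not match."""
    stem = dll.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    return any(c.isupper() for c in stem[1:])

def audit_hjt(log_text: str) -> List[Finding]:
    """Parse O2/O20 lines and return only entries with at least one reason."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        hjt_type = "O2" if line.startswith("O2 ") else "O20"
        f = Finding(hjt_type, m["name"], _basename(m["path"]))
        if hjt_type == "O2" and f.name == "(no name)":
            f.reasons.append("unnamed BHO")
        if m["missing"]:
            # File gone but registry hook still present: partial removal, and
            # as the helper notes, more of the infection is usually hidden.
            f.reasons.append("file missing")
        if _looks_random(f.dll):
            f.reasons.append("random-looking DLL name")
        findings.append(f)

    # Cross-reference: one DLL registered both as a BHO and as a Winlogon
    # Notify handler is a dual-persistence pattern worth calling out.
    bho = {f.dll.lower() for f in findings if f.hjt_type == "O2"}
    notify = {f.dll.lower() for f in findings if f.hjt_type == "O20"}
    for f in findings:
        key = f.dll.lower()
        if f.hjt_type == "O2" and key in notify:
            f.reasons.append("also registered as O20 Winlogon Notify")
        if f.hjt_type == "O20" and key in bho:
            f.reasons.append("same DLL also loaded as O2 BHO")
    return [f for f in findings if f.reasons]

if __name__ == "__main__":
    for f in audit_hjt(SAMPLE_LOG):
        print(f"{f.hjt_type:<4}{f.dll:<16}{'; '.join(f.reasons)}")
```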

jumpluffex
2008-11-27, 20:01
Thx for replying, the requested logs are as follows.

Agere Systems AC'97 Modem
BisonCam
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver for Mobile
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
KTP Ware PS/2-WDM 5.0.1.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver
ComboFix 08-11-26.05 - SheymyEX 2008-11-28 1:37:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.294 [GMT 8:00]
Running from: c:\documents and settings\SheymyEX\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\aJPYFOYb.ini
c:\windows\system32\aJPYFOYb.ini2
c:\windows\system32\fkclpnmq.ini
c:\windows\system32\fkkocb.dll
c:\windows\system32\hcnhmijr.dll

----- BITS: Possible infected sites -----

hxxp://leongkaiyoung.com
.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-21 22:13 . 2008-11-21 22:13 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 21:05 . 2006-10-26 19:58 30,512 --a------ c:\windows\system32\mdimon.dll
2008-11-21 21:04 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 20:52 . 2008-11-21 20:52 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 20:51 . 2008-11-21 20:51 <DIR> d-------- c:\program files\MSBuild
2008-11-21 20:44 . 2008-11-21 20:50 <DIR> d-------- c:\windows\SHELLNEW
2008-11-21 20:42 . 2008-11-21 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 20:40 . 2008-11-21 20:40 <DIR> dr-h----- C:\MSOCache
2008-11-21 20:10 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-21 20:10 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-21 20:10 . 2008-04-14 02:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-21 20:10 . 2008-04-14 02:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-20 16:42 . 2008-10-04 01:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-20 16:42 . 2007-04-17 17:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-20 16:42 . 2007-03-08 13:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-20 16:42 . 2008-08-26 15:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-20 16:42 . 2008-08-26 15:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-20 16:42 . 2008-08-26 15:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-20 16:42 . 2008-08-26 15:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-20 16:42 . 2008-08-26 15:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-20 16:42 . 2008-08-25 16:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-20 16:18 . 2008-09-15 20:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-20 16:17 . 2008-08-14 18:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-20 16:17 . 2008-08-14 18:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-20 16:17 . 2008-08-14 17:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-20 16:17 . 2008-08-14 17:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-20 16:14 . 2008-06-13 19:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-20 16:13 . 2008-09-08 18:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-20 16:13 . 2008-08-14 18:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-20 16:10 . 2008-10-24 19:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-20 16:10 . 2008-05-08 22:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-20 16:09 . 2008-04-12 03:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-20 16:09 . 2008-05-01 22:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-11-20 16:08 . 2008-09-05 01:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-20 16:08 . 2008-10-16 00:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-20 13:30 . 2008-11-20 13:30 <DIR> d-------- c:\windows\system32\scripting
2008-11-20 13:30 . 2008-11-20 13:30 <DIR> d-------- c:\windows\system32\en
2008-11-20 13:30 . 2008-11-20 13:30 <DIR> d-------- c:\windows\system32\bits
2008-11-20 13:30 . 2008-11-20 13:30 <DIR> d-------- c:\windows\l2schemas
2008-11-20 13:25 . 2008-11-20 13:31 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-20 13:00 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2008-11-20 12:45 . 2008-11-20 17:35 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-20 12:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-11-20 12:08 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-20 12:07 . 2008-11-20 12:07 <DIR> d--hs---- c:\documents and settings\SheymyEX\UserData
2008-11-20 10:39 . 2005-01-23 02:30 163,840 --a------ c:\windows\system32\igfxres.dll
2008-11-20 10:01 . 2004-08-04 20:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2008-11-20 10:00 . 2008-04-14 08:09 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 17:39 942,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-27 17:39 8,444 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-27 17:39 204,832 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-27 17:39 1,780 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-27 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-19 23:26 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-19 22:50 --------- d-----w c:\program files\Elantech
2008-11-19 22:50 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-19 19:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-19 19:40 --------- d-----w c:\program files\Intel
2008-11-19 19:28 --------- d-----w c:\program files\Realtek Sound Manager
2008-11-19 19:28 --------- d-----w c:\program files\AvRack
2008-11-19 19:12 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-19 19:11 --------- d-----w c:\program files\Kaspersky Lab
2008-11-19 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-19 18:18 --------- d-----w c:\program files\microsoft frontpage
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2005-03-01 253952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 c:\windows\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 Ktp;Elantech Touchpad;c:\windows\system32\DRIVERS\Ktp.sys [2008-11-20 25984]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B3DCC652-58F7-4780-B961-574125BE61B2} - c:\windows\system32\bYOFYPJa.dll
Notify-nnnOhgec - nnnOhgec.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 01:53:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 1:56:42 - machine was rebooted [SheymyEX]
ComboFix-quarantined-files.txt 2008-11-27 17:56:39

Pre-Run: 52,981,448,704 bytes free
Post-Run: 52,984,889,344 bytes free

146 --- E O F --- 2008-11-20 08:03:49

pskelley
2008-11-27, 20:52
When finished, it shall produce a log for you. Please include the
C:\ComboFix.txt in your next reply along with a New Hijackthis log
Please post the HijackThis log requested.

jumpluffex
2008-11-28, 12:38
Please excuse me....


Here it is:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:36 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227160338578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227168623671
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

--
End of file - 4541 bytes

pskelley
2008-11-28, 13:54
Thanks, your HJT log looks good, let's do this now.

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop.
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now, any malware symptoms?

Thanks

jumpluffex
2008-11-29, 19:08
Hi there,

My PC now doesn't seem to have any malware, but I'm still facing one problem:-

I cannot get online using my LAN cable with my local ISP, which works ok with my other PC.

Any problems caused by the malware or virus?

For your info, I had used both ATF and Malware removal. Seems ok. I didn't update the malware removal due to the problematic connection to internet.

Thx

pskelley
2008-11-29, 19:51
Please post the log from the MBAM scan so I can see it.

What happens when you try to connect? Do you get any messages? Have you tried calling technical support at your ISP? That is what you pay them for.

Thanks

pskelley
2008-12-05, 12:28
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.