Like everyone else, browser hijacked and self uploading MORE malicious code



jimjam
2006-10-21, 14:58
Good day Ladies, Gents!

I'm at my wits' end. I rarely ask for advice as I try to sort things myself and rtfm as much as I can, but after 3 days, I clearly need help. And thus I come to you.

I have a browser hijacker that I can activate by searching for "virus" on Google. Within 3 goes, every time, my browser gets hijacked.

I have run many anti-virus progs and spyware removers (and so my feel for what is good and what are bad apps has improved). For 3 days my HDD has been scanned back and forth. I've used Avast, AVG, NOD32, Spybot, Ad-Aware and a few others I can't remember. As I remove malicious code, on the next scan there are more but different spyware apps. So there is a common hijacker that I can't root out, and it continually uploads something new as soon as it hijacks (which explains the above behavior).
I'm sure this is the common problem.

Anyway, for your perusal, I have followed the log upload instructions clearly:

Panda activescan:

Incident Status Location

Adware:adware/keenvalue Not disinfected C:\Documents and Settings\halcyon\Desktop\Complete IncrediMail Installation.lnk
Virus:Bck/Agent.CWB Disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\mst11.tmp
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\b122.exe[mc-0-0-0.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\b122.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/PrintView Not disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\b124.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\b116.exe
Adware:Adware/DeluxeComunications Not disinfected C:\Documents and Settings\halcyon\Local Settings\Temp\b126.exe
Virus:Bck/Agent.CWB Disinfected C:\Documents and Settings\halcyon\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\EF5B19BE-C086-4553-902A-CCE74D\835B00BA-F0D7-44C6-8BCF-4930EC
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\halcyon\Cookies\halcyon@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\halcyon\Cookies\halcyon@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\halcyon\Cookies\halcyon@stats1.reliablestats[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\halcyon\Cookies\halcyon@www.drivecleaner[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.rightmedia.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.uol.com.br/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[server.iad.liveperson.net/hc/83874292]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Firefox\Profiles\er1q8w5d.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\halcyon\Application Data\Mozilla\Profiles\default\7vap2bez.slt\cookies.txt[.2o7.net/]
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3CFBC2EE-0728-3081-0728-04040726003d}\Activate.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3CFBC2EE-0728-3081-0728-04040726003d}\Uninst.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\oxtlocam.dll.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\uvbynphl.exe.bad
Adware:Adware/DeluxeComunications Not disinfected C:\Recycled\Dc2\cupdater.exe

HJT to follow....

jimjam
2006-10-21, 15:10
Logfile of HijackThis v1.99.1
Scan saved at 9:22:14 PM, on 21/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/halcyon/Desktop/lclhome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\halcyon\Application Data\Mozilla\Profiles\default\7vap2bez.slt\prefs.js)
O2 - BHO: (no name) - {067EAC78-C556-49C1-81F6-B67AA8DEE7A7} - C:\WINDOWS\System32\mljjk.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\oxtlocam.dll (file missing)
O2 - BHO: (no name) - {3D2E2E36-94B3-E034-977E-0503A5E8A0E4} - C:\WINDOWS\System32\ftbncdn.dll (file missing)
O2 - BHO: (no name) - {4F3E0BF7-C5E6-049B-AF14-082AA17AFE2E} - C:\WINDOWS\System32\iznjghi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {577C783B-76C1-41AC-8B2A-3477AE3EA81B} - C:\WINDOWS\System32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {612E7630-ED57-90C0-1089-0AF4CA581B99} - C:\WINDOWS\System32\tadjpqn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [zzmpnp.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\zzmpnp.dll,vjjmpgg
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [cbigdpf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\cbigdpf.dll,dsswlq
O4 - HKLM\..\Run: [eqdqawi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\eqdqawi.dll,mkokssb
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [Mauo] "C:\DOCUME~1\halcyon\MYDOCU~1\CROSOF~1\svchost.exe" -vt yazb
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\halcyon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab40641.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4871/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Yes, no need to preach, as I see the error of my SP1 ways.
The browser in question is IE,
and yes, I hammered the HDD with Spybot S&D till it detected nothing.
(The browser still gets jacked!)

Thanks in advance
JimJam

jimjam
2006-10-21, 15:32
My problem sounded like another member's Smitfraud infection. So I ran that scanner as well, SmitfraudFix v2.112; output below:

SmitFraudFix v2.112

Scan done at 22:29:14.03, Sat 21/10/2006
Run from C:\hjt\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\halcyon


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\halcyon\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\halcyon\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Seems clear...?
cheers.

pskelley
2006-10-23, 15:36
Hello and welcome to the forum. Sorry for the wait; logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.

Looks like no Smitfraud was found, but I do see indications you had or have a Vundo infection. Let's run Atribune's tool to make sure nothing is left. You want all files located to be deleted!

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

(Hold those logs until we finish)

Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

You might need to post half in one reply and half in another.

Make sure you restart the computer then post the combofix log, Vundofix log and a fresh HJT log.

Thanks

jimjam
2006-10-24, 03:16
Hi PSKelley,

Good advice is worth waiting for :)

In the varied angles I had tried previously, I had run VundoFix already, as can be seen by the log; another scan has shown up another two files :(

Here is the VundoFix log now:


VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 7:47:10 PM 21/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\oxtlocam.dll
C:\WINDOWS\system32\uvbynphl.exe
C:\WINDOWS\System32\jkhhg.dll
C:\WINDOWS\System32\mljjk.dll
C:\WINDOWS\System32\ghhkj.ini
C:\WINDOWS\System32\ghhkj.bak1
C:\WINDOWS\System32\ghhkj.bak2
C:\WINDOWS\System32\ghhkj.ini2
C:\WINDOWS\System32\ghhkj.tmp
C:\WINDOWS\System32\kjjlm.ini
C:\WINDOWS\System32\kjjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\oxtlocam.dll
C:\WINDOWS\system32\oxtlocam.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvbynphl.exe
C:\WINDOWS\system32\uvbynphl.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghhkj.ini
C:\WINDOWS\System32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghhkj.bak1
C:\WINDOWS\System32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghhkj.bak2
C:\WINDOWS\System32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghhkj.ini2
C:\WINDOWS\System32\ghhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ghhkj.tmp
C:\WINDOWS\System32\ghhkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjjlm.ini
C:\WINDOWS\System32\kjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\kjjlm.bak1
C:\WINDOWS\System32\kjjlm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 9:25:03 AM 24/10/2006

Listing files found while scanning....

C:\WINDOWS\System32\jkhhg.dll
C:\WINDOWS\System32\mljjk.dll

Beginning removal...

Performing Repairs to the registry.
Done!

ComboFix log part 1:

halcyon - 06-10-24 10:02:28.15 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\halcyon\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\halcyon\Application Data\Dxcknwrd.dll
C:\Documents and Settings\halcyon\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\misc002
C:\Program Files\PrintView
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{ACFBC2EE-0729-3081-0728-04040726003d}
C:\Program Files\Common Files\{3CFBC2EE-0729-3081-0728-04040726003d}
C:\Program Files\Common Files\{ACFBC2EE-0728-3081-0728-04040726003d}
C:\Program Files\Common Files\{3CFBC2EE-0728-3081-0728-04040726003d}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\halcyon\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\halcyon\My Documents\CROSOF~1\??crosoft


((((((((((((((((((((((((((((((( Files Created from 2006-09-24 to 2006-10-24 ))))))))))))))))))))))))))))))))))


2006-10-21 22:28 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-21 22:28 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-21 22:28 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-21 22:28 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-21 12:01 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-10-21 12:01 274,432 --a------ C:\WINDOWS\system32\imon.dll
2006-10-18 15:26 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2006-10-18 00:22 454,656 --a------ C:\WINDOWS\system32\WINUTIL4.DLL
2006-10-18 00:22 393,216 --a------ C:\WINDOWS\system32\WINLCTL5.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 03:18 -------- d-------- C:\Program Files\Sunbelt Software
2006-10-18 15:32 -------- d-------- C:\Documents and Settings\halcyon\Application Data\Tenebril
2006-09-13 15:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 10:54 7296 -ra------ C:\WINDOWS\system32\drivers\grmnusb.sys
2006-09-06 10:54 17024 -ra------ C:\WINDOWS\system32\drivers\grmngen.sys
2006-09-06 10:54 11520 -ra------ C:\WINDOWS\system32\drivers\WDMSTUB.sys
2006-08-26 01:53 561664 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 19:14 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2006-08-16 22:14 95232 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 22:14 70656 --a------ C:\WINDOWS\system32\ws2_32.dll
2006-08-16 22:14 54272 --a------ C:\WINDOWS\system32\ipv6mon.dll
2006-08-16 22:14 31232 --a------ C:\WINDOWS\system32\inetmib1.dll
2006-08-16 22:14 13312 --a------ C:\WINDOWS\system32\wship6.dll
2006-08-16 19:42 159232 --a------ C:\WINDOWS\system32\xpob2res.dll
2006-08-16 19:28 48640 --a------ C:\WINDOWS\system32\ipv6.exe
2006-08-16 19:27 83456 --a------ C:\WINDOWS\system32\netsh.exe

jimjam
2006-10-24, 03:18
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"InternodeUsage"="C:\\PROGRA~1\\INTERN~2\\mum.exe"
"Mauo"="\"C:\\DOCUME~1\\halcyon\\MYDOCU~1\\CROSOF~1\\svchost.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Syslog"=""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"zzmpnp.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\zzmpnp.dll,vjjmpgg"
"cbigdpf.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\cbigdpf.dll,dsswlq"
"eqdqawi.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\eqdqawi.dll,mkokssb"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbug32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-24 10:03:59.26
C:\ComboFix.txt ... 06-10-24 10:04

A new HJT log to follow...

jimjam
2006-10-24, 03:19
Logfile of HijackThis v1.99.1
Scan saved at 10:12:12 AM, on 24/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/halcyon/Desktop/lclhome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\halcyon\Application Data\Mozilla\Profiles\default\7vap2bez.slt\prefs.js)
O2 - BHO: (no name) - {067EAC78-C556-49C1-81F6-B67AA8DEE7A7} - C:\WINDOWS\System32\mljjk.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\oxtlocam.dll (file missing)
O2 - BHO: (no name) - {3D2E2E36-94B3-E034-977E-0503A5E8A0E4} - C:\WINDOWS\System32\ftbncdn.dll (file missing)
O2 - BHO: (no name) - {4F3E0BF7-C5E6-049B-AF14-082AA17AFE2E} - C:\WINDOWS\System32\iznjghi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {577C783B-76C1-41AC-8B2A-3477AE3EA81B} - C:\WINDOWS\System32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {612E7630-ED57-90C0-1089-0AF4CA581B99} - C:\WINDOWS\System32\tadjpqn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [zzmpnp.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\zzmpnp.dll,vjjmpgg
O4 - HKLM\..\Run: [cbigdpf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\cbigdpf.dll,dsswlq
O4 - HKLM\..\Run: [eqdqawi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\eqdqawi.dll,mkokssb
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [Mauo] "C:\DOCUME~1\halcyon\MYDOCU~1\CROSOF~1\svchost.exe" -vt yazb
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\halcyon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.ajwesley.com
O15 - Trusted Zone: *.mcafee.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab40641.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4871/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


Once again, your input is much appreciated.

cheers :bigthumb:

pskelley
2006-10-24, 04:12
Thanks for returning your information, you had a very infected computer. Let's look at two things first.

Do you know what this is:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/halcyon/Desktop/lclhome.html
Did you make this your Start Page? If not remove it with HJT below.

1) Your Java program is out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Update the program and remove all old versions of the program, as long as they are onboard, you can get infected via them.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) We need to check some files created at the time of the infection. You must be very careful not to delete any that are not bad. Use these tools to scan them:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

It is possible you may have to delete the bad ones in Safe Mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html
Here are the files you will be checking:
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\swsc.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\swreg.exe
C:\WINDOWS\system32\drivers\amon.sys
C:\WINDOWS\system32\imon.dll
C:\WINDOWS\system32\archlib.dll
C:\WINDOWS\system32\WINUTIL4.DLL
C:\WINDOWS\system32\WINLCTL5.DLL
C:\WINDOWS\system32\msxml3.dll
C:\WINDOWS\system32\drivers\grmnusb.sys
C:\WINDOWS\system32\drivers\grmngen.sys
C:\WINDOWS\system32\drivers\WDMSTUB.sys
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\6to4svc.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ipv6mon.dll
C:\WINDOWS\system32\inetmib1.dll
C:\WINDOWS\system32\wship6.dll
C:\WINDOWS\system32\xpob2res.dll
C:\WINDOWS\system32\ipv6.exe
C:\WINDOWS\system32\netsh.exe

I can't tell you how important it is that you delete only bad files and I have no way of knowing which are bad from here. Take your time and be very careful.


5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {067EAC78-C556-49C1-81F6-B67AA8DEE7A7} - C:\WINDOWS\System32\mljjk.dll (file missing)
(Next item is not working right if at all with the file missing, download it again when we are done if you use the BHO)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\oxtlocam.dll (file missing)
O2 - BHO: (no name) - {3D2E2E36-94B3-E034-977E-0503A5E8A0E4} - C:\WINDOWS\System32\ftbncdn.dll (file missing)
O2 - BHO: (no name) - {4F3E0BF7-C5E6-049B-AF14-082AA17AFE2E} - C:\WINDOWS\System32\iznjghi.dll (file missing)
O2 - BHO: (no name) - {577C783B-76C1-41AC-8B2A-3477AE3EA81B} - C:\WINDOWS\System32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {612E7630-ED57-90C0-1089-0AF4CA581B99} - C:\WINDOWS\System32\tadjpqn.dll (file missing)
O4 - HKLM\..\Run: [zzmpnp.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\zzmpnp.dll,vjjmpgg
O4 - HKLM\..\Run: [cbigdpf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\cbigdpf.dll,dsswlq
O4 - HKLM\..\Run: [eqdqawi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\eqdqawi.dll,mkokssb
O4 - HKCU\..\Run: [Mauo] "C:\DOCUME~1\halcyon\MYDOCU~1\CROSOF~1\svchost.exe" -vt yazb
(next two, do you trust those enough to give them complete access to your computer? Leave them if you do)
O15 - Trusted Zone: http://www.ajwesley.com
O15 - Trusted Zone: *.mcafee.com
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(these may be gone, just do not miss them)

C:\WINDOWS\System32\cbigdpf.dll <<< delete the file

C:\WINDOWS\System32\eqdqawi.dll <<< delete the file

C:\WINDOWS\System32\zzmpnp.dll <<< delete the file

C:\DOCUME~1\halcyon\MYDOCU~1\CROSOF~1\ <<< delete that folder

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Make sure you restart the computer, post a new HJT log and let me know how the computer is running.

Thanks
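
The removal list in step 5 above applies a handful of repeatable rules to the HJT log: load points whose DLL is already gone, rundll32 autoruns of random-looking System32 DLLs, a svchost.exe started from a user profile, Trusted Zone entries, and protocol handlers with no CLSID or file. The script below is an added example written for this thread (hypothetical; it is not part of HijackThis or the forum's tooling) that runs those same checks over lines copied verbatim from the log posted above, with two known-good lines mixed in. It assumes Python 3 and the HijackThis 1.99.1 line format shown in the thread.

```python
"""Triage helper for HijackThis 1.99.1 log lines (hypothetical script written
for this thread; not part of HijackThis or the forum's tooling).

It applies the heuristics the helper used above.  A flag is a prompt for a
human to look, not a verdict: the thread itself shows that scanning with
several engines before deleting anything is the safe order of operations."""
import re
from typing import Dict, List

SYSTEM32 = r"c:\windows\system32"

# Matches "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Matches "rundll32.exe <path>.dll,<export>"
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),", re.I)

# Sample lines copied from the HJT log posted earlier in the thread, plus two
# known-good lines (Adobe BHO, NOD32 service) so the filter has lines to pass.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {067EAC78-C556-49C1-81F6-B67AA8DEE7A7} - C:\WINDOWS\System32\mljjk.dll (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [zzmpnp.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\zzmpnp.dll,vjjmpgg",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKCU\..\Run: [Mauo] "C:\DOCUME~1\halcyon\MYDOCU~1\CROSOF~1\svchost.exe" -vt yazb',
    r"O15 - Trusted Zone: *.mcafee.com",
    r"O18 - Protocol: vskype - (no CLSID) - (no file)",
    r"O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
]


def flag_entry(line: str) -> List[str]:
    """Return the reasons an HJT line deserves a second look (empty list = nothing noted)."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
    low = line.lower()

    if kind in ("O2", "O20") and "(file missing)" in low:
        # A BHO or Winlogon Notify hook whose DLL no longer exists: usually the
        # remnant of a partial cleanup, and HJT can remove the registry entry.
        reasons.append("missing file behind a load point")

    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        dll = RUNDLL32_RE.search(cmd)
        if dll and dll.group("dll").lower().startswith(SYSTEM32):
            # Autorun that uses rundll32 to load a System32 DLL with a
            # random-looking name; the Run value is even named after the DLL.
            reasons.append("rundll32 autorun of a System32 DLL")
        target = cmd.lower().lstrip('"')
        if "\\svchost.exe" in target and not target.startswith(SYSTEM32):
            # The genuine svchost.exe lives in System32 and is not launched from Run keys.
            reasons.append("svchost.exe running from a user directory")

    if kind == "O15":
        # Trusted Zone sites get relaxed IE security settings; confirm they are intended.
        reasons.append("trusted zone entry; confirm it is intentional")

    if kind == "O18" and ("(no clsid)" in low or "(no file)" in low):
        reasons.append("protocol handler with no CLSID or file")

    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; lines with nothing noted are omitted."""
    flagged: Dict[str, List[str]] = {}
    for ln in lines:
        reasons = flag_entry(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LINES).items():
        print(f"{entry}\n    -> {'; '.join(why)}")
```

Six of the nine sample lines come back flagged, matching the items the helper ticked in HJT; the Adobe BHO, the NOD32 Run value and the NOD32 service pass untouched. The O15 rule deliberately flags every Trusted Zone line rather than deciding for the user, which is the same question the helper asked in step 5.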

jimjam
2006-10-27, 16:07
Hi PSK

Yes that start page is a local .html file I wrote.

Java has been updated.

I went through all those listed files with all 3 scanners. This took a while. Process.exe came up as the only positive. So I deleted it.

Used HJT to remove those issues.

(PC now boots without the missing file alerts)

Ran ATF Cleaner.

Browser hasn't been hijacked in a while now :D:

Here is a new squeaky clean HJT log :)

Logfile of HijackThis v1.99.1
Scan saved at 10:57:48 PM, on 27/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/halcyon/Desktop/lclhome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\halcyon\Application Data\Mozilla\Profiles\default\7vap2bez.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\halcyon\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab40641.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4871/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

A good time to upgrade to SP2 now?

Thanks again
JJ

pskelley
2006-10-27, 16:57
Thanks for the feedback, I am really surprised Process.exe was the only bad item. It is part of Smitfraud (fix won't run without it) and is often flagged as malware. We will have to trust scans, looking at the HJT log now.

O18 - Protocol: vskype - (no CLSID) - (no file) <<< something leftover from skype? Had it on the removal list, doubt it is anything. Did you try to remove it?

The log looks good, I see nothing that looks like malware. Great job with all of the complex instructions :bigthumb: Let's do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx

Might be a good time to think about IE-7 also:
http://www.microsoft.com/windows/ie/default.mspx
http://www.microsoft.com/windows/ie/support/default.mspx

As you can see there is free phone support for IE download issues but alas I can no longer locate toll free support for SP2, you may be able to get a number from Microsoft. You must also be aware that Critical Update support has been stopped for SP1.

If all is well, I will wish you safe surfing...tashi :) will close the topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-11-06, 08:52
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers. :)