
Thread: My ongoing struggle with malware, help needed!

  1. #1
    Junior Member
    Join Date
    Oct 2008
    Posts
    15

    My ongoing struggle with malware, help needed!

    OK, so I don't have much time now because I have to go to work. I will update later. My basic problem is that I got infected with the codec Zlob before and it changed my background etc. etc. Well, I got rid of it using Malwarebytes. So currently I have avast antivirus, Malwarebytes, Ad-Aware and SUPERAntiSpyware. All have deleted my trojans, but I have now gotten new ones, and they are recurring on reboot.

    Some of the things I have encountered:
    Virtumonde
    Trojan-Clicker.Win3.Tiny.h
    Win32:Dialer-567
    Adclicker trojan among others

    Even now I am getting a pop-up. Pop-ups since getting rid of the rogue anti-spyware trojan have included trashypretty.com, zedo.com and even websites about katanas (swords).

    I have run all my scans and deleted everything. I need more assistance. Would Spyware Doctor fix it? I am afraid to use SmitFraudFix because half the time you're getting the fraud virus instead of the actual program. I need an easy way to do this. I can give logs from Malwarebytes and Ad-Aware later if needed.

    Oh yeah, also when I tried to restart my comp, the task manager came up and was ending tfswctrl.exe and axsjezit.exe. Are they part of the malware?

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi eagles26

    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Double-click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch HijackThis.
    • Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste the log in your next reply.
    • DO NOT use the AnalyzeThis button; its findings are dangerous if misinterpreted.
    • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Oct 2008
    Posts
    15


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:04 PM, on 10/2/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\oembios.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\oembios.exe,
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
    O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe"
    O4 - HKLM\..\Run: [wvnylwvwlyie] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\bcevgecmtuwru.dll" EntryPoint
    O4 - HKLM\..\Run: [IUpd721] C:\WINDOWS\Temp\winvsnet.exe
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1144] command /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4409] cmd /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5255] command /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5352] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1630] command /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9525] cmd /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8559] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4920] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2710] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4584] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6685] command /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5180] cmd /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6830] command /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5830] cmd /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe"
    O4 - HKCU\..\Run: [CfgShAct] C:\WINDOWS\system32\gdehefar.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4128] command /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD929] cmd /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5148] command /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9957] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5747] command /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7085] cmd /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7626] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8206] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2510] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3118] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2175] command /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1702] cmd /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5484] command /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3797] cmd /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKLM\..\Policies\Explorer\Run: [t9KrBeo5mB] C:\Documents and Settings\All Users\Application Data\mfsnyhyp\axsjezit.exe
    O4 - HKUS\S-1-5-18\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe" (User 'Default user')
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Monitor.lnk = C:\Documents and Settings\Owner\Desktop\DESKTOP\Programs\media card\MCC Monitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O21 - SSODL: MntProcCmd - {191AC1A7-66E5-1C75-D7C9-014D8DAD4EF2} - C:\Program Files\xsbbbfg\MntProcCmd.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please post next a fresh HijackThis log taken in normal mode.

  5. #5
    Junior Member
    Join Date
    Oct 2008
    Posts
    15


    I believe I was in normal mode. Nevertheless, I will post a new log anyway, because it's probably different now. I will post it later, because I'm not on my comp now, or at my house for that matter.

    It's just ridiculous how many trojans and malware I have, all from downloading one movie player app. I haven't used my infected comp since the log, so I will update as soon as I am home. Thanks shaba!

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Thank you for informing me.

  7. #7
    Junior Member
    Join Date
    Oct 2008
    Posts
    15


    Antivirus 2009 is back. I thought I got rid of that one at least. It's getting hard to get even this posted on this infected comp. I'm getting bombarded by browser pop-ups. Just ran the scan though. Here it is. Can you tell me what to do? Thanks.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:18:27 PM, on 10/6/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\oembios.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Documents and Settings\All Users\Application Data\mfsnyhyp\axsjezit.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\dkxkzylc.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
    C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
    C:\WINDOWS\system32\dkxkzylc.exe
    C:\WINDOWS\TEMP\prun.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\Temp\winvsnet.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\oembios.exe,
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
    O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe"
    O4 - HKLM\..\Run: [wvnylwvwlyie] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\bcevgecmtuwru.dll" EntryPoint
    O4 - HKLM\..\Run: [IUpd721] C:\WINDOWS\Temp\winvsnet.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe"
    O4 - HKCU\..\Run: [CfgShAct] C:\WINDOWS\system32\gdehefar.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4128] command /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD929] cmd /c del "C:\WINDOWS\system32\smp\msrc.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5148] command /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9957] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5747] command /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7085] cmd /c del "C:\WINDOWS\wt\info.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7626] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8206] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2510] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3118] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2175] command /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1702] cmd /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5484] command /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3797] cmd /c del "C:\WINDOWS\system32\wvUoLcab.dll"
    O4 - HKLM\..\Policies\Explorer\Run: [t9KrBeo5mB] C:\Documents and Settings\All Users\Application Data\mfsnyhyp\axsjezit.exe
    O4 - HKUS\S-1-5-18\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe" (User 'Default user')
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Monitor.lnk = C:\Documents and Settings\Owner\Desktop\DESKTOP\Programs\media card\MCC Monitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - AppInit_DLLs: uzhysa.dll
    O21 - SSODL: MntProcCmd - {191AC1A7-66E5-1C75-D7C9-014D8DAD4EF2} - C:\Program Files\xsbbbfg\MntProcCmd.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9975 bytes
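    The log above is the point of the exchange: the helper wants the whole thing rather than a cleaned subset, because the judgment is made line by line on where each autostart entry lives and what it is called. Below is an added example (not part of this thread and not HijackThis code) that parses the entry types a reviewer looks at first in a log like this one (O4 Run/RunOnce and Policies\Explorer\Run, the F2 UserInit chain, O20 AppInit_DLLs, O21 SSODL) and notes the things a human spots by eye: executables launched from a TEMP directory or from All Users\Application Data, random-looking value or file names, and programs chained into logon. The sample lines are copied from the second log in the thread with the avast! entry kept as a benign control; the heuristics and thresholds are this example's own assumptions, not a signature set.

```python
"""Triage of HijackThis autostart lines: parse O4/F2/O20/O21 entries and
collect review prompts (TEMP or Application Data launch paths, random-
looking names, UserInit and AppInit hooks). Added example, not HijackThis
code; every heuristic here is an assumption of this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the second log in this thread, with
# the avast! entry kept as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\TEMP\prun.exe"
O4 - HKLM\..\Run: [wvnylwvwlyie] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\bcevgecmtuwru.dll" EntryPoint
O4 - HKLM\..\Run: [IUpd721] C:\WINDOWS\Temp\winvsnet.exe
O4 - HKCU\..\Run: [CfgShAct] C:\WINDOWS\system32\gdehefar.exe
O4 - HKLM\..\Policies\Explorer\Run: [t9KrBeo5mB] C:\Documents and Settings\All Users\Application Data\mfsnyhyp\axsjezit.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\oembios.exe,
O20 - AppInit_DLLs: uzhysa.dll
O21 - SSODL: MntProcCmd - {191AC1A7-66E5-1C75-D7C9-014D8DAD4EF2} - C:\Program Files\xsbbbfg\MntProcCmd.dll
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<chain>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[^}]+\} - (?P<path>.*)$")
# One quoted path, or an unquoted path (spaces allowed) up to its .exe/.dll.
PATH_TOKEN = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll))', re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Entry:
    kind: str                 # O4, F2, O20 or O21
    name: str                 # registry value name, DLL name or "UserInit"
    path: str                 # file the entry actually runs
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def payload_path(cmd: str) -> str:
    """File an O4 command really executes: for a rundll32 launcher, the DLL
    it loads; otherwise the first quoted or unquoted executable path."""
    paths: list[str] = []
    rest = cmd.strip()
    while rest:
        m = PATH_TOKEN.match(rest)
        if not m:
            break
        paths.append(m.group(1) or m.group(2))
        rest = rest[m.end():].lstrip()
    for p in paths:
        if not p.lower().endswith("rundll32.exe"):
            return p
    return paths[0] if paths else cmd.strip()


def looks_random(token: str) -> bool:
    """Crude stand-in for an entropy test: four consonants in a row (y counted
    as a vowel) or a digit wedged between letters. A prompt, not a verdict."""
    run = 0
    for ch in token.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        if run >= 4:
            return True
    return re.search(r"[A-Za-z]\d+[A-Za-z]", token) is not None


def add_location_findings(e: Entry) -> None:
    """Location and naming checks shared by every entry type."""
    low = e.path.lower()
    if "\\temp\\" in low:
        e.reasons.append("runs from a TEMP directory")
    if "\\all users\\application data\\" in low:
        e.reasons.append("runs from All Users\\Application Data")
    parts = [p for p in e.path.split("\\") if p]
    stem = parts[-1].rsplit(".", 1)[0] if parts else ""
    parent = parts[-2] if len(parts) > 1 else ""
    if any(looks_random(t) for t in (e.name, stem, parent) if t):
        e.reasons.append("random-looking name")


def triage(log_text: str) -> list[Entry]:
    """Parse the supported line types and return entries, most suspicious first."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            e = Entry("O4", m["name"], payload_path(m["cmd"]))
            if "policies\\explorer\\run" in m["key"].lower():
                e.reasons.append("Policies\\Explorer\\Run autostart")
            entries.append(e)
        elif m := F2_RE.match(line):
            for item in (s.strip() for s in m["chain"].split(",")):
                if item and not item.lower().endswith("\\userinit.exe"):
                    entries.append(Entry("F2", "UserInit", item,
                                         ["extra program chained after userinit.exe at logon"]))
        elif m := O20_RE.match(line):
            for dll in re.split(r"[ ,]+", m["dlls"].strip()):
                if dll:
                    entries.append(Entry("O20", dll, dll,
                                         ["AppInit_DLLs entry is loaded into every user32 process"]))
        elif m := O21_RE.match(line):
            e = Entry("O21", m["name"].strip(), m["path"].strip())
            if "\\windows\\" not in e.path.lower():
                e.reasons.append("SSODL entry outside the Windows directory")
            entries.append(e)
    for e in entries:
        add_location_findings(e)
    entries.sort(key=lambda e: e.score, reverse=True)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{'!' if e.score else ' '} {e.kind:<3} {e.name:<14} {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```

    Run as a script it prints one line per entry with its review prompts; the avast! control comes out with none, while the Policies\Explorer\Run entry for axsjezit.exe collects three (policy-key autostart, Application Data path, random-looking name). A hit from these heuristics is a reason to look, never grounds to delete; that is the same caution the helper gives when asking for the log to be posted rather than fixed.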

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Yes it is back.

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Post:

    - a fresh HijackThis log
    - mbam report

  9. #9
    Junior Member
    Join Date
    Oct 2008
    Posts
    15


    OK, I already have Malwarebytes. I used it when I originally got rid of most of the Zlob and rogue spyware trojan. I have been scanning with Search & Destroy and it always eliminates most of the infections but leaves some, and on the next scan most are back anyway. I know I have WildTangent/Virtumonde among other smaller malware/trojans.

    Thank you for getting back to me; as soon as I get home I will run Malwarebytes and do a new scan.

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    OK, take your time.
