Friends have a knack for breaking things the best.
When I started his machine it would not run any executables, including Spybot/AVG/SAV etc.
I used a reg file to fix that (too long to list, but I can provide it on request); it worked great, and then I was able to run standard AV/spyware tools to clean. Many infections were removed except the one listed in the title.
HJT log listed below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:50 AM, on 9/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://83.149.75.33/info.png?cmp=fkf...mrk=1&ver=4057
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1676360506-3534062470-2318509989-1014\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/tech...l/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat,zxovgf.dll,C:\WINDOWS\system32\sovagejo.dll bkviyj.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bomgar Jump Client [1235567581-1235567625] (bomgar-ps-1235567581-1235567625) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49A543DD\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Jump Client [1236139268-1236139313] (bomgar-ps-1236139268-1236139313) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49ADFD04\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Jump Client [1236139268-1244144831] (bomgar-ps-1236139268-1244144831) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49ADFD04\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Support Customer Client [1235567581] (bomgar-scc-1235567581) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49A543DD\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Support Customer Client [1236139268] (bomgar-scc-1236139268) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49ADFD04\bomgar-scc.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
--
End of file - 7488 bytes
Spybot log listed below:
--- Report generated: 2009-09-15 07:48 ---
Win32.TDSS.ntf: [SBI $C65DEAB2] File (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\SKYNEThoehbqlt.sys
Properties.size=0
Properties.md5=AFC2708D353D77D2AC94103D5730F160
Win32.TDSS.ntf: [SBI $F7C6EF60] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETfumqskwp.dll
Properties.size=0
Properties.md5=5B4F59E220FA96D42363E8CAAC34D2D8
Win32.TDSS.ntf: [SBI $F7C6EF60] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNEToptqxpbu.dll
Properties.size=0
Properties.md5=3B0585750AD0EEAA4583F4AFDF696713
Win32.TDSS.ntf: [SBI $F7C6EF60] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETrjrxloyq.dll
Properties.size=0
Properties.md5=3B0585750AD0EEAA4583F4AFDF696713
Win32.TDSS.ntf: [SBI $F7C6EF60] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETthtvpuyu.dll
Properties.size=0
Properties.md5=5B4F59E220FA96D42363E8CAAC34D2D8
Win32.TDSS.ntf: [SBI $1A7ABF3C] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETqxnopatm.dat
Properties.size=0
Properties.md5=0B4FB4690EFA25C5CB5D25A2B291E7F8
Win32.TDSS.ntf: [SBI $1A7ABF3C] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETrqpoqxyv.dat
Properties.size=0
Properties.md5=CEB5FB6784BD4FC72E47C643BAF9958F
Win32.TDSS.ntf: [SBI $1A7ABF3C] File (File, nothing done)
C:\WINDOWS\SYSTEM32\SKYNETxrvngfsx.dat
Properties.size=0
Properties.md5=EBA256D5218C6D6314B1B7382AE0C9D9
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-01 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-09-01 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-01 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-09-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-01 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-01 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-01 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-01 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-25 Includes\Trojans.sbi (*)
2009-09-01 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Spybot and Rootalyser are both able to detect it and allegedly remove the files, but they are detected again on the next scan.
System Restore is turned off.
I manually ran msconfig and no files are executing that look suspicious (Adobe, AOL, etc.).
The first round of scans, before the scans posted here, included AVG version 8.5, Malwarebytes, Symantec AV, Spybot S&D and Rootanalyser 3.4.47.
ERUNT has been run and a backup taken.
While I wait I am going to scan in safe mode to see if that allows the utilities to delete the files. Any assistance is appreciated.
Thanks,
--------------------------
Re-ran all scans in safe mode, no luck.
Any recommendations?
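As an added triage aid (not part of the original post or of HijackThis itself), the following script reads HijackThis-format lines and flags the three patterns a helper would look at first in a log like the one above: a populated O20 AppInit_DLLs entry, entries whose binary is reported as "(file missing)", and URLs whose host is a bare IP address. The sample log excerpt is constructed from lines in the post; the heuristics are general reviewer rules of thumb, not a verdict on any single entry.

```python
import re

# Constructed excerpt of the HijackThis log quoted in the post (not a live scan).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://83.149.75.33/info.png?cmp=fkf...mrk=1&ver=4057
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: karna.dat,zxovgf.dll,C:\WINDOWS\system32\sovagejo.dll bkviyj.dll
O23 - Service: Bomgar Jump Client [1235567581-1235567625] (bomgar-ps-1235567581-1235567625) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49A543DD\bomgar-scc.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
"""

# HijackThis entries start with a section tag (R0, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# A URL whose host is a dotted-quad rather than a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def triage_hjt(log_text):
    """Return (section, reason, line) tuples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append((section, "registered binary is missing on disk", line))
        if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll; on a clean
            # Windows XP install it is normally empty, so any value is worth verifying.
            findings.append((section, "AppInit_DLLs is populated", line))
        if RAW_IP_URL.search(body):
            findings.append((section, "URL host is a bare IP address", line))
    return findings


def appinit_dlls(log_text):
    """Names listed in the O20 AppInit_DLLs entry; the value is comma- or space-separated."""
    for line in log_text.splitlines():
        if line.startswith("O20 - AppInit_DLLs:"):
            return [d for d in re.split(r"[,\s]+", line.split(":", 1)[1]) if d]
    return []


if __name__ == "__main__":
    for section, reason, line in triage_hjt(HJT_SAMPLE):
        print(f"[{section}] {reason}: {line}")
    print("AppInit_DLLs entries:", appinit_dlls(HJT_SAMPLE))
```

The same two functions run unchanged over a full HijackThis log pasted into a file; only the excerpt above is constructed.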
============================
Removed quoted logs