Results 1 to 10 of 10

Thread: infected by agent.axo, small.dwx, tibs.im, banwarum.f, xorpix.ar

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    4

    Default infected by agent.axo, small.dwx, tibs.im, banwarum.f, xorpix.ar

    please assist,

    turned off System Recovery, used Ccleaner to clear everything

    have already done in safe-mode -> SMITREM, S&D, EWIDO, AD-AWARE, AVG + F-SECURE but problem still persists

    log as below

    thanx lots! =)


    Logfile of HijackThis v1.99.1
    Scan saved at 11:00:43 PM, on 10/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    H:\AVG Anti-Spyware 7.5\avgas.exe
    K:\installers - antispy\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] H:\avastnew\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "H:\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int9.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d40611...p/RdxIE601.cab
    O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - http://www.devalvr.com/instalacion/plugin/devalocx.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\q111943876.dll (file missing)
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\bilqghd.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\avastnew\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - H:\avastnew\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - H:\avastnew\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - H:\avastnew\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\4476822\Program\SERVIC~1.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

  2. #2
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    hi


    this hjt log appears to be scanned in safe mode ?
    can you post another one made while in normal mode.
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  3. #3
    Junior Member
    Join Date
    Oct 2006
    Posts
    4

    Default

    Hi,

    Thanks for helping ... redone HJT in normal mode

    Logfile of HijackThis v1.99.1
    Scan saved at 8:34:08 AM, on 10/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    H:\avastnew\aswUpdSv.exe
    H:\avastnew\ashServ.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\F-SECU~1\4476822\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\4476822\program\fsbwsys.exe
    C:\Program Files\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common\FSMA32.EXE
    C:\Program Files\Common\FSMB32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common\FCH32.EXE
    C:\Program Files\Anti-Virus\fssm32.exe
    C:\Program Files\Common\FAMEH32.EXE
    C:\Program Files\FWES\Program\fsdfwd.exe
    H:\avastnew\ashMaiSv.exe
    H:\avastnew\ashWebSv.exe
    C:\Program Files\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    H:\avastnew\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\Program Files\F-Secure Internet Security\4476822\Program\fspex.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    K:\installers - antispy\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    F2 - REG:system.ini: Shell=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] H:\avastnew\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "H:\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int9.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d40611...p/RdxIE601.cab
    O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - http://www.devalvr.com/instalacion/plugin/devalocx.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\q111943876.dll (file missing)
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\bilqghd.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\avastnew\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - H:\avastnew\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - H:\avastnew\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - H:\avastnew\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\4476822\Program\SERVIC~1.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

  4. #4
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    hi

    you seem to have two different antiviruses installed, and they both seem to be running real time.
    this is not recommended, as the programs will compete against each other, causing an excessive system lag. it also leads to crashes and errors
    uninstall the other, either avast or fsecure, which one you decide

    after uninstalling reboot

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    reboot again

    First download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
    2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


    also post a fresh hijackthis log

    NOTE: the avg antispyware report may be large, split it into several posts if necessary to include all info in it

    good luck
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  5. #5
    Junior Member
    Join Date
    Oct 2006
    Posts
    4

    Default

    hi all instructions followed, here is avg scan report and below that is HJT report ... thanks lots! =)



    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:40:12 PM 10/19/2006

    + Scan result:



    C:\WINDOWS\system32\vxgame2.exe -> Downloader.Small.drh : Cleaned with backup (quarantined).
    [216] C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).


    ::Report end



    START OF HJT REPORT

    Logfile of HijackThis v1.99.1
    Scan saved at 10:05:00 PM, on 10/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    H:\avastnew\aswUpdSv.exe
    H:\avastnew\ashServ.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    H:\avastnew\ashMaiSv.exe
    H:\avastnew\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    H:\avastnew\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    K:\installers - antispy\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    F2 - REG:system.ini: Shell=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] H:\avastnew\ashDisp.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int9.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d40611...p/RdxIE601.cab
    O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - http://www.devalvr.com/instalacion/plugin/devalocx.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\q111943876.dll (file missing)
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\bilqghd.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\avastnew\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - H:\avastnew\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - H:\avastnew\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - H:\avastnew\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

  6. #6
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    hi

    open hijackthis, click do a system scan only
    checkmark these entries
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int9.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d40611...p/RdxIE601.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O20 - Winlogon Notify: st3 - C:\WINDOWS\q111943876.dll (file missing)
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\bilqghd.dll



    then close all browsers and explorer windows, until only hijackthis is running

    and click fix checked


    enable showing of system and hidden files:
    1. Click Start.
    2. Open My Computer.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide protected operating system files (recommended) option.
    7. Click Yes to confirm.
    8. Click OK.





    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.


    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml



    once in safe mode locate and delete these files:

    C:\WINDOWS\system32\spoolsvv.exe<<--this file
    C:\WINDOWS\system32\taskdir.exe<<--this file
    C:\WINDOWS\q111943876.dll<<--this file
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll<<--this file
    C:\WINDOWS\system32\bilqghd.dll<<--this file

    reboot back to normal mode
    rescan with hijackthis and post a new logfile
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  7. #7
    Junior Member
    Join Date
    Oct 2006
    Posts
    4

    Default

    Hi, here's the latest HJT log

    Doesn't seem to have any malware problem (at least my avast doesn't pop-up with alerts =)

    Couldn't find the file C:\WINDOWS\system32\spoolsvv.exe

    So I deleted spoolsv.exe instead, not sure if that's gona cause me any problems

    thanks =)



    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:49 AM, on 10/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    H:\avastnew\aswUpdSv.exe
    H:\avastnew\ashServ.exe
    H:\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    H:\avastnew\ashMaiSv.exe
    H:\avastnew\ashWebSv.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    H:\avastnew\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    H:\CCleaner\ccleaner.exe
    K:\installers - antispy\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] H:\avastnew\ashDisp.exe
    O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - http://www.devalvr.com/instalacion/plugin/devalocx.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\avastnew\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - H:\avastnew\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - H:\avastnew\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - H:\avastnew\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

  8. #8
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    http://www.castlecops.com/o23list-770.html
    that is legit file

    hopefully its still in recycle bin ?


    lets do an online virus scan next:

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  9. #9
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    Still with us pcdown?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  10. #10
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    This topic is closed due to lack of a response.

    If you need it re-opened please send me a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •