Need help with vundo kill shot!

Status
Not open for further replies.
Files are showing

I am positive that all of the files are showing because I made sure that I went back and hid them after I thought I was cleaned. After the problems resurfaced I had to unhide them again. I believe the reason that I did not find C:\documentsandsettings\ship\localsettings\temp\cnkvigtc.exe is because it was found by AVG and deleted first. I have downloaded Combofix and will begin the rest of the steps and then the scan. Just wanted to fill you in on the above hidden files issue.
 
Combofix log, etc.

Sorry it took a while to reply. I think this site was having issues. Anyway, I have completed the steps you recommended. I ran the ATF-Cleaner, Cleanmgr, command prompt, "DomainService", etc., but I could not locate "C:\WINDOWS\system32\jnrngaay.exe". Perhaps it was one of the files removed by the AVG scan I mentioned in a previous post? A couple of things arose that I'm not sure of. An S&D notification window opened asking me to allow or deny a change about "category:User specific brower toolbar", "change: value deleted", "new entry: 11A69AE4.....etc. Should I deny this? I saw this same item referenced in post #4 of the below thread.

http://forums.spybot.info/search.php?searchid=633476

Also, a Windows security alert window opened asking me to block or unblock "Javaw". Any suggestions? Anyway, the Combofix log is below. Thanks again.

ComboFix 07-11-19.4 - ship 2007-11-27 8:57:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.157 [GMT -5:00]
Running from: C:\Documents and Settings\ship\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini2
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 11:13 84,545 --a------ C:\WINDOWS\system32\okwxxfhv.dll
2007-11-26 11:07 80,960 --a------ C:\WINDOWS\system32\rcmkareq.dll
2007-11-21 10:53 <DIR> d-------- C:\VundoFix Backups
2007-11-21 10:07 714,281 --ahs---- C:\WINDOWS\system32\klspifxh.ini
2007-11-21 10:07 84,545 --a------ C:\WINDOWS\system32\hxfipslk.dll
2007-11-21 10:01 80,960 --a------ C:\WINDOWS\system32\rlvuqhyj.dll
2007-11-19 09:12 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-19 09:11 <DIR> d-------- C:\Program Files\Java
2007-11-19 09:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-15 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 10:00 79,936 --a------ C:\WINDOWS\system32\mxxvbimm.dll
2007-11-14 12:24 <DIR> d-------- C:\Documents and Settings\ship\Application Data\Grisoft
2007-11-14 12:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-14 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 21:28 672,261 --ahs---- C:\WINDOWS\system32\sfddpoxy.ini
2007-11-13 09:11 <DIR> d-------- C:\TEMP\abW9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 14:47 --------- d-----w C:\Program Files\Google
2007-11-15 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 16:27 --------- d-----w C:\Program Files\lmw32
2007-10-09 16:09 49,152 ----a-w C:\Documents and Settings\ship\PNPrint3.exe
2007-06-05 04:51 96,824 ----a-w C:\Documents and Settings\DOROTHY\Application Data\GDIPFONTCACHEV1.DAT
2006-04-12 13:16 88,592 ----a-w C:\Documents and Settings\ship\Application Data\GDIPFONTCACHEV1.DAT
2005-07-19 12:46 69,128 ----a-w C:\Documents and Settings\samrab\Application Data\GDIPFONTCACHEV1.DAT
2005-04-25 16:49 25,680 --sha-w C:\WINDOWS\msagent\rvsnur.bak1
2005-04-29 16:50 442,796 --sha-w C:\WINDOWS\msagent\rvsnur.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01408191-AA0E-4E1F-99F5-59AFB71DA20F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
C:\WINDOWS\system32\iifggge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c0404a5-2dbc-400c-b866-330068b9c644}]
2007-11-26 11:07 80960 --a------ C:\WINDOWS\system32\rcmkareq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b03ac20d-d24d-4551-8def-feba2d87e8db}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4728951-1E39-450D-B2CB-2B48A73A4E02}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA2B1675-E3EB-4062-B876-20D8BE9C9A32}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2001-12-04 12:07 C:\WINDOWS\GWMDMMSG.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 00:21]
"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:40]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 12:29]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 05:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\iifggge.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggge]
C:\WINDOWS\System32\NavLogon.dll 2003-05-21 00:19 45056 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllml.dll

R0 rttmntr;R-TT Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\rttmntr.sys
R0 snaprtt;Acronis Snapshots Manager (R-TT);C:\WINDOWS\system32\DRIVERS\snaprtt.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R2 rttfsfilt;R-TT FS Filter;C:\WINDOWS\system32\DRIVERS\rttfsfilt.sys
S1 ITE8872;ITE8872 PCI Super IO Driver;C:\WINDOWS\system32\drivers\ITE8872.sys
S2 ITE8872par;ITE8872 Parallel Driver;C:\WINDOWS\system32\drivers\ITE8872par.sys
S2 ITE8872ser;ITE8872 Serial Driver;C:\WINDOWS\system32\drivers\ITE8872ser.sys
S2 NTFILERW;NTFILERW;\??\C:\WINDOWS\System32\Drivers\NTFILERW.SYS
S3 FILEMON;FILEMON;\??\C:\WINDOWS\system32\drivers\DSYNC.SYS
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 14:11:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 09:10:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-27 9:14:21 - machine was rebooted
.
--- E O F ---
 
I supplied you with tutorials for using Spybot and TeaTimer. If you have any more questions about those, post them here:
http://forums.spybot.info/forumdisplay.php?f=4

If you get a request for access and you do not know what it is, then deny it and use Google to find out where the request was from so you will know the next time.

You posted a dead link; check your links if you are going to post them.

Make sure all files and folders are visible. These files may be gone; check and delete any you find.

C:\WINDOWS\system32\okwxxfhv.dll
C:\WINDOWS\system32\rcmkareq.dll
C:\WINDOWS\system32\klspifxh.ini
C:\WINDOWS\system32\hxfipslk.dll
C:\WINDOWS\system32\rlvuqhyj.dll
C:\WINDOWS\system32\mxxvbimm.dll
C:\WINDOWS\system32\sfddpoxy.ini

Here is the Google search engine: http://www.google.com/
Results of a search for "Javaw"
http://www.google.com/search?hl=en&q=Javaw&btnG=Search
 
Haven't connected

I have yet to reconnect to the internet for fear of a reoccurrence like last time. Shall I reconnect?
 
So far so good, but....

Good morning Phil. I am back online and so far so good. I briefly surfed around and did not get any pop-ups or other tabs opening in IE. I ran HJT to see if there was anything fishy and I found a few things that were not there the last few times I scanned. I will post it below for your review. Of particular concern are the BHO categories, especially the ones referencing "iifggge.dll" and "rcmkareq.dll". The other BHOs I am unsure of. Also, there are two lines regarding "Winlogon Notify". One for sure looks fishy (iifggge!). Anyway, here is the newest HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 2007-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b03ac20d-d24d-4551-8def-feba2d87e8db} - (no file)
O2 - BHO: (no name) - {B4728951-1E39-450D-B2CB-2B48A73A4E02} - (no file)
O2 - BHO: (no name) - {CA2B1675-E3EB-4062-B876-20D8BE9C9A32} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O20 - Winlogon Notify: iifggge - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6930 bytes

FYI: I ran an AVG and S&D scan prior to reconnecting the internet and neither found any issues. :)
 
Thanks for posting. These are leftover junk (not active malware), but we should get rid of it. Understand that spyware programs are designed to block changes, so we need to turn them off.

AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

TeaTimer is probably causing this; at times we have to uninstall the complete Spybot program to get this done.
TeaTimer will block changes we must make, so use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

We will do this also: in some cases it's quite useful to reset TeaTimer once you've had it disabled to remove HijackThis entries:
Download ResetTeaTimer.bat from http://downloads.subratam.org/ResetTeaTimer.bat
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

Once you are sure the above is done, then do this:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b03ac20d-d24d-4551-8def-feba2d87e8db} - (no file)
O2 - BHO: (no name) - {B4728951-1E39-450D-B2CB-2B48A73A4E02} - (no file)
O2 - BHO: (no name) - {CA2B1675-E3EB-4062-B876-20D8BE9C9A32} - (no file)
O20 - Winlogon Notify: iifggge - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner if you still have it; if not, use: http://spyware-free.us/tutorials/cleanmgr/
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and they should be gone. If they are not, then uninstall Spybot S&D completely, reboot, then do the removal again. Reboot, make sure the stuff is gone, then reinstall Spybot S&D.

For your information:
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Thanks
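As an added example (not from this thread, and not part of HijackThis or Spybot), a small Python triage script that reads the O2 and O20 lines of a HijackThis log and picks out exactly the kind of orphaned entries listed above: BHO registrations marked "(no file)" or "(file missing)", and Winlogon Notify subkeys whose DLL is missing or that point at a bare directory. The function names are mine; the sample lines are copied from the HJT log posted earlier in this thread.

```python
import re

# HijackThis line formats handled here (the O2 and O20 sections of the logs above):
#   O2 - BHO: <name> - {CLSID} - <dll path | (no file) | path (file missing)>
#   O20 - Winlogon Notify: <subkey> - <dll path | path (file missing) | bare directory>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<target>.*)$")


def target_status(target):
    """Classify the file field of an O2/O20 entry."""
    t = target.strip()
    if t == "(no file)":
        return "no_file"          # registration exists, HJT found no path at all
    if t.endswith("(file missing)"):
        return "file_missing"     # a path is registered but the DLL is gone
    if t.endswith("\\"):
        return "directory_only"   # e.g. "C:\WINDOWS\": no DLL name left in the value
    return "present"


def parse_hjt_line(line):
    """Return a record for O2/O20 lines; None for every other HJT line type."""
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "name": m.group("name"), "clsid": m.group("clsid"),
                "target": m.group("target"),
                "status": target_status(m.group("target")), "line": line}
    m = O20_RE.match(line)
    if m:
        return {"type": "O20", "name": m.group("subkey"), "clsid": None,
                "target": m.group("target"),
                "status": target_status(m.group("target")), "line": line}
    return None


def orphaned_entries(log_text):
    """All O2/O20 records whose DLL is absent: the leftover registrations an HJT fix removes."""
    records = (parse_hjt_line(l) for l in log_text.splitlines())
    return [r for r in records if r is not None and r["status"] != "present"]


def fix_list(log_text):
    """The exact log lines to tick in HJT's 'Do a system scan only' view."""
    return [r["line"] for r in orphaned_entries(log_text)]


# Sample input: a subset of the O2/O4/O20 lines from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01408191-AA0E-4E1F-99F5-59AFB71DA20F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\iifggge.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {446c9b86-0033-668b-c004-cbd25a4040c6} - {6c0404a5-2dbc-400c-b866-330068b9c644} - C:\WINDOWS\system32\rcmkareq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: iifggge - C:\WINDOWS\
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
"""

if __name__ == "__main__":
    for rec in orphaned_entries(SAMPLE_LOG):
        print(f"{rec['type']:<4} {rec['status']:<15} {rec['name']}")
```

Entries with a present DLL (Adobe, Spybot, Java) are left alone; only the six dangling registrations come back, in log order, ready to be checked in HJT.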
 
Problem with resetting TeaTimer?

I have completed the steps including running resetteatimer.bat. The command window opens and says to make sure S&D and TeaTimer are not running (which they aren't); pressing Enter starts the process and I get the message

C:\documents and settings\ship\desktop\getpaths.vbx(16, 1) Wscript.creatobjects: Could not create object named "wscript.shell".

and

'setpaths.bat' is not recognized as an internal or external command, operable program or batch file. Could not find C:\documents and settings\ship\desktop\setpaths.bat

Finished.


I did a Google search for a guide or info on this program but came up with very little. I have not proceeded because I am unsure if it accomplished what we needed it to. If this has not done the job we hoped, should I uninstall S&D altogether?
 
I have no idea why you got that message, it should have just happened. If the junk is still there, use the uninstall/reinstall method. The stuff is just clutter, not malware.

Thanks
 
All Seems Good!

I followed all of the procedures you suggested. I did an uninstall of S&D, verified that ALL of the junk files were removed, reinstalled S&D, ran an AVG scan and S&D scan, both of which came back clean, reconnected to the internet and surfed around for a minute or so and there appears to be no issue here. As a final step I have produced a final HJT log (I hope:)). Hope it passes.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39, on 2007-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\Software\..\Telephony: DomainName = sawyerproducts.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sawyerproducts.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CC4B60-8000-4B08-AEA8-0F193C1DEAE9}: NameServer = 192.168.0.10,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6156 bytes
 
All Is Good

Good morning Phil. A bit foggy this morning, isn't it (I'm in Clearwater too). I have reversed all of the changes you made to accomplish this project (re-hidden folders, turned on AVG, S&D, etc.) and everything seems to be alright. Thanks for all of the help again and keep up the fight.
 