WMF infection causing Spybot to take 3 hrs 35 mins?

[Buster G]

1.99GHz Celeron, Win XP SP2
AVG 7.1.371, Definitions 267.14.12/220
Spybot S&D 1.4, Definitions 2005-12-30

Downloaded and MD5sum'd Spybot and current definitions Dec 28 2005 - ran like a dream, very quick.

Suspect that the pc took a hit from the current WMF exploit - scanned a couple of times with the latest AVG definitions this morning with zero virus's found. Scanned with Spybot - took 3 hrs 35 mins when it was the only application loaded.

Any thoughts on what I should do next?
thx

 

[tashi]

Hello.
Please go here and follow instructions.
Before you post a log

Post the log in this thread.

Someone will then take a look at the system and advise you as soon as available to do so.

Regards.

 

[Buster G]

Bit Defender Virus Scan cleared out a number of virus threats that AVG had 'deliberately' ignored (eg emails deleted before being read but not emptied from Trash) and Spybot ran considerably faster this time, sub 15 minutes.

In between original posting and above scans, AVG identified sphlp32.exe in C:\Windows\system32\ as a Clicker.FR virus threat on system restart, yet did not find it when system scanned (just as it did not show itself in Windows Explorer). Removed sphlp32.exe through the Windows Recovery Console and DOS commands which also took out the mouse driver (nice touch)

Hijack This Log reads

Logfile of HijackThis v1.99.1
Scan saved at 07:05:52, on 05/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
E:\AVG\avgamsvr.exe
E:\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
F:\Temp\winvnc4.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\AVG\avgcc.exe
E:\AVG\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\winkey\WinKey.exe
E:\Open Office 2.0\program\soffice.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
E:\Open Office 2.0\program\soffice.BIN
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
E:\Firefox\firefox.exe
E:\Antispyware\HijackThis.exe

R3 - URLSearchHook: (no name) - {02A418A1-0A78-DF1F-BE8D-47B9FE9C9924} - utsgmon.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "E:\Apple iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\AVG\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKLM\..\Run: [ExchangeMaster] TemplateDongle.exe
O4 - HKLM\..\Run: [dmyyv.exe] C:\WINDOWS\system32\dmyyv.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [Preliminary] KeywordFinder.exe
O4 - HKCU\..\Run: [StatusCheck] Bogobot.exe
O4 - HKCU\..\Run: [trycrt] mozilla-text.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - User Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinKey.lnk = E:\winkey\WinKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\ms\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://demo.kaseya.co.uk/inc/kaxRemote.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/participant/bin/INParticipant.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pssoft.webex.com/client/v_mywebex/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E2FEA55-258A-4271-AD41-32E68A7B5E72}: NameServer = 85.255.116.19,85.255.112.180
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\AVG\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - E:\ipod\bin\iPodService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - F:\Temp\winvnc4.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

 

[LonnyRJones]

Hi, Good job so far.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan,
and check the following items(if there):
R3 - URLSearchHook: (no name) - {02A418A1-0A78-DF1F-BE8D-47B9FE9C9924} - utsgmon.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NSYSCPLSTR] 321102.exe
O4 - HKLM\..\Run: [ExchangeMaster] TemplateDongle.exe
O4 - HKLM\..\Run: [dmyyv.exe] C:\WINDOWS\system32\dmyyv.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E2FEA55-258A-4271-AD41-32E68A7B5E72}: NameServer = 85.255.116.19,85.255.112.180

If you see an entry as well in your O4 lines in hijackthis, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg... for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
Check it as well. If not sure, leave it and only check the ones I asked you to check
===========================================================
Click Fix Checked. Close HijackThis, and click OK to proceed.

Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.

 

[Buster G]

not quite sure what happened to 'report.txt, below is the new HijackThis Log after running fixwareout.exe and checking to repair the files listed

Logfile of HijackThis v1.99.1
Scan saved at 18:20:29, on 08/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
E:\AVG\avgamsvr.exe
E:\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
F:\Temp\winvnc4.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\AVG\avgcc.exe
E:\AVG\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
E:\winkey\WinKey.exe
E:\Open Office 2.0\program\soffice.exe
C:\Apps\ActivBoard\TrayMon.exe
E:\Open Office 2.0\program\soffice.BIN
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
E:\Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Antispyware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "E:\Apple iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\AVG\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Preliminary] KeywordFinder.exe
O4 - HKCU\..\Run: [StatusCheck] Bogobot.exe
O4 - HKCU\..\Run: [trycrt] mozilla-text.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - User Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinKey.lnk = E:\winkey\WinKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\ms\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136536632515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://demo.kaseya.co.uk/inc/kaxRemote.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/participant/bin/INParticipant.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pssoft.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\AVG\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - E:\ipod\bin\iPodService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - F:\Temp\winvnc4.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe​

 

[LonnyRJones]

Look in the c:\fixwareout folder for report txt please
Have hijackthis fix these items
O4 - HKCU\..\Run: [Preliminary] KeywordFinder.exe
O4 - HKCU\..\Run: [StatusCheck] Bogobot.exe
O4 - HKCU\..\Run: [trycrt] mozilla-text.exe
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
===============
Then restart the pc

 

[Buster G]

fixwareout report.txt prior to hjt log 8 Jan 06

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMMPX.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool​

fixwareout report.txt prior to hjt log 9 Jan 06 below

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMMPX.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool​

9 Jan 06 hjt log (after O4 - HKCU\..\Run: [Preliminary] KeywordFinder.exe, O4 - HKCU\..\Run: [StatusCheck] Bogobot.exe, O4 - HKCU\..\Run: [trycrt] mozilla-text.exe & O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) fixed and pc restarted)

Logfile of HijackThis v1.99.1
Scan saved at 09:57:14, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
E:\AVG\avgamsvr.exe
E:\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
F:\Temp\winvnc4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\AVG\avgcc.exe
E:\AVG\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Apps\ActivBoard\TrayMon.exe
E:\winkey\WinKey.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
E:\Open Office 2.0\program\soffice.exe
E:\Open Office 2.0\program\soffice.BIN
E:\Antispyware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "E:\Apple iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\AVG\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - User Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinKey.lnk = E:\winkey\WinKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\ms\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136536632515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://demo.kaseya.co.uk/inc/kaxRemote.dll
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/participant/bin/INParticipant.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pssoft.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\AVG\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - E:\ipod\bin\iPodService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - F:\Temp\winvnc4.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
​

part of the early advice to contain the WMF outbreak was to unregister SHIMGVW.DLL - any thoughts on how to reregister it, particularly as it no longer appears to reside on my pc
thx
bg

 

[LonnyRJones]

Hi

Manualy delete C:\WINDOWS\SYSTEM32\DMMPX.EXE

If SHIMGVW.DLL isnt present either dont worry about it or find someone with the same system as you then register the file, Provided you installed the most recent updates at windows update
Click Start > Run
Paste in this command
regsvr32 SHIMGVW.DLL
And Click OK

 

[Buster G]

C:\WINDOWS\SYSTEM32\DMMPX.EXE manually deleted

Fixwareout.exe run again and report reads

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
​

hjt log now reads

Logfile of HijackThis v1.99.1
Scan saved at 19:24:56, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
E:\AVG\avgamsvr.exe
E:\AVG\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
F:\Temp\winvnc4.exe
C:\fixwareout\SUB\BFU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
E:\Antispyware\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "E:\Apple iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\AVG\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - User Startup: OpenOffice.org 2.0.lnk = E:\Open Office 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinKey.lnk = E:\winkey\WinKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\ms\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136536632515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://demo.kaseya.co.uk/inc/kaxRemote.dll
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/participant/bin/INParticipant.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pssoft.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\AVG\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - E:\ipod\bin\iPodService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - F:\Temp\winvnc4.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
​

 

[LonnyRJones]

Looks good

Try running SpyBot with differant checks(like spyware only) and let us know what times it takes for each
Also see this thread by Yodoma
http://forums.spybot.info/showthread.php?t=1469

 

[Buster G]

Try running SpyBot with differant checks(like spyware only) - where are the settings for this? Is it settings/file sets and run it with only one checked?

Re the link, I read that when I first hit the problem. Setting Settings/Settings/Scan Priority to highest resulted in a similar scan time, 3 1/2 hours plus. Spybot seemed to hang up for a longtime around E2GAIN

 

[LonnyRJones]

where are the settings for this? Is it settings/file sets and run it with only one checked?

Yes try it with only one check selected at a time.

Also lets double check to be sure the wareout/unspypc infection is gone
Download and run blacklite
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
!!Do not rename any files yet

 

[Buster G]

what version of Backlight should I use - your link takes me to a beta version, blbeta.exe, "F-Secure BlackLight Beta", version 2.2.1015.0, file size 611KB, whilst the download link on their web site downloads fs2006f.exe, "F-Secure PEX Installer", version 6.90.11.0 which is a 60.4MB file?

 

[Buster G]

Spybot running with one file set ticked at a time, at "Normal" system scan priority

Cookies 19 secs
Dialers 3 mins 28 secs
Hijackers 7 mins 17 secs
Keyloggers 29 secs
LSP 19 secs
Malware 46 secs
PUPS 1 min 07 secs
Revision 21 secs
Security 24 secs
Spybots 1 min 46 secs
Trojans 43 secs
Tracks 33 secs
total 17 mins 32 secs

compares to 13 mins 32 secs when running with all ticked

 

[LonnyRJones]

Blacklite is a stand alone root detection program and it is beta.
Do not install the regular antivirus program
Go to that link and click the I accept button near the bottom of the page to get the correct item.

 

[Buster G]

Backlite beta log report reads

01/11/06 12:41:42 [Info]: BlackLight Engine 1.0.30 initialized
01/11/06 12:41:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/11/06 12:41:43 [Note]: 7019 4
01/11/06 12:41:43 [Note]: 7005 0
01/11/06 12:41:46 [Note]: 7006 0
01/11/06 12:41:46 [Note]: 7011 512
01/11/06 12:41:48 [Note]: FSRAW library version 1.7.1014
01/11/06 12:44:21 [Note]: 7007 0​

 

[LonnyRJones]

"compares to 13 mins 32 secs when running with all ticked"

Thats about normal.

Are there any current problems

 

[Buster G]

everything appears fine, thanks for your help
bg

 

[LonnyRJones]

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of the forum moderators know.