If geeks love it, we’re on it

Howdy, Stranger!

You found the friendliest gaming & tech geeks around. Say hello!

HijackThis log for review please

RichDRichD Essex, UK
edited Nov 2007 in Spyware & Virus Removal
Hi There

I have just started working in a new bar and they have been having a few problems.

So far I have found traces of OIN, SpyShredder and Trojan BHO.BNQ. I think I have cleaned most but I would like someone to have a look at the HijackThis if they could please.

Many thanks,

Rich

Logfile of HijackThis v1.99.1
Scan saved at 6:31:30 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O2 - BHO: (no name) - {EC0AF991-8DC2-4762-B1A3-BD3BB3E965EA} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\abeh.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\jsaadpbq.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Update_0710_KB100205.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

Comments

  • edited Nov 2007
    Hi Rich and welcome to Icrontic Spyware & Virus Removal

    Please download SDFix by AndyManchesta and save it to your desktop.

    Double-click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix).

    Please then reboot your computer into Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option, to run Windows in "Safe Mode", then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, please do the following:
    • Open the extracted folder and double-click RunThis.bat to start the script.
    • Type "Y" to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).



    Please download the ComboFix by sUBs:

    NOTE: In the event you already have ComboFix, this is a new version that you have to download.
    • Save it to your desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

    After you have completed the above, please provide:
    Report.txt
    Combofix.txt
  • RichDRichD Essex, UK
    edited Nov 2007
    Thanks Peku,

    Here are the logs as requested.

    ComboFix 07-11-08.3 - Runu 2007-11-14 20:18:19.1 - NTFSx86
    Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Program Files\outlook
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\dwuwkfua.exe
    C:\WINDOWS\system32\nqohqaly.exe
    C:\WINDOWS\system32\nugexrca.exe
    C:\WINDOWS\system32\sdr.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_CMDSERVICE
    \LEGACY_OWLKLFSH
    \owlklfsh


    ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
    .

    2007-11-14 20:16 51,200 --a
    C:\WINDOWS\NirCmd.exe
    2007-11-14 20:05 <DIR> d
    C:\WINDOWS\ERUNT
    2007-11-11 18:30 218,112 --a
    C:\HijackThis.exe
    2007-11-11 18:27 212,843 --a
    C:\hijackthis_199.zip
    2007-11-11 17:18 <DIR> d
    C:\SmitfraudFix
    2007-11-11 17:02 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-11 16:45 1,043,074 --a
    C:\SmitfraudFix.exe
    2007-11-11 16:44 2,708 --a
    C:\WINDOWS\system32\tmp.reg
    2007-11-10 21:51 <DIR> d
    C:\Documents and Settings\Staff\Application Data\AVG7
    2007-11-06 16:26 <DIR> d
    C:\WINDOWS\system32\LogFiles
    2007-11-06 14:43 <DIR> d
    C:\Program Files\Common Files\Adobe
    2007-11-05 12:15 <DIR> d
    C:\WINDOWS\Downloaded Installations
    2007-11-05 12:15 <DIR> d
    C:\Program Files\HP
    2007-11-03 17:08 19,000 --a
    C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-02 12:52 584,192
    c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-02 03:00 <DIR> d--h
    C:\WINDOWS\$hf_mig$
    2007-10-31 20:27 221,184 --a
    C:\WINDOWS\system32\wmpns.dll
    2007-10-31 20:24 <DIR> d
    C:\WINDOWS\provisioning
    2007-10-31 20:24 <DIR> d
    C:\WINDOWS\peernet
    2007-10-31 20:19 <DIR> d
    C:\WINDOWS\ServicePackFiles
    2007-10-31 20:13 22,752 --a
    C:\WINDOWS\system32\spupdsvc.exe
    2007-10-31 20:06 <DIR> d
    C:\WINDOWS\EHome
    2007-10-27 00:06 11,776
    C:\WINDOWS\system32\spnpinst.exe
    2007-10-27 00:06 4,569
    C:\WINDOWS\system32\secupd.dat
    2007-10-26 23:47 9,600 -ra
    C:\WINDOWS\system32\BUFADPT.SYS
    2007-10-25 10:07 614,912 --a
    C:\WINDOWS\system32\h323msp.dll
    2007-10-25 10:07 331,264 --a
    C:\WINDOWS\system32\ipnathlp.dll
    2007-10-25 10:07 77,312 --a
    C:\WINDOWS\system32\browser.dll
    2007-10-25 10:07 40,960 --a
    C:\WINDOWS\system32\mf3216.dll
    2007-10-25 10:02 239,104 --a
    C:\WINDOWS\system32\srrstr.dll
    2007-10-25 10:00 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
    2007-10-25 10:00 26,112 --a
    C:\WINDOWS\system32\xpsp1hfm.exe
    2007-10-23 19:23 <DIR> d
    C:\WINDOWS\system32\bits
    2007-10-21 19:45 <DIR> d
    C:\Documents and Settings\Runu\Application Data\AVG7
    2007-10-21 19:43 <DIR> d
    C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-21 19:41 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-21 19:41 75,248 --a
    C:\WINDOWS\zllsputility.exe
    2007-10-21 19:40 1,086,952 --a
    C:\WINDOWS\system32\zpeng24.dll
    2007-10-21 13:59 <DIR> d
    C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-10-21 13:32 438,784
    C:\WINDOWS\system32\xpob2res.dll
    2007-10-21 13:32 351,232 --a
    C:\WINDOWS\system32\winhttp.dll
    2007-10-21 13:32 18,944 --a
    C:\WINDOWS\system32\qmgrprxy.dll
    2007-10-21 13:32 8,192
    C:\WINDOWS\system32\bitsprx2.dll
    2007-10-21 13:32 7,168
    C:\WINDOWS\system32\bitsprx3.dll
    2007-10-21 13:29 549,720 --a
    C:\WINDOWS\system32\wuapi.dll
    2007-10-21 13:29 325,976 --a
    C:\WINDOWS\system32\wucltui.dll
    2007-10-21 13:29 203,096 --a
    C:\WINDOWS\system32\wuweb.dll
    2007-10-21 13:29 186,136 --a
    C:\WINDOWS\system32\wuaueng1.dll
    2007-10-21 13:29 167,704 --a
    C:\WINDOWS\system32\wuauclt1.exe
    2007-10-21 13:29 33,624 --a
    C:\WINDOWS\system32\wups.dll
    2007-10-19 18:36 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-19 18:11 <DIR> d
    C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-19 18:09 4,212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2007-10-19 18:08 <DIR> d
    C:\Program Files\Lavasoft
    2007-10-19 18:08 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-19 18:08 11,264 --a
    C:\WINDOWS\system32\SpOrder.dll
    2007-10-19 18:04 <DIR> d
    C:\WINDOWS\system32\ZoneLabs
    2007-10-19 18:02 <DIR> d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-19 18:00 <DIR> d
    C:\WINDOWS\Internet Logs
    2007-10-18 22:49 <DIR> d-a
    C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-18 22:48 626,688 --a
    C:\WINDOWS\system32\msvcr80.dll
    2007-10-18 22:36 <DIR> d
    C:\Program Files\Google
    2007-10-18 22:22 6,505 ---hs---- C:\WINDOWS\system32\yycdd.bak1
    2007-10-18 18:46 1,060,864 --a
    C:\WINDOWS\system32\mfc71.dll
    2007-10-18 18:46 499,712 --a
    C:\WINDOWS\system32\msvcp71.dll
    2007-10-18 18:46 348,160 --a
    C:\WINDOWS\system32\msvcr71.dll
    2007-10-18 18:46 89,088 --a
    C:\WINDOWS\system32\atl71.dll
    2007-10-16 23:31 <DIR> d
    C:\Documents and Settings\Runu\New Folder
    2007-10-16 04:20 114,130 --a
    C:\WINDOWS\system32\vcrr.exe
    2007-10-16 04:20 15 --a
    C:\WINDOWS\system32\jda.exe
    2007-10-16 03:59 114,130 --a
    C:\WINDOWS\system32\sdcrs.exe
    2007-10-16 01:20 114,131 --a
    C:\WINDOWS\system32\jxh.exe
    2007-10-15 15:45 114,130 --a
    C:\WINDOWS\system32\sdrasd.exe
    2007-10-15 15:45 114,130 --a
    C:\WINDOWS\system32\sdcd.exe
    2007-10-15 15:43 114,131 --a
    C:\WINDOWS\system32\jd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 19:24
    d
    w C:\Documents and Settings\Runu\Application Data\U3
    2007-11-11 16:43
    d
    w C:\Program Files\Thomson
    2007-11-11 13:47
    d
    w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-11 13:35
    d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-02 14:08
    d
    w C:\Documents and Settings\Runu\Application Data\LimeWire
    2007-11-02 14:05
    d
    w C:\Program Files\LimeWire
    2007-10-19 17:31 224,256 ----a-w C:\WINDOWS\kbclient39.dll
    2007-10-18 16:14 633,872 --sha-w C:\WINDOWS\system32\mlnmp.bak2
    2007-10-11 23:00 6,465 --sha-w C:\WINDOWS\system32\mlnmp.bak1
    2007-10-11 22:57 114,131 ----a-w C:\WINDOWS\system32\jsda.exe
    2007-10-10 04:50
    d
    w C:\Program Files\Java
    2007-10-10 04:46
    d
    w C:\Program Files\Common Files\Java
    2007-10-10 02:07
    d
    w C:\Program Files\Microsoft ActiveSync
    2007-10-10 01:35
    d
    w C:\Documents and Settings\Runu\Application Data\Talkback
    2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
    2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
    2007-10-10 00:24 114,130 ----a-w C:\WINDOWS\system32\sdcrd32.exe
    2007-10-09 21:32
    d
    w C:\Program Files\Labtec
    2007-10-09 21:32
    d
    w C:\Program Files\Common Files\InstallShield
    2007-10-06 20:48
    d
    w C:\Program Files\SpeedTouch
    2007-10-06 08:11
    d
    w C:\Program Files\microsoft frontpage
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
    C:\WINDOWS\System32\cewmdmf.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
    "Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
    "Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
    "Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "Java (VM) v6.2"=
    "Java (VM) v6.3"=

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
    fccyaxw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
    hggffff.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
    iifcdaa.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
    iifdbbx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
    iiffdab.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
    iiffgfc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
    mljkljk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]
    wvuturs.dll

    R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
    R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
    S2 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

    *Newly Created Service* - OWLKLFSH

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
    C:\WINDOWS\nmfcom32.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-14 20:24:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Java (VM) v6.2 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Java (VM) v6.3 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-14 20:31:47 - machine was rebooted
    .
    --- E O F ---



    SDFix: Version 1.114

    Run by Runu on Wed 11/14/2007 at 08:06 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    wlmsngr

    Path:
    "C:\WINDOWS\wlmsngr.exe"

    wlmsngr - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\WMSOFT~1.EXE - Deleted
    C:\Documents and Settings\Runu\Application Data\WinTouch\wintouch.cfg - Deleted
    C:\WINDOWS\rdrive\aff.exe - Deleted
    C:\WINDOWS\rdrive\apm.exe - Deleted
    C:\WINDOWS\rdrive\rrv.exe - Deleted
    C:\WINDOWS\rdrive\system32.bat - Deleted
    C:\a.bat - Deleted
    C:\dmgr.exe - Deleted
    C:\WINDOWS\b104.exe - Deleted
    C:\WINDOWS\system32\i - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted


    Folder C:\Documents and Settings\Runu\Application Data\WinTouch - Removed
    Folder C:\Program Files\Temporary - Removed
    Folder C:\Program Files\WinAble - Removed
    Folder C:\WINDOWS\rdrive - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-14 20:11:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:

    File Backups: - C:\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Thu 11 Oct 2007 6,465 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak1"
    Thu 18 Oct 2007 633,872 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak2"
    Thu 18 Oct 2007 6,505 ..SH. --- "C:\WINDOWS\system32\yycdd.bak1"
    Wed 14 Nov 2007 3,109,928 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT5.tmp"
    Sat 3 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT8.tmp"
    Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Runu\Application Data\U3\temp\Launchpad Removal.exe"
    Fri 30 Jul 2004 24,576 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0001.tmp"
    Fri 30 Jul 2004 25,600 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0379.tmp"

    Finished!

    You didn't ask for it but I thought I would add a new hijackthis log too

    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:49 PM, on 11/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\system32\java.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
    O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
    O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
    O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
    O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
    O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
    O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
    O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
    O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
    O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    Thanks Again

    Rich
  • edited Nov 2007
    Hi Rich
    Do you know what these directories or programs are?
    C:\WINDOWS\UnVudQ\oBpRxk.vbs

    You currently are running HijackThis from here:
    C:\HijackThis.exe

    Please make a folder here:
    C:\HJT
    and place HijackThis in that folder.

    DO NOT follow the steps below until you have moved HijackThis.

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
      O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
      O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
      O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
      O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
      O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
      O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
      O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
      O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
      O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
      O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
      O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
      O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
      O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
      O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.



    Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\drivers\angajusx.dat
    C:\WINDOWS\system32\drivers\qtfjjoln.dat
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\System32\cewmdmf.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]
    
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • RichDRichD Essex, UK
    edited Nov 2007
    Sorry Peku,

    I have no idea what those files are. I haven't used this computer so have no knowledge of its past use. The bar has recently changed owner so its history is a little merky!

    I will do the above tonight if I get chance. I wil move HJT too but I am just curious as to why it should not be run from C:\

    Thanks for your help
  • edited Nov 2007
    Hi Rich
    That UnVudQ\oBpRxk.vbs......... we remove it later

    Put Hijackthis to its won folder; C:/Hijackthis/Hijackthis.exe This is importatnt for the backups!"

  • RichDRichD Essex, UK
    edited Nov 2007
    Hi Peku,

    Thanks, Logs attached.

    ComboFix 07-11-08.3 - Runu 2007-11-17 12:16:54.2 - NTFSx86
    Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Runu\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\System32\cewmdmf.dll
    C:\WINDOWS\system32\drivers\angajusx.dat
    C:\WINDOWS\system32\drivers\qtfjjoln.dat
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\yycdd.bak1
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\kbclient39.dll
    C:\WINDOWS\system32\jd.exe
    C:\WINDOWS\system32\jda.exe
    C:\WINDOWS\system32\jsda.exe
    C:\WINDOWS\system32\jxh.exe
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\mlnmp.bak2
    C:\WINDOWS\system32\sdcd.exe
    C:\WINDOWS\system32\sdcrd32.exe
    C:\WINDOWS\system32\sdcrs.exe
    C:\WINDOWS\system32\sdrasd.exe
    C:\WINDOWS\system32\vcrr.exe
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\drivers\angajusx.dat . . . . failed to delete
    C:\WINDOWS\system32\drivers\qtfjjoln.dat . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_OWLKLFSH
    \owlklfsh


    ((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
    .

    2007-11-17 11:49 <DIR> d
    C:\HiJackThis
    2007-11-14 20:16 51,200 --a
    C:\WINDOWS\NirCmd.exe
    2007-11-14 20:05 <DIR> d
    C:\WINDOWS\ERUNT
    2007-11-11 18:27 212,843 --a
    C:\hijackthis_199.zip
    2007-11-11 17:18 <DIR> d
    C:\SmitfraudFix
    2007-11-11 17:02 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-11 16:45 1,043,074 --a
    C:\SmitfraudFix.exe
    2007-11-11 16:44 2,708 --a
    C:\WINDOWS\system32\tmp.reg
    2007-11-10 21:51 <DIR> d
    C:\Documents and Settings\Staff\Application Data\AVG7
    2007-11-06 16:26 <DIR> d
    C:\WINDOWS\system32\LogFiles
    2007-11-06 14:43 <DIR> d
    C:\Program Files\Common Files\Adobe
    2007-11-05 12:15 <DIR> d
    C:\WINDOWS\Downloaded Installations
    2007-11-05 12:15 <DIR> d
    C:\Program Files\HP
    2007-11-03 17:08 19,000 --a
    C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-02 12:52 584,192
    c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-02 03:00 <DIR> d--h
    C:\WINDOWS\$hf_mig$
    2007-10-31 20:27 221,184 --a
    C:\WINDOWS\system32\wmpns.dll
    2007-10-31 20:24 <DIR> d
    C:\WINDOWS\provisioning
    2007-10-31 20:24 <DIR> d
    C:\WINDOWS\peernet
    2007-10-31 20:19 <DIR> d
    C:\WINDOWS\ServicePackFiles
    2007-10-31 20:13 22,752 --a
    C:\WINDOWS\system32\spupdsvc.exe
    2007-10-31 20:06 <DIR> d
    C:\WINDOWS\EHome
    2007-10-27 00:06 11,776
    C:\WINDOWS\system32\spnpinst.exe
    2007-10-27 00:06 4,569
    C:\WINDOWS\system32\secupd.dat
    2007-10-26 23:47 9,600 -ra
    C:\WINDOWS\system32\BUFADPT.SYS
    2007-10-25 10:07 614,912 --a
    C:\WINDOWS\system32\h323msp.dll
    2007-10-25 10:07 331,264 --a
    C:\WINDOWS\system32\ipnathlp.dll
    2007-10-25 10:07 77,312 --a
    C:\WINDOWS\system32\browser.dll
    2007-10-25 10:07 40,960 --a
    C:\WINDOWS\system32\mf3216.dll
    2007-10-25 10:02 239,104 --a
    C:\WINDOWS\system32\srrstr.dll
    2007-10-25 10:00 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
    2007-10-25 10:00 26,112 --a
    C:\WINDOWS\system32\xpsp1hfm.exe
    2007-10-23 19:23 <DIR> d
    C:\WINDOWS\system32\bits
    2007-10-21 19:45 <DIR> d
    C:\Documents and Settings\Runu\Application Data\AVG7
    2007-10-21 19:43 <DIR> d
    C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-21 19:41 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-21 19:41 75,248 --a
    C:\WINDOWS\zllsputility.exe
    2007-10-21 19:40 1,086,952 --a
    C:\WINDOWS\system32\zpeng24.dll
    2007-10-21 13:59 <DIR> d
    C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-10-21 13:32 438,784
    C:\WINDOWS\system32\xpob2res.dll
    2007-10-21 13:32 351,232 --a
    C:\WINDOWS\system32\winhttp.dll
    2007-10-21 13:32 18,944 --a
    C:\WINDOWS\system32\qmgrprxy.dll
    2007-10-21 13:32 8,192
    C:\WINDOWS\system32\bitsprx2.dll
    2007-10-21 13:32 7,168
    C:\WINDOWS\system32\bitsprx3.dll
    2007-10-21 13:29 549,720 --a
    C:\WINDOWS\system32\wuapi.dll
    2007-10-21 13:29 325,976 --a
    C:\WINDOWS\system32\wucltui.dll
    2007-10-21 13:29 203,096 --a
    C:\WINDOWS\system32\wuweb.dll
    2007-10-21 13:29 186,136 --a
    C:\WINDOWS\system32\wuaueng1.dll
    2007-10-21 13:29 167,704 --a
    C:\WINDOWS\system32\wuauclt1.exe
    2007-10-21 13:29 33,624 --a
    C:\WINDOWS\system32\wups.dll
    2007-10-19 18:36 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-19 18:11 <DIR> d
    C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-19 18:09 4,212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2007-10-19 18:08 <DIR> d
    C:\Program Files\Lavasoft
    2007-10-19 18:08 <DIR> d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-19 18:08 11,264 --a
    C:\WINDOWS\system32\SpOrder.dll
    2007-10-19 18:04 <DIR> d
    C:\WINDOWS\system32\ZoneLabs
    2007-10-19 18:02 <DIR> d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-19 18:00 <DIR> d
    C:\WINDOWS\Internet Logs
    2007-10-18 22:49 <DIR> d-a
    C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-18 22:48 626,688 --a
    C:\WINDOWS\system32\msvcr80.dll
    2007-10-18 22:36 <DIR> d
    C:\Program Files\Google
    2007-10-18 18:46 1,060,864 --a
    C:\WINDOWS\system32\mfc71.dll
    2007-10-18 18:46 499,712 --a
    C:\WINDOWS\system32\msvcp71.dll
    2007-10-18 18:46 348,160 --a
    C:\WINDOWS\system32\msvcr71.dll
    2007-10-18 18:46 89,088 --a
    C:\WINDOWS\system32\atl71.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 19:24
    d
    w C:\Documents and Settings\Runu\Application Data\U3
    2007-11-11 16:43
    d
    w C:\Program Files\Thomson
    2007-11-11 13:47
    d
    w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-11 13:35
    d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-02 14:08
    d
    w C:\Documents and Settings\Runu\Application Data\LimeWire
    2007-11-02 14:05
    d
    w C:\Program Files\LimeWire
    2007-10-10 04:50
    d
    w C:\Program Files\Java
    2007-10-10 04:46
    d
    w C:\Program Files\Common Files\Java
    2007-10-10 02:07
    d
    w C:\Program Files\Microsoft ActiveSync
    2007-10-10 01:35
    d
    w C:\Documents and Settings\Runu\Application Data\Talkback
    2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
    2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
    2007-10-09 21:32
    d
    w C:\Program Files\Labtec
    2007-10-09 21:32
    d
    w C:\Program Files\Common Files\InstallShield
    2007-10-06 20:48
    d
    w C:\Program Files\SpeedTouch
    2007-10-06 08:11
    d
    w C:\Program Files\microsoft frontpage
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-14_20.30.57.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-12-19 21:52:18 8,453,632 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
    - 2007-09-27 22:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
    - 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    + 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
    C:\WINDOWS\System32\cewmdmf.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

    R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
    R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
    S4 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

    *Newly Created Service* - OWLKLFSH

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
    C:\WINDOWS\nmfcom32.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-17 12:23:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-17 12:27:39 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-14 20:31
    .
    --- E O F ---

    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:35 PM, on 11/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • edited Nov 2007
    Hi Rich
    Looks much better
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.



    Please visit Virustotal
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\drivers\angajusx.dat
    • Click the Open button
    • Click the Send button
    • Do the same for the following File:
    • C:\WINDOWS\system32\drivers\qtfjjoln.dat
    • Copy and paste the results back here please.



    Please download ATF Cleaner by Atribune.
    • Save it to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

      If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

      If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.



    Download Superantispyware (SAS) free home version
    • Install it and double-click the icon on your desktop to run it.
    • It will ask if you want to update the program definitions, click Yes.
    • Under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    • On the main screen, under Scan for Harmful Software click Scan your computer.
    • On the left check C:\Fixed Drive.
    • On the right, under Complete Scan, choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.
    • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
    • Click close and close again to exit the program.
    So in your next reply, please include the following:
    VirusTotal results.
    SUPERAntispyware.log
    new HijackThis log

    Please let me know how your pc is now.
  • edited Nov 2007
    Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the [url="http://icrontic.com/forum/forumdisplay.php?f=57]Spyware & Virus Removal Forum[/url]

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)
Sign In or Register to comment.