Brave Sentry - cannot delete [HijackThis included]

A friend of mine recently brought me a computer that is used in his family's restaurant. It appeared to have a fake anti-virus/anti-spyware program on it. A little investigation revealed that it was Brave Sentry, a notoriously difficult to remove piece of spyware. I first tried to follow a tutorial on the removal of it that involved deleting several files and running the smitRem utility. This failed to completely remove Brave Sentry. I then ran Spybot S&D, SmitFraudFix, AVG Anti-Virus, Ad-Aware SE, and AVG Anti-Spyware, all of which found large amounts of spyware and removed them. However, upon reboot, some of this spyware returned. I decided to run HijackThis and submit the log to HijackThis.de. I checked the items the analyzer recommended; however, I had to use LSPfix to remove abcefgh.dll from Winsocks. I also removed several items from startup using msconfig, including akira.exe and nnmjig.dll. This seemed to prevent the rest of the spyware from returning upon reboot; however, Brave Sentry stubbornly refuses to go away. I am at my wit's end in dealing with this stubborn piece of spyware, and I want to get it fixed as soon as possible so that my friend's family can use it again. Here is the HijackThis log:

[changed to v1.99.1]

Logfile of HijackThis v1.99.1
Scan saved at 11:22:53 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\aspi12184.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi12184.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\9.tmp".exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Comments

  • Etzo (Finland)
    edited April 2007
    Hi! I'll check your log. Please be patient.
  • edited April 2007
    Don't worry about it. My friend decided to take his computer to a store to have it professionally repaired. You should probably ask a mod to delete this thread, as I no longer have access to the computer in question.
  • Kentigern (Milton Keynes, UK)
    edited April 2007
    Thanks for the update misterchief. :)
    The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead


    Would you be interested in joining the Short-Media (Team #93) with the Folding@Home Project? More information available here :)
  • Trogan (London, UK)
    edited April 2007
    Thread reopened due to user request.
  • edited April 2007
    My friend brought his computer back to my house because the computer store he took it to couldn't fix it. Almost nothing has been done since, but I can tell a few more things. The most recent anti-spyware/anti-virus scans found the following:

    Spybot S&D:
    Microsoft.Windows.ActiveDesktop

    Ad-Aware:
    None

    AVG Anti-Spyware:
    Worm.Zhelatin.CG

    AVG Anti-Virus:
    Downloader.Tibs
    SpamTool.OP
    Agent.AOU
    Downloader.Agent.KCU
    Generic2.KMV
    Possibly more, but the scan always freezes at C:\WINDOWS\system32\shimgvw.dll

    Brave Sentry also still shows up on the task bar when I boot normally
    I am also getting errors that seem to be related to various processes running out of memory (i.e. lsass.exe, svchost.exe). In addition, I sometimes get a system shutdown window that says Windows will shut down in 60 seconds because a service has been unexpectedly terminated.

    We would have backed up data files and reinstalled the operating system long ago, but the computer owner does not have the disks for several important pieces of software as well as the OS itself. Please keep in mind that this is a computer used in a business (a Chinese restaurant), so the sooner I can fix it, the sooner I can give it back to them.
  • edited April 2007
    No one has responded in 72 hours, so I am posting a new log and renewing my request for help. Please note that AVG Free Antivirus and AVG Anti-Spyware are still finding occasional threats. In addition, the system is unstable, with frequent crashes, as well as memory errors for critical system processes.

    New log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:43:25 PM, on 4/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\aspi41254.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
    O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi41254.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\9.tmp".exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
  • Trogan (London, UK)
    edited April 2007
    Hi misterchief,

    Sorry no one got back to you. I will take over.

    However, I have some bad news.

    The computer is infected by multiple infections that have Backdoor capabilities. This can give intruders complete control of your computer, logging key strokes, stealing information, etc. :(

    You are strongly advised to do the following immediately!:
    • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
      • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
    Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

    To help you make a more informed decision, please read the following articles:

    Should you have any questions, please feel free to ask.

    Please let me know your decision and we'll get started with clean up if that's what you choose.
  • edited April 2007
    The situation is both better and worse than I previously thought. This is not actually my computer. It is used at a Chinese food restaurant to take customer orders and make menus. The restaurant itself stored no financial or other personal information on the computer; however, this is not the problem. The reason the computer is so badly infected is because employees, friends of employees, and relatives of employees used it to surf the Internet without any anti-virus or anti-spyware protection. No one knows for sure exactly what they did or if they ever entered any personal or financial information. I have passed this information on to the restaurant owner, and she will hopefully pass it on to those who used the computer.

    As of now, I would like to try to clean the computer because the owner does not have install disks for the OS (OEM Windows XP) or any of the software used for the customer check-in (such as the touch screen.) As I have said before, both the restaurant owner and I greatly appreciate all of the help you are giving us.
  • Trogan (London, UK)
    edited April 2007
    Hi misterchief,

    Let's see if we can get the PC cleaned.

    Please do the following...

    1. Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Paste the contents of the Report.txt back here in your next reply.
    2. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    3. Please post the following...
    • Report.txt from SDFix
    • Uninstall list
    • New HijackThis log
    Is there an active Firewall on this computer?
  • edited April 2007
    First SDFix:


    SDFix: Version 1.78

    Run by Administrator - 04/11/2004 Sun - 22:34:53.53

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    aspi113210
    Client IP-IPX
    kprof
    ldrsvc
    mmupdate
    poof

    ImagePath:



    Trojan Subkey Found:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\origami

    Filepath:
    C:\WINDOWS\system32\prn64.dll

    prn64.dll will be moved on reboot to SDFix\Backups
    Notify Key Permissions will be repaired after Reboot...


    Trojan Subkey Found:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\origami

    Filepath:

    .dll will be moved on reboot to SDFix\Backups
    Notify Key Permissions will be repaired after Reboot...



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\prn64.dll - Deleted
    C:\WINDOWS\system32\aspi41254.exe - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\ALIVE_~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\ALIVE_~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\ALIVE_~3.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\ALIVE_~4.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\AL64FC~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\AL68FC~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\RUNNED~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\RUNNED~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUF7B0~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUF7B2~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUF7B6~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUNNED~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUNNED~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUNNED~3.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0PQ7WXEF\RUNNED~4.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\ALIVE_~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\RUF7B2~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\RUNNED~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\RUNNED~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\RUNNED~3.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\RUNNED~4.HTM - Deleted
    C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
    C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
    C:\WINDOWS\SYSTEM32\SFXZMT~1.DLL - Deleted
    C:\WINDOWS\SYSTEM32\SFXZMT~2.DLL - Deleted
    C:\WINDOWS\SYSTEM32\SFXZMT~3.DLL - Deleted
    C:\WINDOWS\SYSTEM32\SFXZMT~4.DLL - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_1~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_2~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_3~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_4~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_5~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_6~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\01U7S1M3\TASK_7~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_1~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_1~3.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_1~4.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_1~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_2~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_2~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_3~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_4~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_5~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_6~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_7~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_8~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\C1ENSDIV\TASK_9~1.HTM - Deleted
    C:\WINDOWS\system32\ma.exe.exe - Deleted
    C:\WINDOWS\system32\pep.exe.exe - Deleted
    C:\WINDOWS\system32\zoom.exe.exe - Deleted
    C:\WINDOWS\s32.txt - Deleted
    C:\WINDOWS\system32\ipv6mons.dll - Deleted
    C:\WINDOWS\system32\unsvchosts.exe - Deleted
    C:\WINDOWS\Temp\_check32.bat - Deleted
    C:\WINDOWS\Temp\_td10.tmp - Deleted
    C:\WINDOWS\Temp\_td11.tmp - Deleted
    C:\WINDOWS\Temp\_td12.tmp - Deleted
    C:\WINDOWS\Temp\_td13.tmp - Deleted
    C:\WINDOWS\Temp\_td14.tmp - Deleted
    C:\WINDOWS\Temp\_td15.tmp - Deleted
    C:\WINDOWS\Temp\_td16.tmp - Deleted
    C:\WINDOWS\Temp\_td17.tmp - Deleted
    C:\WINDOWS\Temp\_td18.tmp - Deleted
    C:\WINDOWS\Temp\_td19.tmp - Deleted
    C:\WINDOWS\Temp\_td1A.tmp - Deleted
    C:\WINDOWS\Temp\_td1B.tmp - Deleted
    C:\WINDOWS\Temp\_td1C.tmp - Deleted
    C:\WINDOWS\Temp\_td1D.tmp - Deleted
    C:\WINDOWS\Temp\_td1E.tmp - Deleted
    C:\WINDOWS\Temp\_td1F.tmp - Deleted
    C:\WINDOWS\Temp\_td2.tmp - Deleted
    C:\WINDOWS\Temp\_td20.tmp - Deleted
    C:\WINDOWS\Temp\_td21.tmp - Deleted
    C:\WINDOWS\Temp\_td22.tmp - Deleted
    C:\WINDOWS\Temp\_td23.tmp - Deleted
    C:\WINDOWS\Temp\_td24.tmp - Deleted
    C:\WINDOWS\Temp\_td25.tmp - Deleted
    C:\WINDOWS\Temp\_td26.tmp - Deleted
    C:\WINDOWS\Temp\_td27.tmp - Deleted
    C:\WINDOWS\Temp\_td28.tmp - Deleted
    C:\WINDOWS\Temp\_td29.tmp - Deleted
    C:\WINDOWS\Temp\_td2A.tmp - Deleted
    C:\WINDOWS\Temp\_td2B.tmp - Deleted
    C:\WINDOWS\Temp\_td2D.tmp - Deleted
    C:\WINDOWS\Temp\_td2E.tmp - Deleted
    C:\WINDOWS\Temp\_td3.tmp - Deleted
    C:\WINDOWS\Temp\_td30.tmp - Deleted
    C:\WINDOWS\Temp\_td31.tmp - Deleted
    C:\WINDOWS\Temp\_td4.tmp - Deleted
    C:\WINDOWS\Temp\_td4D.tmp - Deleted
    C:\WINDOWS\Temp\_td4F.tmp - Deleted
    C:\WINDOWS\Temp\_td5.tmp - Deleted
    C:\WINDOWS\Temp\_td50.tmp - Deleted
    C:\WINDOWS\Temp\_td6.tmp - Deleted
    C:\WINDOWS\Temp\_td7.tmp - Deleted
    C:\WINDOWS\Temp\_td8.tmp - Deleted
    C:\WINDOWS\Temp\_td9.tmp - Deleted
    C:\WINDOWS\Temp\_td90.tmp - Deleted
    C:\WINDOWS\Temp\_td93.tmp - Deleted
    C:\WINDOWS\Temp\_tdA.tmp - Deleted
    C:\WINDOWS\Temp\_tdB.tmp - Deleted
    C:\WINDOWS\Temp\_tdC.tmp - Deleted
    C:\WINDOWS\Temp\_tdD.tmp - Deleted
    C:\WINDOWS\Temp\_tdDB.tmp - Deleted
    C:\WINDOWS\Temp\_tdDC.tmp - Deleted
    C:\WINDOWS\Temp\_tdE.tmp - Deleted
    C:\WINDOWS\Temp\_tdF.tmp - Deleted
    C:\WINDOWS\Temp\_tdF4.tmp - Deleted
    C:\WINDOWS\Temp\_tdF5.tmp - Deleted
    C:\WINDOWS\ws386.ini - Deleted
    C:\WINDOWS\system32\.dll - Deleted



    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:


    Rootkit PE386 Active, Use a Rootkit scanner !

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\system32\\smt.exe"="C:\\WINDOWS\\system32\\smt.exe:*:Enabled:enable"
    "C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"
    "C:\\WINDOWS\\TEMP\\19.tmp.exe"="C:\\WINDOWS\\TEMP\\19.tmp.exe:*:Enabled:qwertybot"
    "C:\\WINDOWS\\system32\\vexga4m1et4.exe"="C:\\WINDOWS\\system32\\vexga4m1et4.exe:*:Enabled:enable"
    "C:\\WINDOWS\\TEMP\\20.tmp.exe"="C:\\WINDOWS\\TEMP\\20.tmp.exe:*:Enabled:qwertybot"
    "C:\\WINDOWS\\system32\\qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe:*:Enabled:qwertybot"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


    Remaining Files:


    Checking For Files with Hidden Attributes:


    Finished

    HijackThis uninstall log:

    ·L3n·sa`-μ?e?Jak 2003
    Acronis?True?Image
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    AOL Instant Messenger
    AOpen FM56-PLX Controllerless PCI Modem
    AVG 7.5
    AVG Anti-Spyware 7.5
    DAEMON Tools
    HijackThis 1.99.1
    Intel(R) 537EP Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    ITE 887x PCI Multi-I/O Controller
    LiveReg (Symantec Corporation)
    LiveUpdate 2.5 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft MapPoint North America 2004
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (2.0.0.3)
    MSN
    MySQL Administrator 1.1
    MySQL Query Browser 1.1
    MySQL Server 5.0
    NetMos Multi-IO Controller
    NetZero
    NetZero HiSpeed (remove only)
    Qwest QuickCare
    SoundMAX
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Symantec pcAnywhere
    TouchWare 5.64 SR5
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar
    WinRAR archiver

    Finally new HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:43:00 PM, on 4/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
    O20 - Winlogon Notify: hsfmib - hsfmib.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    As of now, Windows Firewall is turned ON, however there is no other firewall software. In addition, it should be noted that when I booted into Safe Mode to run SDFix, I got a system shutdown warning (something about DCOM service prematurely terminated.) However I was able to get around this by setting the clock back one year so that instead of only having 1:00 minute until shutdown, I have 365 days. I am guessing that this problem is related to the spyware, but I just wanted you to know in case that helps.
  • Trogan London, UK
    edited April 2007
    Hi misterchief,
    In addition, it should be noted that when I booted into Safe Mode to run SDFix, I got a system shutdown warning (something about DCOM service prematurely terminated.) However I was able to get around this by setting the clock back one year so that instead of only having 1:00 minute until shutdown, I have 365 days.
    Thanks for letting me know. We'll see what we can do about this.

    Please do the following...

    1. Download RustBFix from one of the following locations...

    http://www.uploads.ejvindh.net/rustbfix.exe

    http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

    ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles in your next reply.

    2. Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    3. Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    4. Please post the following...
    • RustBFix logs
    • VundoFix.txt
    • New HijackThis log

    The computer seems to be lacking Critical Windows Update. Please update Windows via Windows Update and then post a new Uninstall list also.
  • edited April 2007
    I've got all of the logs you need. However, Windows Update keeps freezing when the updates try to install and I have to close it with the task manager.

    First RustBFix:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\hmwqwxvf

    *******************

    Script file located at: \??\C:\Program Files\ctvqrqdu.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver PE386 unloaded successfully.
    Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.

    ************************* Rustock.b-fix -- By ejvindh *************************
    04/12/2007 Thu 16:35:58.06

    ******************* Pre-run Status of system *******************

    Rootkit driver PE386 is found. Starting the unload-procedure....

    Rustock.b-ADS attached to the System32-folder:
    No streams found.

    Looking for Rustock.b-files in the System32-folder:
    system32\lzx32.sys FOUND!
    attempting to delete lzx32.sys from system32-folder


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile ********************************

    Now VundoFix (Note that it did not actually find anything):


    VundoFix V6.3.19

    Checking Java version...

    Sun Java not detected
    Scan started at 4:42:40 PM 4/12/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...


    Next is HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:43:31 PM, on 4/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
    O20 - Winlogon Notify: hsfmib - hsfmib.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Finally, the uninstall list:

    ·L3n·sa`-μ?e?Jak 2003
    Acronis True Image
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    AOL Instant Messenger
    AOpen FM56-PLX Controllerless PCI Modem
    AVG 7.5
    AVG Anti-Spyware 7.5
    DAEMON Tools
    HijackThis 1.99.1
    Intel(R) 537EP Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    ITE 887x PCI Multi-I/O Controller
    LiveReg (Symantec Corporation)
    LiveUpdate 2.5 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft MapPoint North America 2004
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (2.0.0.3)
    MSN
    MySQL Administrator 1.1
    MySQL Query Browser 1.1
    MySQL Server 5.0
    NetMos Multi-IO Controller
    NetZero
    NetZero HiSpeed (remove only)
    Qwest QuickCare
    Security Update for Windows XP (KB928843)
    SoundMAX
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Symantec pcAnywhere
    TouchWare 5.64 SR5
    Update for Windows XP (KB898461)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar
    Windows Installer 3.1 (KB893803)
    WinRAR archiver
  • Trogan London, UK
    edited April 2007
    Hi misterchief, sorry for the delay.

    Please do the following...

    1. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll (file missing)

    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
    O20 - Winlogon Notify: hsfmib - hsfmib.dll (file missing)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    2. Run HijackThis and click on Open the Misc Tools section.
    Click on Delete a file on reboot...
    Copy and paste the following into the "File name:" text box and then click Open:

    C:\WINDOWS\system32\a3dxq.dll

    When you are asked "Do you want to restart your computer now?", click OK.

    Your PC MUST reboot to delete the file!

    3. Please do an online scan with Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log
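The entries Trogan singles out above are the two patterns a defender looks at first in a HijackThis log: a "(file missing)" reference left behind after an earlier removal, and a Winlogon Notify DLL (O20) that no known package on the machine accounts for. The following Python script is an added example, not part of the thread and not a HijackThis feature: it parses O2/O4/O20/O23 lines and reports those two patterns. The sample log lines are copied from the logs posted in this thread; the allowlist of expected Winlogon Notify packages (igfxcui, PCANotify) is an assumption constructed from what is visible here, and in practice would come from a clean baseline of the same Windows build.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not a HijackThis tool).

It parses the O2/O4/O20/O23 entries, then flags the two things a defender reviews
first: dangling "(file missing)" references (left-over persistence from an earlier
removal) and Winlogon Notify DLLs that are not on an allowlist of expected packages.
A finding is something to review, not an automatic verdict.
"""
import re
import sys
from dataclasses import dataclass

# Sample log lines copied from the logs posted in this thread (constructed excerpt).
SAMPLE_LOG = r"""
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {a1012244-21e3-4590-b017-643df0b800c6} - C:\WINDOWS\system32\hsfmib.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: hsfmib - hsfmib.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
"""

# Constructed allowlist (assumption): Winlogon Notify packages this machine is
# expected to have, i.e. the Intel graphics helper and pcAnywhere seen in the thread.
EXPECTED_NOTIFY = {"igfxcui", "pcanotify"}

MISSING_TAG = "(file missing)"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O20 - Winlogon Notify: <rest>"
RUN_RE = re.compile(r"^\[(.*?)\] (.*)$")             # O4 form: "[ValueName] <command>"


@dataclass
class Entry:
    section: str       # e.g. "O20"
    kind: str          # e.g. "Winlogon Notify"
    name: str          # registry value, BHO name or service name
    path: str          # file the entry loads
    file_missing: bool  # HijackThis could not find the file on disk


def parse_hjt(text):
    """Parse HijackThis O-lines into Entry objects; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        file_missing = rest.endswith(MISSING_TAG)
        if file_missing:
            rest = rest[: -len(MISSING_TAG)].strip()
        if section == "O4":
            r = RUN_RE.match(rest)
            name, path = (r.group(1), r.group(2)) if r else ("", rest)
        else:
            # "name - {clsid} - path" or "name - path": first part is the name, last is the path
            parts = rest.split(" - ")
            name, path = parts[0], parts[-1]
        entries.append(Entry(section, kind, name, path, file_missing))
    return entries


def triage(entries, expected_notify=EXPECTED_NOTIFY):
    """Return (entry, reason) pairs for entries that deserve a human look."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e, "dangling reference: loads a file that no longer exists"))
        elif e.section == "O20" and e.name.lower() not in expected_notify:
            findings.append((e, "Winlogon Notify DLL not on the expected-package list"))
    return findings


def flagged_names(findings):
    """Compact (section, name) view of the findings, handy for tests and reports."""
    return [(e.section, e.name) for e, _ in findings]


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; without an argument the sample is used.
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for entry, reason in triage(parse_hjt(log)):
        print(f"{entry.section:>4} {entry.name!r:45} {entry.path}\n     -> {reason}")
```

Run against the second log in this thread, the script reports exactly the three entries Trogan asks to fix (the hsfmib BHO, the A3dxq notify DLL and the hsfmib notify stub) plus the missing alg.exe service binary, which is worth checking on a fresh install since the Application Layer Gateway service is a Windows component. The allowlist approach is deliberately conservative: a random-looking name like A3dxq is only flagged because nothing on the baseline claims it, so the baseline must come from a machine you trust.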
  • edited April 2007
    The computer owner has informed me that the company that originally provided them the computer is willing to reinstall the operating system and needed software for free. If there are any files you would like me to upload for research purposes, please tell me within 24 hours as that is when they will be getting the computer from me. Both they and I are very grateful for the help you have provided, and I am glad that I will be able to follow the industry recommendation of wiping the computer and doing a fresh install. And this time they will be making sure to install protection!
  • Trogan London, UK
    edited April 2007
    No files need uploading, thanks. Hope the fresh install goes smoothly.