HijackThis log for review please

RichD · November 2007

Hi There

I have just started working in a new bar and they have been having a few problems.

So far I have found traces of OIN, SpyShredder and Trojan BHO.BNQ. I think I have cleaned most but I would like someone to have a look at the HijackThis if they could please.

Many thanks,

Rich

Logfile of HijackThis v1.99.1
Scan saved at 6:31:30 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O2 - BHO: (no name) - {EC0AF991-8DC2-4762-B1A3-BD3BB3E965EA} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\abeh.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\jsaadpbq.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Update_0710_KB100205.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

peku006 · November 2007

Hi Rich and welcome to Icrontic Spyware & Virus Removal

Please download SDFix by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.

Once in Safe Mode, please do the following:

Open the extracted folder and double-click RunThis.bat to start the script.
Type "Y" to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Please download the ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that you have to download.

Save it to your desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

After you have completed the above, please provide:
Report.txt
Combofix.txt

RichD · November 2007

Thanks Peku,

Here are the logs as requested.

ComboFix 07-11-08.3 - Runu 2007-11-14 20:18:19.1 - NTFSx86
Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Program Files\outlook
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dwuwkfua.exe
C:\WINDOWS\system32\nqohqaly.exe
C:\WINDOWS\system32\nugexrca.exe
C:\WINDOWS\system32\sdr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

\LEGACY_CMDSERVICE

\LEGACY_OWLKLFSH

\owlklfsh

((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 20:16 51,200 --a

C:\WINDOWS\NirCmd.exe
2007-11-14 20:05 <DIR> d

C:\WINDOWS\ERUNT
2007-11-11 18:30 218,112 --a

C:\HijackThis.exe
2007-11-11 18:27 212,843 --a

C:\hijackthis_199.zip
2007-11-11 17:18 <DIR> d

C:\SmitfraudFix
2007-11-11 17:02 <DIR> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 16:45 1,043,074 --a

C:\SmitfraudFix.exe
2007-11-11 16:44 2,708 --a

C:\WINDOWS\system32\tmp.reg
2007-11-10 21:51 <DIR> d

C:\Documents and Settings\Staff\Application Data\AVG7
2007-11-06 16:26 <DIR> d

C:\WINDOWS\system32\LogFiles
2007-11-06 14:43 <DIR> d

C:\Program Files\Common Files\Adobe
2007-11-05 12:15 <DIR> d

C:\WINDOWS\Downloaded Installations
2007-11-05 12:15 <DIR> d

C:\Program Files\HP
2007-11-03 17:08 19,000 --a

C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
2007-11-02 12:52 584,192

c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-02 03:00 <DIR> d--h

C:\WINDOWS\$hf_mig$
2007-10-31 20:27 221,184 --a

C:\WINDOWS\system32\wmpns.dll
2007-10-31 20:24 <DIR> d

C:\WINDOWS\provisioning
2007-10-31 20:24 <DIR> d

C:\WINDOWS\peernet
2007-10-31 20:19 <DIR> d

C:\WINDOWS\ServicePackFiles
2007-10-31 20:13 22,752 --a

C:\WINDOWS\system32\spupdsvc.exe
2007-10-31 20:06 <DIR> d

C:\WINDOWS\EHome
2007-10-27 00:06 11,776

C:\WINDOWS\system32\spnpinst.exe
2007-10-27 00:06 4,569

C:\WINDOWS\system32\secupd.dat
2007-10-26 23:47 9,600 -ra

C:\WINDOWS\system32\BUFADPT.SYS
2007-10-25 10:07 614,912 --a

C:\WINDOWS\system32\h323msp.dll
2007-10-25 10:07 331,264 --a

C:\WINDOWS\system32\ipnathlp.dll
2007-10-25 10:07 77,312 --a

C:\WINDOWS\system32\browser.dll
2007-10-25 10:07 40,960 --a

C:\WINDOWS\system32\mf3216.dll
2007-10-25 10:02 239,104 --a

C:\WINDOWS\system32\srrstr.dll
2007-10-25 10:00 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-10-25 10:00 26,112 --a

C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-23 19:23 <DIR> d

C:\WINDOWS\system32\bits
2007-10-21 19:45 <DIR> d

C:\Documents and Settings\Runu\Application Data\AVG7
2007-10-21 19:43 <DIR> d

C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-21 19:41 <DIR> d

C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-21 19:41 75,248 --a

C:\WINDOWS\zllsputility.exe
2007-10-21 19:40 1,086,952 --a

C:\WINDOWS\system32\zpeng24.dll
2007-10-21 13:59 <DIR> d

C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-21 13:32 438,784

C:\WINDOWS\system32\xpob2res.dll
2007-10-21 13:32 351,232 --a

C:\WINDOWS\system32\winhttp.dll
2007-10-21 13:32 18,944 --a

C:\WINDOWS\system32\qmgrprxy.dll
2007-10-21 13:32 8,192

C:\WINDOWS\system32\bitsprx2.dll
2007-10-21 13:32 7,168

C:\WINDOWS\system32\bitsprx3.dll
2007-10-21 13:29 549,720 --a

C:\WINDOWS\system32\wuapi.dll
2007-10-21 13:29 325,976 --a

C:\WINDOWS\system32\wucltui.dll
2007-10-21 13:29 203,096 --a

C:\WINDOWS\system32\wuweb.dll
2007-10-21 13:29 186,136 --a

C:\WINDOWS\system32\wuaueng1.dll
2007-10-21 13:29 167,704 --a

C:\WINDOWS\system32\wuauclt1.exe
2007-10-21 13:29 33,624 --a

C:\WINDOWS\system32\wups.dll
2007-10-19 18:36 <DIR> d

C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-19 18:11 <DIR> d

C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-19 18:09 4,212 ---h

C:\WINDOWS\system32\zllictbl.dat
2007-10-19 18:08 <DIR> d

C:\Program Files\Lavasoft
2007-10-19 18:08 <DIR> d

C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-19 18:08 11,264 --a

C:\WINDOWS\system32\SpOrder.dll
2007-10-19 18:04 <DIR> d

C:\WINDOWS\system32\ZoneLabs
2007-10-19 18:02 <DIR> d

C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 18:00 <DIR> d

C:\WINDOWS\Internet Logs
2007-10-18 22:49 <DIR> d-a

C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-18 22:48 626,688 --a

C:\WINDOWS\system32\msvcr80.dll
2007-10-18 22:36 <DIR> d

C:\Program Files\Google
2007-10-18 22:22 6,505 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-10-18 18:46 1,060,864 --a

C:\WINDOWS\system32\mfc71.dll
2007-10-18 18:46 499,712 --a

C:\WINDOWS\system32\msvcp71.dll
2007-10-18 18:46 348,160 --a

C:\WINDOWS\system32\msvcr71.dll
2007-10-18 18:46 89,088 --a

C:\WINDOWS\system32\atl71.dll
2007-10-16 23:31 <DIR> d

C:\Documents and Settings\Runu\New Folder
2007-10-16 04:20 114,130 --a

C:\WINDOWS\system32\vcrr.exe
2007-10-16 04:20 15 --a

C:\WINDOWS\system32\jda.exe
2007-10-16 03:59 114,130 --a

C:\WINDOWS\system32\sdcrs.exe
2007-10-16 01:20 114,131 --a

C:\WINDOWS\system32\jxh.exe
2007-10-15 15:45 114,130 --a

C:\WINDOWS\system32\sdrasd.exe
2007-10-15 15:45 114,130 --a

C:\WINDOWS\system32\sdcd.exe
2007-10-15 15:43 114,131 --a

C:\WINDOWS\system32\jd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 19:24

d

w C:\Documents and Settings\Runu\Application Data\U3
2007-11-11 16:43

d

w C:\Program Files\Thomson
2007-11-11 13:47

d

w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-11 13:35

d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 14:08

d

w C:\Documents and Settings\Runu\Application Data\LimeWire
2007-11-02 14:05

d

w C:\Program Files\LimeWire
2007-10-19 17:31 224,256 ----a-w C:\WINDOWS\kbclient39.dll
2007-10-18 16:14 633,872 --sha-w C:\WINDOWS\system32\mlnmp.bak2
2007-10-11 23:00 6,465 --sha-w C:\WINDOWS\system32\mlnmp.bak1
2007-10-11 22:57 114,131 ----a-w C:\WINDOWS\system32\jsda.exe
2007-10-10 04:50

d

w C:\Program Files\Java
2007-10-10 04:46

d

w C:\Program Files\Common Files\Java
2007-10-10 02:07

d

w C:\Program Files\Microsoft ActiveSync
2007-10-10 01:35

d

w C:\Documents and Settings\Runu\Application Data\Talkback
2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
2007-10-10 00:24 114,130 ----a-w C:\WINDOWS\system32\sdcrd32.exe
2007-10-09 21:32

d

w C:\Program Files\Labtec
2007-10-09 21:32

d

w C:\Program Files\Common Files\InstallShield
2007-10-06 20:48

d

w C:\Program Files\SpeedTouch
2007-10-06 08:11

d

w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
C:\WINDOWS\System32\cewmdmf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
"Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
"Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java (VM) v6.2"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat" [2007-09-19 02:42]
"Java (VM) v6.3"="C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat" [2007-09-27 04:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Java (VM) v6.2"=
"Java (VM) v6.3"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
fccyaxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
hggffff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
iifcdaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
iifdbbx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
iiffdab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
iiffgfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
mljkljk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]
wvuturs.dll

R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
S2 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

*Newly Created Service* - OWLKLFSH

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
C:\WINDOWS\nmfcom32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 20:24:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Java (VM) v6.2 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Java (VM) v6.3 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Java (VM) v6.2 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Java (VM) v6.3 = C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 20:31:47 - machine was rebooted
.
--- E O F ---

SDFix: Version 1.114

Run by Runu on Wed 11/14/2007 at 08:06 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
wlmsngr

Path:
"C:\WINDOWS\wlmsngr.exe"

wlmsngr - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WMSOFT~1.EXE - Deleted
C:\Documents and Settings\Runu\Application Data\WinTouch\wintouch.cfg - Deleted
C:\WINDOWS\rdrive\aff.exe - Deleted
C:\WINDOWS\rdrive\apm.exe - Deleted
C:\WINDOWS\rdrive\rrv.exe - Deleted
C:\WINDOWS\rdrive\system32.bat - Deleted
C:\a.bat - Deleted
C:\dmgr.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted

Folder C:\Documents and Settings\Runu\Application Data\WinTouch - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\WINDOWS\rdrive - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 20:11:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 11 Oct 2007 6,465 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak1"
Thu 18 Oct 2007 633,872 A.SH. --- "C:\WINDOWS\system32\mlnmp.bak2"
Thu 18 Oct 2007 6,505 ..SH. --- "C:\WINDOWS\system32\yycdd.bak1"
Wed 14 Nov 2007 3,109,928 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT5.tmp"
Sat 3 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT8.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Runu\Application Data\U3\temp\Launchpad Removal.exe"
Fri 30 Jul 2004 24,576 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0001.tmp"
Fri 30 Jul 2004 25,600 A..H. --- "C:\Documents and Settings\Runu\Desktop\runie\ELAN LOUNE\Phone Scripts\~WRL0379.tmp"

Finished!

You didn't ask for it but I thought I would add a new hijackthis log too

Logfile of HijackThis v1.99.1
Scan saved at 8:39:49 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks Again

Rich

peku006 · November 2007

Hi Rich
Do you know what these directories or programs are?
C:\WINDOWS\UnVudQ\oBpRxk.vbs

You currently are running HijackThis from here:
C:\HijackThis.exe

Please make a folder here:
C:\HJT
and place HijackThis in that folder.

DO NOT follow the steps below until you have moved HijackThis.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {69D07D42-E584-C273-F141-9B2B54E5D9C8} - (no file)
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O4 - HKLM\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKLM\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O4 - HKCU\..\Run: [Java (VM) v6.2] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i389-pp\jdk.bat
O4 - HKCU\..\Run: [Java (VM) v6.3] C:\WINDOWS\system32\jdk-1_5_0_12-windows-i390-pp\jav.bat
O20 - Winlogon Notify: fccyaxw - fccyaxw.dll (file missing)
O20 - Winlogon Notify: hggffff - hggffff.dll (file missing)
O20 - Winlogon Notify: iifcdaa - iifcdaa.dll (file missing)
O20 - Winlogon Notify: iifdbbx - iifdbbx.dll (file missing)
O20 - Winlogon Notify: iiffdab - iiffdab.dll (file missing)
O20 - Winlogon Notify: iiffgfc - iiffgfc.dll (file missing)
O20 - Winlogon Notify: mljkljk - mljkljk.dll (file missing)
O20 - Winlogon Notify: wvuturs - wvuturs.dll (file missing)
O23 - Service: DNS Logical Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\vcrr.exe
C:\WINDOWS\system32\jda.exe
C:\WINDOWS\system32\sdcrs.exe
C:\WINDOWS\system32\jxh.exe
C:\WINDOWS\system32\sdrasd.exe
C:\WINDOWS\system32\sdcd.exe
C:\WINDOWS\system32\jd.exe
C:\WINDOWS\kbclient39.dll
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\jsda.exe
C:\WINDOWS\system32\drivers\angajusx.dat
C:\WINDOWS\system32\drivers\qtfjjoln.dat
C:\WINDOWS\system32\sdcrd32.exe
C:\WINDOWS\System32\cewmdmf.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D07D42-E584-C273-F141-9B2B54E5D9C8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaxw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggffff]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcdaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbbx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffdab]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgfc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkljk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuturs]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

RichD · November 2007

Sorry Peku,

I have no idea what those files are. I haven't used this computer so have no knowledge of its past use. The bar has recently changed owner so its history is a little merky!

I will do the above tonight if I get chance. I wil move HJT too but I am just curious as to why it should not be run from C:\

Thanks for your help

peku006 · November 2007

Hi Rich
That UnVudQ\oBpRxk.vbs......... we remove it later

Put Hijackthis to its won folder; C:/Hijackthis/Hijackthis.exe This is importatnt for the backups!"

RichD · November 2007

Hi Peku,

Thanks, Logs attached.

ComboFix 07-11-08.3 - Runu 2007-11-17 12:16:54.2 - NTFSx86
Running from: C:\Documents and Settings\Runu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Runu\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\kbclient39.dll
C:\WINDOWS\System32\cewmdmf.dll
C:\WINDOWS\system32\drivers\angajusx.dat
C:\WINDOWS\system32\drivers\qtfjjoln.dat
C:\WINDOWS\system32\jd.exe
C:\WINDOWS\system32\jda.exe
C:\WINDOWS\system32\jsda.exe
C:\WINDOWS\system32\jxh.exe
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\sdcd.exe
C:\WINDOWS\system32\sdcrd32.exe
C:\WINDOWS\system32\sdcrs.exe
C:\WINDOWS\system32\sdrasd.exe
C:\WINDOWS\system32\vcrr.exe
C:\WINDOWS\system32\yycdd.bak1
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\kbclient39.dll
C:\WINDOWS\system32\jd.exe
C:\WINDOWS\system32\jda.exe
C:\WINDOWS\system32\jsda.exe
C:\WINDOWS\system32\jxh.exe
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\sdcd.exe
C:\WINDOWS\system32\sdcrd32.exe
C:\WINDOWS\system32\sdcrs.exe
C:\WINDOWS\system32\sdrasd.exe
C:\WINDOWS\system32\vcrr.exe
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\drivers\angajusx.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\qtfjjoln.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

\LEGACY_OWLKLFSH

\owlklfsh

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 11:49 <DIR> d

C:\HiJackThis
2007-11-14 20:16 51,200 --a

C:\WINDOWS\NirCmd.exe
2007-11-14 20:05 <DIR> d

C:\WINDOWS\ERUNT
2007-11-11 18:27 212,843 --a

C:\hijackthis_199.zip
2007-11-11 17:18 <DIR> d

C:\SmitfraudFix
2007-11-11 17:02 <DIR> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 16:45 1,043,074 --a

C:\SmitfraudFix.exe
2007-11-11 16:44 2,708 --a

C:\WINDOWS\system32\tmp.reg
2007-11-10 21:51 <DIR> d

C:\Documents and Settings\Staff\Application Data\AVG7
2007-11-06 16:26 <DIR> d

C:\WINDOWS\system32\LogFiles
2007-11-06 14:43 <DIR> d

C:\Program Files\Common Files\Adobe
2007-11-05 12:15 <DIR> d

C:\WINDOWS\Downloaded Installations
2007-11-05 12:15 <DIR> d

C:\Program Files\HP
2007-11-03 17:08 19,000 --a

C:\Documents and Settings\Runu\Application Data\GDIPFONTCACHEV1.DAT
2007-11-02 12:52 584,192

c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-02 03:00 <DIR> d--h

C:\WINDOWS\$hf_mig$
2007-10-31 20:27 221,184 --a

C:\WINDOWS\system32\wmpns.dll
2007-10-31 20:24 <DIR> d

C:\WINDOWS\provisioning
2007-10-31 20:24 <DIR> d

C:\WINDOWS\peernet
2007-10-31 20:19 <DIR> d

C:\WINDOWS\ServicePackFiles
2007-10-31 20:13 22,752 --a

C:\WINDOWS\system32\spupdsvc.exe
2007-10-31 20:06 <DIR> d

C:\WINDOWS\EHome
2007-10-27 00:06 11,776

C:\WINDOWS\system32\spnpinst.exe
2007-10-27 00:06 4,569

C:\WINDOWS\system32\secupd.dat
2007-10-26 23:47 9,600 -ra

C:\WINDOWS\system32\BUFADPT.SYS
2007-10-25 10:07 614,912 --a

C:\WINDOWS\system32\h323msp.dll
2007-10-25 10:07 331,264 --a

C:\WINDOWS\system32\ipnathlp.dll
2007-10-25 10:07 77,312 --a

C:\WINDOWS\system32\browser.dll
2007-10-25 10:07 40,960 --a

C:\WINDOWS\system32\mf3216.dll
2007-10-25 10:02 239,104 --a

C:\WINDOWS\system32\srrstr.dll
2007-10-25 10:00 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-10-25 10:00 26,112 --a

C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-23 19:23 <DIR> d

C:\WINDOWS\system32\bits
2007-10-21 19:45 <DIR> d

C:\Documents and Settings\Runu\Application Data\AVG7
2007-10-21 19:43 <DIR> d

C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-21 19:41 <DIR> d

C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-21 19:41 75,248 --a

C:\WINDOWS\zllsputility.exe
2007-10-21 19:40 1,086,952 --a

C:\WINDOWS\system32\zpeng24.dll
2007-10-21 13:59 <DIR> d

C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-21 13:32 438,784

C:\WINDOWS\system32\xpob2res.dll
2007-10-21 13:32 351,232 --a

C:\WINDOWS\system32\winhttp.dll
2007-10-21 13:32 18,944 --a

C:\WINDOWS\system32\qmgrprxy.dll
2007-10-21 13:32 8,192

C:\WINDOWS\system32\bitsprx2.dll
2007-10-21 13:32 7,168

C:\WINDOWS\system32\bitsprx3.dll
2007-10-21 13:29 549,720 --a

C:\WINDOWS\system32\wuapi.dll
2007-10-21 13:29 325,976 --a

C:\WINDOWS\system32\wucltui.dll
2007-10-21 13:29 203,096 --a

C:\WINDOWS\system32\wuweb.dll
2007-10-21 13:29 186,136 --a

C:\WINDOWS\system32\wuaueng1.dll
2007-10-21 13:29 167,704 --a

C:\WINDOWS\system32\wuauclt1.exe
2007-10-21 13:29 33,624 --a

C:\WINDOWS\system32\wups.dll
2007-10-19 18:36 <DIR> d

C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-19 18:11 <DIR> d

C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-19 18:09 4,212 ---h

C:\WINDOWS\system32\zllictbl.dat
2007-10-19 18:08 <DIR> d

C:\Program Files\Lavasoft
2007-10-19 18:08 <DIR> d

C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-19 18:08 11,264 --a

C:\WINDOWS\system32\SpOrder.dll
2007-10-19 18:04 <DIR> d

C:\WINDOWS\system32\ZoneLabs
2007-10-19 18:02 <DIR> d

C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 18:00 <DIR> d

C:\WINDOWS\Internet Logs
2007-10-18 22:49 <DIR> d-a

C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-18 22:48 626,688 --a

C:\WINDOWS\system32\msvcr80.dll
2007-10-18 22:36 <DIR> d

C:\Program Files\Google
2007-10-18 18:46 1,060,864 --a

C:\WINDOWS\system32\mfc71.dll
2007-10-18 18:46 499,712 --a

C:\WINDOWS\system32\msvcp71.dll
2007-10-18 18:46 348,160 --a

C:\WINDOWS\system32\msvcr71.dll
2007-10-18 18:46 89,088 --a

C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 19:24

d

w C:\Documents and Settings\Runu\Application Data\U3
2007-11-11 16:43

d

w C:\Program Files\Thomson
2007-11-11 13:47

d

w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-11 13:35

d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 14:08

d

w C:\Documents and Settings\Runu\Application Data\LimeWire
2007-11-02 14:05

d

w C:\Program Files\LimeWire
2007-10-10 04:50

d

w C:\Program Files\Java
2007-10-10 04:46

d

w C:\Program Files\Common Files\Java
2007-10-10 02:07

d

w C:\Program Files\Microsoft ActiveSync
2007-10-10 01:35

d

w C:\Documents and Settings\Runu\Application Data\Talkback
2007-10-10 01:06 17,792 ----a-w C:\WINDOWS\system32\drivers\angajusx.dat
2007-10-10 01:05 5,120 ----a-w C:\WINDOWS\system32\drivers\qtfjjoln.dat
2007-10-09 21:32

d

w C:\Program Files\Labtec
2007-10-09 21:32

d

w C:\Program Files\Common Files\InstallShield
2007-10-06 20:48

d

w C:\Program Files\SpeedTouch
2007-10-06 08:11

d

w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\UnVudQ\oBpRxk.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-14_20.30.57.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-19 21:52:18 8,453,632 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c----w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-27 22:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9FE5F57-A291-4F43-AEFF-70BDCF64D74F}]
C:\WINDOWS\System32\cewmdmf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 08:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 23:14]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 16:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2005-05-07 21:25:36]

R0 owlklfsh;owlklfsh;C:\WINDOWS\system32\drivers\angajusx.dat
R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
S4 DNS Logical Manager;DNS Logical Manager;"C:\WINDOWS\system32\svshost.exe"

*Newly Created Service* - OWLKLFSH

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Meta Enhancer 1.7]
C:\WINDOWS\nmfcom32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 12:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 12:27:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 20:31
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:33:35 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

peku006 · November 2007

Hi Rich
Looks much better

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {B9FE5F57-A291-4F43-AEFF-70BDCF64D74F} - C:\WINDOWS\System32\cewmdmf.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Please visit Virustotal

Click the Browse... button
Navigate to the file C:\WINDOWS\system32\drivers\angajusx.dat
Click the Open button
Click the Send button
Do the same for the following File:
C:\WINDOWS\system32\drivers\qtfjjoln.dat
Copy and paste the results back here please.

Please download ATF Cleaner by Atribune.

Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download Superantispyware (SAS) free home version

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
After reboot, double-click the SUPERAntispyware icon on your desktop
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

So in your next reply, please include the following:
VirusTotal results.
SUPERAntispyware.log
new HijackThis log
Please let me know how your pc is now.

peku006 · November 2007

Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the [url="http://icrontic.com/forum/forumdisplay.php?f=57]Spyware & Virus Removal Forum[/url]

If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead

HijackThis log for review please

Comments