Need Help Cleaning ISHOST.EXE
Hello there
I just sorta... kinda... made a rather dangerous gamble... and lost.
I downloaded an unknown program from an unknown site and then proceeded to install it on my computer... I'm just going to have to quote How I Met Your Mother and go with, "You should never make any decisions after 2am... nothing will ever come of it." Fortunately I came to my senses right after installing it and removed the internet connection, so it's trapped within the confines of my computer with only the 30k that came with it to play with.
So, I came across this great site on a secondary computer and noticed that your fine team has smacked the ISHOST malware out previously. I read through all of the posts I could find that I thought might be useful, but I've found that I can't really make enough sense of the log files that y'all request to do anything by myself.
Here's what I've done:
1. I unplugged the internet cable within 3 minutes of infection.
2. I read through many posts in these forums and a few others.
3. I downloaded and installed Ad-Aware SE Personal with the newest definitions found on the home page (r-1 I think?)
4. Scanned using Ad-Aware and quarantined the 505 tracking cookies, 2 Registry Keys Identified, and 1 Process Identified.
5. Downloaded and installed Hijack-this.
6. Ran Ad-Aware and Hijack-this once more and saved the logs.
I have kept my task manager open while I was doing all of this and noticed that ISHOST.EXE and ismini.exe keep alternating movement and occasionally IE7 will pop up a window saying that it's trying to access the web. Also, the XP Firewall was disabled immediately after I installed the program and I am unable to enable it, which was my first clue that something was wrong.
For organization and ease of reading I will now post the Ad-Aware log and Hijack-this log one after the other in separate posts.
I sincerely hope that somebody is able to offer assistance sometime in the near future and I thank you for your time! This is a great service!
-
Logfile of HijackThis v1.99.1
Scan saved at 3:56:58 AM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\High-Jack This\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzut.dll,startup
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160498708034
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
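A small triage script over the HijackThis log above, added here as an example and not a tool from this thread, from HijackThis, or from the helpers replying: it parses HijackThis entry lines and the running-process paths and flags entries with a few defender heuristics (a Windows binary name running outside %SystemRoot%, a Winlogon Notify package not on a stock XP SP2 allowlist, an unnamed BHO, a missing-file entry). The allowlists and rules are assumptions made for the example; a hit means "review this", not "malicious".

```python
import re

# One HijackThis entry line, e.g.  O4 - HKLM\..\Run: [Nclb] "C:\PROGRA~1\..." -vt yazb
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in .exe/.dll; tolerates spaces and 8.3 names (PROGRA~1)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)\b', re.IGNORECASE)

WINDOWS_DIR = "c:\\windows\\"
# Stock Windows binary names; the same name running from anywhere else is a
# classic masquerade (the SKS~1\msiexec.exe in the log is not the Windows Installer).
SYSTEM_BINARY_NAMES = {
    "msiexec.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}
# Winlogon Notify packages of a stock XP SP2 install (allowlist assumed for this
# example; extend it with third-party packages you have verified yourself).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def check_path(path: str) -> list[str]:
    """Rules that apply to any file path, whether from an O-entry or the process list."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIR):
        reasons.append(f"Windows binary name outside %SystemRoot%: {path}")
    return reasons


def triage_line(line: str) -> list[str]:
    """Return the review reasons for one log line; an empty list means nothing to flag."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    kind, body = (m.group("kind"), m.group("body")) if m else ("", line)
    reasons = []
    for path in PATH_RE.findall(body):
        reasons.extend(check_path(path))
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        # Notify DLLs load into winlogon.exe at every logon, which makes them a
        # favourite persistence spot; anything not stock goes to the review pile.
        package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if package not in KNOWN_NOTIFY:
            reasons.append(f"non-stock Winlogon Notify package: {package}")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if "(file missing)" in body:
        reasons.append("stale entry: target file missing")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons, in log order."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


# Constructed sample: a handful of lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\ishost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Note that ishost.exe itself is not flagged, which is the point: heuristics like these shorten the list an analyst reads, they do not replace the analyst or a signature-based tool such as the SmitfraudFix run later in this thread.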
0 -
Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, December 13, 2006 3:40:44 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R139 12.12.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):30 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
12-13-2006 3:40:44 AM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\Aaron\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\Aaron\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description : list of recent documents opened by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
MRU List Object Recognized!
Location: : S-1-5-21-583907252-1303643608-839522115-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 460
ThreadCreationTime : 12-13-2006 2:45:03 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 12-13-2006 2:45:06 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 12-13-2006 2:45:06 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 740
ThreadCreationTime : 12-13-2006 2:45:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 12-13-2006 2:45:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 916
ThreadCreationTime : 12-13-2006 2:45:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 964
ThreadCreationTime : 12-13-2006 2:45:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1004
ThreadCreationTime : 12-13-2006 2:45:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1088
ThreadCreationTime : 12-13-2006 2:45:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1120
ThreadCreationTime : 12-13-2006 2:45:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [brsvc01a.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1428
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : brother Industries Ltd brsvc01a
CompanyName : brother Industries Ltd
FileDescription : brsvc01a
InternalName : brsvc01a
LegalCopyright : Copyright © Brother Industries, Ltd 2001
OriginalFilename : brsvc01a.exe
#:12 [brss01a.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1444
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 1.004
ProductVersion : 1, 0, 0, 4
ProductName : brother Industries Ltd brss01a.exe
CompanyName : brother Industries Ltd
FileDescription : brss01a.exe
InternalName : brss01a.exe
LegalCopyright : Copyright ? 2001
OriginalFilename : brss01a.exe
Comments : Brsplproc XP wrapper
#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1452
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:14 [lssrvc.exe]
FilePath : C:\Program Files\Common Files\LightScribe\
ProcessID : 1648
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 1.4.52.1
ProductName : LightScribe
CompanyName : Hewlett-Packard Company
LegalCopyright : © Copyright 2003-2005 Hewlett-Packard Development Company, LP
OriginalFilename : LSSrvc.exe
#:15 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 1688
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe
#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1712
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 6.14.10.8466
ProductVersion : 6.14.10.8466
ProductName : NVIDIA Driver Helper Service, Version 84.66
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 84.66
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:17 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1764
ThreadCreationTime : 12-13-2006 2:45:09 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:18 [rthdcpl.exe]
FilePath : C:\WINDOWS\
ProcessID : 1024
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
FileVersion : 2.0.4.4
ProductVersion : 2.0.4.4
ProductName : Realtek HD Audio Sound Effect Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek HD Audio Control Panel
LegalCopyright : Copyright © 2004 Realtek Semiconductor Corp.
OriginalFilename : RTHDCPL.EXE
#:19 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1188
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
#:20 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1196
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe
#:21 [mouse32a.exe]
FilePath : C:\Program Files\GE\98056 Keyboard and Mouse\
ProcessID : 1208
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
FileVersion : 3.0.1.0
ProductVersion : 3.0.0.0
LegalCopyright : Copyright 2001 by LEE,WEI-BIN.
#:22 [kbdap32a.exe]
FilePath : C:\Program Files\GE\98056 Keyboard and Mouse\
ProcessID : 1244
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
FileVersion : 2.9.1.0
ProductVersion : 2.0.0.0
FileDescription : Multi-Media Keyboard Application
LegalCopyright : Copyright 2001 by LEE,WEI-BIN.
#:23 [daemon.exe]
FilePath : C:\Program Files\DAEMON Tools\
ProcessID : 1240
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
#:24 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_09\bin\
ProcessID : 1304
ThreadCreationTime : 12-13-2006 2:45:15 AM
BasePriority : Normal
#:25 [trillian.exe]
FilePath : C:\Program Files\Trillian\
ProcessID : 1872
ThreadCreationTime : 12-13-2006 2:50:13 AM
BasePriority : Normal
FileVersion : 3.1.0.121
ProductVersion : 3.1.0.121
ProductName : Trillian
CompanyName : Cerulean Studios
FileDescription : Trillian
InternalName : Trillian
LegalCopyright : © Cerulean Studios, LLC. All rights reserved.
OriginalFilename : Trillian.exe
#:26 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3528
ThreadCreationTime : 12-13-2006 10:04:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe
#:27 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1912
ThreadCreationTime : 12-13-2006 10:05:52 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:28 [msiexec.exe]
FilePath : C:\PROGRA~1\COMMON~1\SKS~1\
ProcessID : 1984
ThreadCreationTime : 12-13-2006 10:06:25 AM
BasePriority : Normal
#:29 [ismini.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1464
ThreadCreationTime : 12-13-2006 10:06:29 AM
BasePriority : Normal
#:30 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2612
ThreadCreationTime : 12-13-2006 10:13:20 AM
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe
#:31 [ishost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2172
ThreadCreationTime : 12-13-2006 11:17:55 AM
BasePriority : Normal
#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2356
ThreadCreationTime : 12-13-2006 11:27:48 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 30
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 30
3:50:42 AM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:57.891
Objects scanned:181324
Objects identified:0
Objects ignored:0
New critical objects:0
0 -
Hello, jardonblackbane & Welcome
Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
( Do not run it Yet )
Download ATF (Atribune Temp File) Cleaner© by Atribune
Download and Install AVG Anti-Spyware© by Grisoft
Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware
( Do not run it Yet)
Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.
Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually.
When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.
Please post the new rapport.txt log along with a new HijackThis log in your next reply.
Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program
Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time
Once the scan is complete do the following :
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Now close AVG Anti-Spyware
Reboot into Normal Mode
Please run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button (be sure to disable your popup blocker first)
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Click on see report Then click Save report
Post a fresh HijackThis log, the AVG Anti-Spyware log and the Panda Scan log here
(You may need to use several replies as the logs may be cut off)
Gogo
0 -
HJThis,
Thanks a lot for the swift and informative reply!
I've completed all of the steps up to running the AVG scan, all while keeping that computer offline. You seem to have requested the rapport log and HijackThis log prior to the cleaning scans, so I've prepared them for upload. It looks like the visible culprits were taken out (ismini and ISHOST), but IE7 is still attempting to connect to the web by itself, so there must be more hidden. Hopefully we can track it down before I reconnect to do the PandaLive Scan.
Here is the rapport.txt log, HijackThis will follow:
SmitFraudFix v2.130
Scan done at 10:04:25.35, Wed 12/13/2006
Run from C:\Documents and Settings\Aaron\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
0 -
Logfile of HijackThis v1.99.1
Scan saved at 10:17:38 AM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\High-Jack This\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160498708034
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Hi, jardonblackbane
Yes you have more to do please.
First have a look in Control Panel > Add/Remove Programs and look for this item: Bar888. If it is there, Uninstall/Remove it.
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis
Gogo
0 -
Logfile of HijackThis v1.99.1
Scan saved at 11:28:36 AM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\High-Jack This\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160498708034
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
HJThis,
Alright, just completed all that you have suggested except for the PandaLive Scan. The AVG scan found 42 infected items and quarantined them; I have a log file coming up next from that. VundoFix found 1 file and disposed of it without a problem. HijackThis found all of the files that you listed except for winrkp32 and was able to delete all but the xxyxywt entries; I have a current log for this as well.
Next up, AVG log followed by HijackThis log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:06:39 AM 12/13/2006
+ Scan result:
HKU\S-1-5-21-583907252-1303643608-839522115-1003\Software\ToolBar -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-583907252-1303643608-839522115-1003\Software\ToolBar\all -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-583907252-1303643608-839522115-1003\Software\ToolBar\all\History -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@planetfungames.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@ad.admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@news.com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@ehg-csaa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@ehg-viacom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\aaron@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Aaron\Desktop\9.28.06.Tinkerer.Backup\9.28.06.Tinkerer.Backup\Cookies\monkey@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
0 -
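The helper's method above is to compare successive HijackThis logs by eye: which of the listed entries the fix removed, and which are still there after a reboot. Here is an added Python example that does that comparison; it is not part of the thread or of HijackThis, and its two sample logs are constructed from excerpts of the 10:17 and 11:28 logs posted above.

```python
"""Diff two HijackThis logs to see which flagged entries a fix actually removed.

Added example for this thread; it is not part of HijackThis. The sample logs
are constructed from excerpts of the 10:17 and 11:28 logs posted above.
"""
import re

# Every HijackThis finding is an "Onn - ..." line; everything else in the log
# (header, "Running processes:" paths) is ignored by the parser.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def _norm(line: str) -> str:
    """Collapse whitespace and case so a re-scan yields an identical key."""
    return " ".join(line.split()).lower()


def parse_log(text: str) -> dict:
    """Return {normalised entry: raw line} for each O-section line in a log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[_norm(line)] = line
    return entries


def diff_logs(before: str, after: str, targets: list) -> tuple:
    """Check the entries a helper asked to fix against the log taken afterwards.

    Returns (removed, persisting, not_present): targets that disappeared,
    targets still listed after the fix (the usual sign of a self-reloading
    DLL such as a Vundo/Virtumonde BHO), and targets never seen in the
    'before' log at all.
    """
    b, a = parse_log(before), parse_log(after)
    removed, persisting, not_present = [], [], []
    for t in targets:
        k = _norm(t)
        if k not in b:
            not_present.append(t)
        elif k in a:
            persisting.append(t)
        else:
            removed.append(t)
    return removed, persisting, not_present


def new_entries(before: str, after: str) -> list:
    """Lines present only in the later log: a re-dropped or renamed component."""
    b, a = parse_log(before), parse_log(after)
    return [a[k] for k in a if k not in b]


# Constructed excerpt of the log posted before VundoFix / Fix Checked.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:17:38 AM, on 12/13/2006
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
"""

# Constructed excerpt of the log posted after those steps.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:28:36 AM, on 12/13/2006
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
"""

# The six lines the helper asked to have fixed.
TARGETS = [
    r"O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll",
    r"O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll",
    r"O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38ADB~1\Bar888.dll",
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll",
    r"O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll",
]

if __name__ == "__main__":
    removed, persisting, missing = diff_logs(BEFORE_LOG, AFTER_LOG, TARGETS)
    print("removed:", *removed, sep="\n  ")
    print("still present (needs another approach):", *persisting, sep="\n  ")
    print("never seen in the first log:", *missing, sep="\n  ")
    print("new since first log:", *new_entries(BEFORE_LOG, AFTER_LOG), sep="\n  ")
```

On the sample data the two xxyxywt entries come back as persisting, which is exactly what the user reports next.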
Hi, jardonblackbane
View hidden files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis
Restart your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe Mode.
- Login on your usual account.
If you need further assistance with Safe Mode, see Symantec
Once in Safe Mode, do a file search for this file; if found, delete it.
C:\WINDOWS\SYSTEM32\xxyxywt.dll<---This file
Reboot, show me one more logfile and give me feedback on how the PC is doing.
Gogo
0 -
HJThis,
Tried to respond to this before I had to leave, but I ran outta time
I made certain that the Hide protected operating system files (recommended) was unchecked, then I ran HijackThis and selected only those two files for fixing. Next I closed HijackThis and booted up in Safe Mode to delete the file, but every attempt stated that the file was in use. I could make it visible... even find it in the Safe Mode Command prompt, but I couldn't find any way to remove it.
Any other ideas?
0 -
Still struggling with this. Anybody have any ideas what else I can try for removing this file? HijackThis' Fix It doesn't seem to work for this issue.
0 -
Hi, jardonblackbane
Hmm, ok, do this for me first; let's see what, if anything, comes back at us.
Please go to this site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Choose'
Click the choose button and browse to this file:
C:\WINDOWS\SYSTEM32\xxyxywt.dll
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
Gogo
0 -
Great to hear from ya HJThis! Here's the info you requested:
Complete scanning result of "xxyxywt.dll", received in VirusTotal at 12.15.2006, 17:37:31 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.15 12.15.2006 ADSPY/Froeste
Authentium 4.93.8 12.14.2006 no virus found
Avast 4.7.892.0 12.15.2006 no virus found
AVG 386 12.15.2006 Adware Generic.SHM
BitDefender 7.2 12.15.2006 Trojan.Virtumod.DF
CAT-QuickHeal 8.00 12.15.2006 no virus found
ClamAV devel-20060426 12.15.2006 no virus found
DrWeb 4.33 12.15.2006 Trojan.Virtumod
eSafe 7.0.14.0 12.14.2006 no virus found
eTrust-InoculateIT 23.73.86 12.15.2006 Win32/Chisyne.5sd!DLL!Trojan
eTrust-Vet 30.3.3252 12.15.2006 Win32/Chisyne!generic
Ewido 4.0 12.15.2006 Adware.Virtumonde
Fortinet 2.82.0.0 12.15.2006 Adware/Virtumonde
F-Prot 3.16f 12.14.2006 no virus found
F-Prot4 4.2.1.29 12.14.2006 no virus found
Ikarus T3.1.0.26 12.15.2006 not-a-virus:AdWare.Win32.Virtumonde.fn
Kaspersky 4.0.2.24 12.15.2006 not-a-virus:AdWare.Win32.Virtumonde.fn
McAfee 4920 12.15.2006 no virus found
Microsoft 1.1804 12.15.2006 no virus found
NOD32v2 1924 12.15.2006 no virus found
Norman 5.80.02 12.15.2006 W32/Virtumonde.TE
Panda 9.0.0.4 12.15.2006 Spyware/Virtumonde
Prevx1 V2 12.15.2006 SpywareQuake
Sophos 4.12.0 12.14.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
TheHacker 6.0.3.132 12.14.2006 Adware/Virtumonde.fn
UNA 1.83 12.14.2006 Adware.Virtumonde.4CF5
VBA32 3.11.1 12.14.2006 Trojan.Virtumod
VirusBuster 4.3.19:9 12.15.2006 no virus found
Aditional Information
File size: 40973 bytes
MD5: 79176bc815f90ee7e00a5160940bcd03
SHA1: db0a0f049c11700944cb6e0690534c0981776f5d
packers: PECRYPT
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=cb0b57802336
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
0 -
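An added Python example, not VirusTotal's own code, that reads a plain-text result like the one pasted above into a detection ratio, the family name most engines agree on, and the file hashes worth keeping once the sample is quarantined; the sample input is the table posted above, embedded inline as a constructed string.

```python
"""Summarise a plain-text VirusTotal result pasted into a forum reply.

Added example; not VirusTotal's own code. SAMPLE is the 2006 result table
posted above, embedded inline as a constructed string.
"""
import re
from collections import Counter

NO_DETECTION = "no virus found"
# Engine name, version and update date contain no spaces; the verdict may.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")
# Category words that say what kind of thing it is, not which family; they
# are skipped when looking for the name most engines agree on.
GENERIC = {"adware", "adspy", "spyware", "trojan", "win32", "w32", "generic",
           "dll", "not", "a", "virus", "suspicious"}


def parse_results(text: str) -> list:
    """Turn the 'Antivirus Version Update Result' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, "Aditional Information", hashes, links
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": result,
                     "detected": result.strip().lower() != NO_DETECTION})
    return rows


def detection_ratio(rows: list) -> tuple:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r["detected"]), len(rows)


def family_consensus(rows: list, top: int = 3) -> list:
    """Most frequent family tokens across verdicts, e.g. [('virtumonde', 8), ...].

    Vendors spell families differently (Virtumonde vs Virtumod), so each
    spelling is counted on its own; a token is counted once per engine.
    """
    counts = Counter()
    for r in rows:
        if not r["detected"]:
            continue
        tokens = set(re.split(r"[^a-z0-9]+", r["result"].lower())) - GENERIC
        counts.update(t for t in tokens if t)
    return counts.most_common(top)


def file_hashes(text: str) -> dict:
    """Pull the MD5/SHA1 lines so the sample can be tracked after quarantine."""
    found = {}
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


SAMPLE = """Complete scanning result of "xxyxywt.dll", received in VirusTotal at 12.15.2006, 17:37:31 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.15 12.15.2006 ADSPY/Froeste
Authentium 4.93.8 12.14.2006 no virus found
Avast 4.7.892.0 12.15.2006 no virus found
AVG 386 12.15.2006 Adware Generic.SHM
BitDefender 7.2 12.15.2006 Trojan.Virtumod.DF
CAT-QuickHeal 8.00 12.15.2006 no virus found
ClamAV devel-20060426 12.15.2006 no virus found
DrWeb 4.33 12.15.2006 Trojan.Virtumod
eSafe 7.0.14.0 12.14.2006 no virus found
eTrust-InoculateIT 23.73.86 12.15.2006 Win32/Chisyne.5sd!DLL!Trojan
eTrust-Vet 30.3.3252 12.15.2006 Win32/Chisyne!generic
Ewido 4.0 12.15.2006 Adware.Virtumonde
Fortinet 2.82.0.0 12.15.2006 Adware/Virtumonde
F-Prot 3.16f 12.14.2006 no virus found
F-Prot4 4.2.1.29 12.14.2006 no virus found
Ikarus T3.1.0.26 12.15.2006 not-a-virus:AdWare.Win32.Virtumonde.fn
Kaspersky 4.0.2.24 12.15.2006 not-a-virus:AdWare.Win32.Virtumonde.fn
McAfee 4920 12.15.2006 no virus found
Microsoft 1.1804 12.15.2006 no virus found
NOD32v2 1924 12.15.2006 no virus found
Norman 5.80.02 12.15.2006 W32/Virtumonde.TE
Panda 9.0.0.4 12.15.2006 Spyware/Virtumonde
Prevx1 V2 12.15.2006 SpywareQuake
Sophos 4.12.0 12.14.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
TheHacker 6.0.3.132 12.14.2006 Adware/Virtumonde.fn
UNA 1.83 12.14.2006 Adware.Virtumonde.4CF5
VBA32 3.11.1 12.14.2006 Trojan.Virtumod
VirusBuster 4.3.19:9 12.15.2006 no virus found
Aditional Information
File size: 40973 bytes
MD5: 79176bc815f90ee7e00a5160940bcd03
SHA1: db0a0f049c11700944cb6e0690534c0981776f5d
packers: PECRYPT
"""

if __name__ == "__main__":
    rows = parse_results(SAMPLE)
    print("detections: %d/%d" % detection_ratio(rows))
    print("families:", family_consensus(rows))
    print("hashes:", file_hashes(SAMPLE))
```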
Hey, jardonblackbane
Ok, I think I know why they are still here: you missed doing this for me.
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Gogo
0 -
HJThis,
I actually ran that before and removed the 1 file it found. Just ran it again and it's not finding any infected files. I'm using version 6.2.13.
0 -
Hi, jardonblackbane
Odd. Do this here, please, and let us know.
Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your Desktop.
Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button,which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:
C:\WINDOWS\SYSTEM32\xxyxywt.dll
Open 'File' in the menu on top and choose Paste from clipboard
You must use the File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click Yes.
Click OK at any Pending File Rename Operations prompt, let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.
Please make sure to boot your computer into Safe Mode, by pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.
Gogo
0 -
HJThis,
Alright, finally had time to d/l and run the Killbox program. Followed your instructions and received a Dialog box with the message
PendingFileRenameOperations Registry Data has been Removed by External Process!
When I press "OK" in that box it returns to the Killbox program without rebooting.
0 -
Logfile of HijackThis v1.99.1
Scan saved at 8:54:04 PM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\High-Jack This\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\xxyxywt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160498708034
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O20 - Winlogon Notify: xxyxywt - C:\WINDOWS\SYSTEM32\xxyxywt.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Hi, jardonblackbane
Please show me new HijackThis logfile.
Gogo
0 -
Hi, jardonblackbane
Please download VirtumondoBegone to your desktop. This needs to be run in Safemode
Restart your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe Mode.
- Login on your usual account.
If you need further assistance with Safe Mode, see Symantec
Doubleclick on VirtumundoBeGone.exe and follow the instructions.
Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply.
And could you also run AVG anti-spyware for me.
Gogo
0 -
HJThis,
I can't find VirtumondoBegone in the link that you provided.
0 -
Hey, Bud
Sorry, I don't do too well when it comes to links.
Try the link now, it should work.
Gogo
0 -
Sorry, I don't do too well when it comes to links. Try the link now, it should work.
Heh, np. Got it, and it looks like that may have done it. Ran it in Safe Mode and when it rebooted I checked the System32 folder for the .dll file. The xxyxywt.dll file has been renamed to xxyxywt.dll.vir! Running the AVG scan you requested and will upload that as soon as it finishes.
I have not physically attempted removing the xxyxywt.dll.vir file yet, since I'm trying not to do any actions without first clearing it with you. Will this be picked up by one of the other programs that I'm running or should I just delete the bugger?
0 -
HJThis,
Alright, the AVG scan just completed and the report shows the scan time/info followed by, "Nothing Found". Didn't think there was any use in adding the report here but I can if you think it will be helpful.
The connection attempts seem to have stopped since running the Virtumondo program, but I'm still unable to turn my Windows XP Firewall back on. There's still something lingering in here somewhere.
0 -
Hey, jardonblackbane
Great to hear it! If you can, show me one more HijackThis logfile.
As for the firewall, please don't use the WinXP Firewall; it stops things from going in but not out. You would be better off with, say, ZoneAlarm Free. Once I see the last logfile I have one last step for you to take, and in the last step I have a link for some great free firewalls.
Gogo
0 -
HJThis,
Hmm, kk. I'd be willing to give a different firewall a try, but the problems with the XP firewall started at the exact time I installed these viruses. Since I'm unable to reactivate it, doesn't that mean that there are still infected files preventing it?
Here's the latest HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:23 PM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\High-Jack This\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\GE\98056 Keyboard and Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\GE\98056 Keyboard and Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Nclb] "C:\PROGRA~1\COMMON~1\SKS~1\msiexec.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160498708034
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
0 -
Hi, jardonblackbane
Hmm, good point, but I can only go by what I see in the logfiles,
and I don't see anything in this last logfile.
But let me ask: what happens when you try to use the
WinXP Firewall? Do you get any errors, or will it start and then
stop? And how are you going about turning it back on?
Give me some feedback as to what you are trying
with the firewall so I may look something up for you,
but I don't think you have anything more on the PC.
You know let's give this a try maybe we can pick something up.
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any were found, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.
Gogo
0 -
HJThis,
When I press the bubble warning in the XP Security Center I get a message that states that the Security Center could not enable it and then it requests that I attempt enabling it from the Windows Firewall in the Control Panel. When I double click the Windows Firewall in the Control Panel I get a message that reads:
Due to an unidentified problem, Windows cannot display Windows Firewall Settings.
Here is that log you requested:
12/19/06 19:58:01 [info]: BlackLight Engine 1.0.47 initialized
12/19/06 19:58:01 [info]: OS: 5.1 build 2600 (Service Pack 2)
12/19/06 19:58:01 [Note]: 7019 4
12/19/06 19:58:01 [Note]: 7005 0
12/19/06 19:58:09 [Note]: 7006 0
12/19/06 19:58:09 [Note]: 7011 1948
12/19/06 19:58:09 [Note]: 7026 0
12/19/06 19:58:10 [Note]: 7026 0
12/19/06 19:58:14 [Note]: FSRAW library version 1.7.1020
12/19/06 20:02:15 [Note]: 2000 1012
12/19/06 20:15:55 [Note]: 7007 0
0 -
Hey, jardonblackbane
First
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
Next
NOTE: You may need to right click and Save As
Download sharedaccess.reg (only for systems running Windows XP Service Pack 2) and save to Desktop. Then double-click the file to merge the contents to the registry. The Services entry will be created. Restart Windows (mandatory step, otherwise the following NETSH command will display an error message).
After restarting Windows, run this from Command Prompt (cmd.exe):
NETSH FIREWALL RESET
Launch firewall applet from Control Panel, and then configure your Windows Firewall settings.
Tell me if this was any help to you.
Gogo
0 -
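An added check for the repair step above, written for this thread and not part of either poster's instructions: a cmd batch script that takes the same full registry backup, then verifies that the SharedAccess service entry (the one sharedaccess.reg recreates) actually exists before running the reset. It assumes Windows XP SP2, and that sharedaccess.reg has already been merged and the machine rebooted if the key turns out to be missing.

```batch
@echo off
REM Added example, not from the thread: diagnose a Windows XP SP2 firewall
REM that "cannot display Windows Firewall Settings" by checking the
REM SharedAccess (Windows Firewall/ICS) service before resetting it.

REM 1. Full registry backup, exactly as the helper suggests. regedit returns
REM    at once; wait for the hourglass to clear before continuing.
regedit /e c:\registrybackup.reg

REM 2. Does the service's registry entry exist at all? In this thread the
REM    firewall only came back once that entry was recreated, so a missing
REM    key is the first thing to rule out.
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess >nul 2>&1
if errorlevel 1 (
    echo SharedAccess key is missing: merge sharedaccess.reg, reboot, then rerun this script.
    exit /b 1
)

REM 3. Show the configured start type and binary path. On XP SP2 the service
REM    normally runs inside svchost.exe -k netsvcs; anything else is worth
REM    a closer look before trusting the firewall again.
sc qc SharedAccess

REM 4. Current state. STOPPED while the key exists points at a start-type or
REM    dependency problem rather than a missing entry.
sc query SharedAccess

REM 5. Reset the firewall to defaults and make sure the service is running,
REM    then open the Control Panel applet to configure it.
netsh firewall reset
net start SharedAccess
```

If step 2 reports the key missing, stop there: netsh firewall reset cannot work without the service entry, which is why the thread insists on the reboot after merging the .reg file.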
HJThis,
Yay! That did it.
Thanks a lot for all the wonderful assistance! I would probably have had to resort to a reformat without you.
I'm going to run that Panda Anti-Virus scan now, as requested before, because I'm a lot more comfortable going online now. I would be very interested in hearing your suggestions for a better firewall than the XP version and I thank you again for your time and expertise!
0