
10 Posts
Discussion Starter · #1 ·
Hi All,

Having problems with Sysprotect, System Doctors and WinAntiVirusPro 2006 popups.

Have run Spybot - Search & Destroy and a-squared Security Center, which removed some files, but the problem is still there.

Have downloaded VundoFix.exe and run it... see the VundoFix log and HijackThis log below.

I have tried updating Windows but it is not working.

Any help would be appreciated. Thanks, N.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:37, on 31/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Tom King\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DF15F63D] C:\WINDOWS\System32\mlsdf8h6781714.exe
O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D677FD-3DD0-4CCC-A80C-83F881A4CE5E}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
O23 - Service: Remote Windows Services - Unknown owner - C:\WINDOWS\system32\vcmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-----------------------------------------------------------------------------------------------

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:07:58 29/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 19:29:38 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\pmklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.tmp
C:\WINDOWS\System32\klkmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 21:32:12 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\pmnop.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.bak1
C:\WINDOWS\System32\ponmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:40:21 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\hgggf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.bak1
C:\WINDOWS\System32\fgggh.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
 

4,699 Posts
Go to the folder where Hijackthis is kept and rename the hijackthis application to "showme". This can be done by right clicking on the program and clicking "rename". Press enter, then open "showme.exe" by double clicking. Post a new Hijackthis log from the newly named application.
 

10 Posts
Discussion Starter · #3 ·
Hi,

Have the exe saved onto the desktop, renamed it to showme.exe... here is the new log.

Cheers, N.

Logfile of HijackThis v1.99.1
Scan saved at 19:41:41, on 31/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\salvage.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - C:\WINDOWS\System32\hgghihg.dll
O2 - BHO: (no name) - {06DB96CF-D269-4A02-861F-20421F97EC9C} - C:\WINDOWS\System32\vtust.dll
O2 - BHO: (no name) - {1E9C1A0B-4B36-4789-9420-37CA83C2B9C8} - C:\WINDOWS\System32\pmnop.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6094B2FC-461F-44E8-A206-469EE08D6492} - C:\WINDOWS\System32\pmklk.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\gitfmbsb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9FD4F985-49D4-45B1-AD48-6BCCAEF5119B} - C:\WINDOWS\System32\hgggf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DF15F63D] C:\WINDOWS\System32\mlsdf8h6781714.exe
O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D677FD-3DD0-4CCC-A80C-83F881A4CE5E}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hgghihg - C:\WINDOWS\SYSTEM32\hgghihg.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: vtust - C:\WINDOWS\System32\vtust.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
O23 - Service: Remote Windows Services - Unknown owner - C:\WINDOWS\system32\vcmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

4,699 Posts
Hello there and welcome to TSG's security forum. :up:
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions.
There is a possibility some of the instructions will need to be carried out where internet access is not available.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and that you don't miss out any steps.
If you have any queries about the process or just general questions, just ask.

You have a Troj/Spabot-O infection, you have this file on your system: rpcc.dll. This infection:
1) Allows others to access the computer
2) Uses its own emailing engine
3) Downloads code from the internet
4) Installs itself in the Registry

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords: for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right-click inside the listbox (white box) and click "add more files"
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINDOWS\System32\vtust.dll
--> C:\WINDOWS\SYSTEM32\hgghihg.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

David
 
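As an added example (not from the thread, and not HijackThis or VundoFix code), here is a small Python triage pass over HijackThis-format lines that applies the checks the helper relies on above: orphaned BHO registrations, Winlogon Notify DLLs, services with no vendor or a missing binary, RunServices autostarts, and filenames one edit away from a genuine system binary (the svcchost.exe / spoolsc.exe pattern). The sample lines are constructed from entries quoted in this thread, and the SYSTEM_NAMES list is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99 log format, modelled on the entries
# quoted in this thread (clean Symantec/Norton lines mixed with suspicious
# ones). It is not a real log capture.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {7000908F-9872-40B7-ADC6-3F6DBBEA90B0} - C:\WINDOWS\System32\vtust.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: TCP Spooler Service - Unknown owner - C:\WINDOWS\system32\spoolsc.exe
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
"""

# Assumed list of genuine Windows binaries whose names malware imitates; the
# thread's svcchost.exe and spoolsc.exe are each one edit away from one of these.
SYSTEM_NAMES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "winlogon.exe")

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    reasons: List[str]
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary this name imitates, if it differs by one edit."""
    name = filename.lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


def exe_name(command: str) -> str:
    """Extract the bare executable name from a path, quoted or with arguments."""
    tail = command.strip().lstrip('"').rsplit("\\", 1)[-1]
    return tail.split('"')[0].split(" ")[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" paths, blanks
        section, body = m.groups()
        missing = body.endswith(MISSING)
        body = body[: -len(MISSING)].strip() if missing else body
        target = body.rsplit(" - ", 1)[-1]  # last field is the file path
        reasons = []
        if section == "O2":
            if missing:
                reasons.append("BHO still registered for a DLL that no longer exists")
            if "(no name)" in body and "\\system32\\" in target.lower():
                reasons.append("unnamed BHO loading straight from System32")
        elif section == "O4":
            command = body.split("] ", 1)[-1]  # "[key] command" form
            real = lookalike_of(exe_name(command))
            if real:
                reasons.append(f"autostart name imitates {real}")
            if "RunServices" in body:
                reasons.append("uses the Windows 9x-era RunServices key")
        elif section == "O20":
            reasons.append("Winlogon Notify DLL is loaded by winlogon.exe; verify its publisher")
        elif section == "O23":
            # "Service: <name> - <owner> - <path>"
            owner = body.rsplit(" - ", 2)[1] if body.count(" - ") >= 2 else ""
            if owner == "Unknown owner":
                reasons.append("service binary has no identified vendor")
            if missing:
                reasons.append("service points at a binary that is missing")
            real = lookalike_of(exe_name(target))
            if real:
                reasons.append(f"service binary name imitates {real}")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

The checks are heuristics for prioritising what to look at, not a verdict; a flagged entry still needs the file checked against its vendor before it is fixed or deleted.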

10 Posts
Discussion Starter · #5 ·
Hi David,

Firstly, I really appreciate your help on this, Thank you.

I had run VundoFix before I posted here; those runs are in the log too.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 18:39:03, on 01/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\svcchost.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - C:\WINDOWS\System32\hgghihg.dll (file missing)
O2 - BHO: (no name) - {1E9C1A0B-4B36-4789-9420-37CA83C2B9C8} - C:\WINDOWS\System32\pmnop.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6094B2FC-461F-44E8-A206-469EE08D6492} - C:\WINDOWS\System32\pmklk.dll (file missing)
O2 - BHO: (no name) - {7000908F-9872-40B7-ADC6-3F6DBBEA90B0} - C:\WINDOWS\System32\vtust.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\gitfmbsb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9FD4F985-49D4-45B1-AD48-6BCCAEF5119B} - C:\WINDOWS\System32\hgggf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DF15F63D] C:\WINDOWS\System32\mlsdf8h6781714.exe
O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TCP Spooler Service - Unknown owner - C:\WINDOWS\system32\spoolsc.exe

-------------------------------------------------------------------------------------------

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:07:58 29/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 19:29:38 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\pmklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.tmp
C:\WINDOWS\System32\klkmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 21:32:12 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\pmnop.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.bak1
C:\WINDOWS\System32\ponmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:40:21 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\hgggf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.bak1
C:\WINDOWS\System32\fgggh.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 18:28:50 01/01/2007

Listing files found while scanning....

C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\tsutv.ini
C:\WINDOWS\System32\tsutv.bak1
C:\WINDOWS\System32\tsutv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\vtust.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.ini
C:\WINDOWS\System32\tsutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.bak1
C:\WINDOWS\System32\tsutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.bak2
C:\WINDOWS\System32\tsutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hgghihg.dll
C:\WINDOWS\SYSTEM32\hgghihg.dll Has been deleted!

Performing Repairs to the registry.
Done!
 

4,699 Posts
Hello there, you're welcome for the help! :up:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - C:\WINDOWS\System32\hgghihg.dll (file missing)
O2 - BHO: (no name) - {1E9C1A0B-4B36-4789-9420-37CA83C2B9C8} - C:\WINDOWS\System32\pmnop.dll (file missing)
O2 - BHO: (no name) - {6094B2FC-461F-44E8-A206-469EE08D6492} - C:\WINDOWS\System32\pmklk.dll (file missing)
O2 - BHO: (no name) - {7000908F-9872-40B7-ADC6-3F6DBBEA90B0} - C:\WINDOWS\System32\vtust.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\gitfmbsb.dll
O2 - BHO: (no name) - {9FD4F985-49D4-45B1-AD48-6BCCAEF5119B} - C:\WINDOWS\System32\hgggf.dll (file missing)
O4 - HKLM\..\Run: [DF15F63D] C:\WINDOWS\System32\mlsdf8h6781714.exe
O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...cabinstall.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
O23 - Service: TCP Spooler Service - Unknown owner - C:\WINDOWS\system32\spoolsc.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\System32\gitfmbsb.dll
C:\WINDOWS\System32\mlsdf8h6781714.exe
C:\WINDOWS\System32\rsy32.exe
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\system32\spoolsc.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the File menu: pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Open notepad and copy and paste the following text in the quote box into the window:
sc stop "TCP Spooler Service"
sc delete "TCP Spooler Service"
sc stop "ov2jusaqzu"
sc delete "ov2jusaqzu"
Save this as fix.bat, choosing "All Files" as the file type.
This is how the batch must look afterwards:

Double-click fix.bat and let the program run.
A small black dos window will flash, this is normal.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on Scan, then click Next.
You'll see a list of all items found.
Do not choose for rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Don't forget the Blacklight log.... :)
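An added example (mine, not the helper's and not HijackThis's own code): a small Python triage that applies the same kind of judgement the post above makes when picking which entries to tick, run over a constructed sample built from entries posted in this thread. The scoring rules, the allowlist of Winlogon Notify packages and the list of core binary names are assumptions for illustration; HijackThis itself does no such scoring, it only lists.

```python
"""Triage a HijackThis 1.99 log for the entry patterns flagged in this thread.

Added example. The heuristics are my own assumptions, not HijackThis rules
or a vendor signature:
  O2  - '(no name)' BHO whose DLL is missing or is a random-letter System32 name
  O4  - Run/RunServices value whose name is a single token containing digits,
        or whose command is a near-miss of a core system binary name
  O20 - Winlogon Notify package not in a short (assumed) XP default allowlist
  O23 - 'Unknown owner' service whose binary is missing or a near-miss name
"""
import re

SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Assumed XP-era default Winlogon Notify packages; anything else gets flagged.
NOTIFY_ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
RANDOM_LETTERS = re.compile(r"^[a-z]{4,8}$")                        # xxyxu, gitfmbsb
TOKEN_WITH_DIGITS = re.compile(r"^[A-Za-z0-9_]*\d[A-Za-z0-9_]*$")   # rsy32, DF15F63D
O4_ENTRY = re.compile(r"^O4 - \S+: \[([^\]]+)\] (.*)$")
MISSING = " (file missing)"


def edit_distance(a, b):
    """Levenshtein distance; catches spoolsc.exe vs spoolsv.exe and the like."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_binary(name):
    """True when name is one edit away from a core binary name but is not that name."""
    name = name.lower()
    return name not in SYSTEM_BINARIES and any(
        edit_distance(name, real) == 1 for real in SYSTEM_BINARIES)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def last_field(line):
    """Return the trailing file/command field and whether HJT marked it missing."""
    missing = line.endswith(MISSING)
    body = line[: -len(MISSING)] if missing else line
    # O2 lines carry a GUID before the path; other types use ' - ' as separator.
    path = body.split("} - ", 1)[-1] if "} - " in body else body.rsplit(" - ", 1)[-1]
    return path, missing


def triage_hjt(log_text):
    """Return (rule, line) pairs for the entries a helper would tick in HijackThis."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        path, missing = last_field(line)
        name = basename(path)
        stem = name.lower().rsplit(".", 1)[0]

        if line.startswith("O2 - BHO: (no name)"):
            if missing or ("\\system32\\" in path.lower() and RANDOM_LETTERS.match(stem)):
                findings.append(("O2 nameless BHO, missing or random System32 DLL", line))
        elif line.startswith("O4 - HK"):
            m = O4_ENTRY.match(line)
            if m:
                value, command = m.groups()
                exe = re.match(r'"?(.*?\.exe)', command, re.I)
                cmd_name = basename(exe.group(1) if exe else command.split()[0])
                if TOKEN_WITH_DIGITS.match(value) or looks_like_system_binary(cmd_name):
                    findings.append(("O4 random value name or system-binary look-alike", line))
        elif line.startswith("O20 - Winlogon Notify: "):
            package = line.split(": ", 1)[1].split(" - ", 1)[0]
            if missing or package.lower() not in NOTIFY_ALLOWLIST:
                findings.append(("O20 unexpected Winlogon Notify package", line))
        elif line.startswith("O23 - Service: ") and "Unknown owner" in line:
            if missing or looks_like_system_binary(name):
                findings.append(("O23 unowned service, missing or look-alike binary", line))
    return findings


# Constructed sample: entries copied from the logs posted in this thread, with
# legitimate ones from the same logs mixed in so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - C:\WINDOWS\System32\hgghihg.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\gitfmbsb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DF15F63D] C:\WINDOWS\System32\mlsdf8h6781714.exe
O4 - HKLM\..\Run: [rsy32] C:\WINDOWS\System32\rsy32.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: xxyxu - C:\WINDOWS\System32\xxyxu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Print Spooler Service (ov2jusaqzu) - Unknown owner - C:\WINDOWS\System32\mlsdf8h6781714.exe (file missing)
O23 - Service: TCP Spooler Service - Unknown owner - C:\WINDOWS\system32\spoolsc.exe
"""

if __name__ == "__main__":
    for rule, line in triage_hjt(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run as-is it prints the ten entries a helper would tick and leaves SDHelper.dll, the ATI entries and ctfmon.exe alone. The look-alike check is the part worth keeping: svcchost.exe and spoolsc.exe are each one edit away from a real core binary name, which is exactly why the eye slides over them in a process list.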
 

Registered · 10 Posts · Discussion Starter · #7
Hi, Here we go:

Logfile of HijackThis v1.99.1
Scan saved at 22:24:22, on 01/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {3609E29A-2E20-40D8-9FEF-C68A41A99365} - C:\WINDOWS\System32\xxyxu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D677FD-3DD0-4CCC-A80C-83F881A4CE5E}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: xxyxu - C:\WINDOWS\System32\xxyxu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-----------------------------------------------------------------------------------------------

Blacklight stated no files found.

01/01/07 22:13:40 [Info]: BlackLight Engine 1.0.55 initialized
01/01/07 22:13:40 [Info]: OS: 5.1 build 2600 ()
01/01/07 22:13:40 [Note]: 7019 4
01/01/07 22:13:40 [Note]: 7005 0
01/01/07 22:13:43 [Note]: 7006 0
01/01/07 22:13:43 [Note]: 7011 1884
01/01/07 22:13:43 [Note]: 7026 0
01/01/07 22:13:43 [Note]: 7026 0
01/01/07 22:13:45 [Note]: FSRAW library version 1.7.1021
01/01/07 22:18:02 [Note]: 7007 0

--------------------------------------------------------------------------------------------------

ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Tom King\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-01 to 2007-01-01 ))))))))))))))))))))))))))))))))))

2007-01-01 22:01 d-------- C:\!KillBox
2007-01-01 21:49 648,424 ---hs---- C:\WINDOWS\system32\uxyxx.bak1
2007-01-01 21:48 277,044 ---hs---- C:\WINDOWS\system32\xxyxu.dll
2007-01-01 21:44 22,541 ---hs---- C:\WINDOWS\system32\ddcywwv.dll
2007-01-01 18:39 22,541 ---hs---- C:\WINDOWS\system32\ddcbbyv.dll
2007-01-01 14:22 22,541 ---hs---- C:\WINDOWS\system32\tuvwuvt.dll
2007-01-01 14:16 22,541 ---hs---- C:\WINDOWS\system32\byxuuvt.dll
2007-01-01 03:46 22,541 ---hs---- C:\WINDOWS\system32\ddccyya.dll
2006-12-31 20:34 22,541 ---hs---- C:\WINDOWS\system32\fccbcby.dll
2006-12-31 19:40 22,541 ---hs---- C:\WINDOWS\system32\wvwxxvw.dll
2006-12-31 10:34 22,541 ---hs---- C:\WINDOWS\system32\gebxutt.dll
2006-12-30 23:07 22,541 ---hs---- C:\WINDOWS\system32\qomnmjg.dll
2006-12-30 23:04 14,303 --a------ C:\WINDOWS\system32\ljjig.dll
2006-12-30 23:00 22,541 ---hs---- C:\WINDOWS\system32\hggfdcy.dll
2006-12-30 22:47 22,541 ---hs---- C:\WINDOWS\system32\urqqnol.dll
2006-12-30 22:44 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-30 21:46 22,541 ---hs---- C:\WINDOWS\system32\gebxwvu.dll
2006-12-30 21:38 24,523 --a------ C:\WINDOWS\system32\byxxu.dll
2006-12-30 21:29 22,541 ---hs---- C:\WINDOWS\system32\vtuvtts.dll
2006-12-30 19:58 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-30 19:54 22,541 ---hs---- C:\WINDOWS\system32\gebcyab.dll
2006-12-30 19:46 d-------- C:\WINDOWS\system32\bits
2006-12-30 19:45 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-12-30 19:45 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-12-30 19:45 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-30 19:45 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-30 19:45 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2006-12-30 19:36 22,541 ---hs---- C:\WINDOWS\system32\ddcaxxx.dll
2006-12-30 18:16 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-30 18:16 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-12-30 18:16 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-30 18:16 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-30 18:16 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-30 18:16 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-30 18:15 d-------- C:\WINDOWS\SoftwareDistribution
2006-12-30 16:58 22,541 ---hs---- C:\WINDOWS\system32\ssqrqno.dll
2006-12-30 13:21 22,541 ---hs---- C:\WINDOWS\system32\ljjkjji.dll
2006-12-30 12:22 22,541 ---hs---- C:\WINDOWS\system32\gebxwts.dll
2006-12-30 12:19 d-------- C:\Program Files\a-squared Anti-Malware
2006-12-30 11:48 22,541 ---hs---- C:\WINDOWS\system32\wvuuuts.dll
2006-12-30 11:44 22,541 ---hs---- C:\WINDOWS\system32\yaywvwx.dll
2006-12-30 11:42 22,541 ---hs---- C:\WINDOWS\system32\ssqopol.dll
2006-12-30 11:38 22,541 ---hs---- C:\WINDOWS\system32\khfgggf.dll
2006-12-30 11:31 22,541 ---hs---- C:\WINDOWS\system32\mljhffd.dll
2006-12-30 11:25 22,541 ---hs---- C:\WINDOWS\system32\tuvssqr.dll
2006-12-29 22:55 67,584 --a------ C:\WINDOWS\system32\eraseme_40555.exe
2006-12-29 22:30 81,684 --a------ C:\WINDOWS\system32\tmqnvhko.dll
2006-12-29 22:26 d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-29 22:26 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-29 22:07 d-------- C:\VundoFix Backups
2006-12-29 21:31 22,541 ---hs---- C:\WINDOWS\system32\iifebcc.dll
2006-12-29 20:31 22,541 ---hs---- C:\WINDOWS\system32\pmnkihf.dll
2006-12-29 17:13 22,541 ---hs---- C:\WINDOWS\system32\efcabxu.dll
2006-12-29 15:55 22,541 ---hs---- C:\WINDOWS\system32\ssqnolk.dll
2006-12-29 15:50 22,541 ---hs---- C:\WINDOWS\system32\opnkiif.dll
2006-12-29 15:32 22,541 ---hs---- C:\WINDOWS\system32\ssqqqnl.dll
2006-12-29 15:02 d-------- C:\Program Files\Symantec Technical Support
2006-12-29 14:45 22,541 ---hs---- C:\WINDOWS\system32\qommmjj.dll
2006-12-29 02:56 22,541 ---hs---- C:\WINDOWS\system32\qomnlif.dll
2006-12-28 19:36 22,541 ---hs---- C:\WINDOWS\system32\qomjgfd.dll
2006-12-28 19:25 22,541 ---hs---- C:\WINDOWS\system32\cbxxvwt.dll
2006-12-28 14:31 22,541 ---hs---- C:\WINDOWS\system32\iifeccd.dll
2006-12-28 10:54 22,541 ---hs---- C:\WINDOWS\system32\vtusttr.dll
2006-12-28 09:55 22,541 ---hs---- C:\WINDOWS\system32\pmnklki.dll
2006-12-27 18:06 81,684 --a------ C:\WINDOWS\system32\mwuvgdyw.dll
2006-12-27 18:01 22,541 ---hs---- C:\WINDOWS\system32\gebcaay.dll
2006-12-24 17:11 0 --a------ C:\WINDOWS\system32\eraseme_20027.exe
2006-12-22 21:41 0 --a------ C:\WINDOWS\system32\eraseme_83125.exe
2006-12-19 16:09 0 --a------ C:\WINDOWS\system32\svchostz.exe
2006-12-18 22:10 75,766 --a------ C:\WINDOWS\system32\recsl.exe
2006-12-17 08:48 d---s---- C:\Documents and Settings\Tom King\UserData
2006-12-16 23:18 76,308 --a------ C:\WINDOWS\system32\salvage.exe
2006-12-15 16:51 d----c--- C:\WINDOWS\system32\DRVSTORE
2006-12-15 16:51 d-------- C:\Documents and Settings\Tom King\Contacts
2006-12-15 16:50 d-------- C:\Program Files\MSN Messenger
2006-12-10 19:29 d--h----- C:\WINDOWS\PIF
2006-12-10 16:47 40,584 -r-hs---- C:\WINDOWS\system32\vcmon.exe
2006-12-10 16:45 0 --a------ C:\WINDOWS\system32\eraseme_76062.exe
2006-12-10 16:36 d-------- C:\Documents and Settings\Tom King\Application Data\Macromedia
2006-12-10 16:29 88,960 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2006-12-10 16:28 d-------- C:\Program Files\Huawei technologies

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-01 22:07 -------- d-------- C:\Program Files\Common Files
2006-12-30 18:16 -------- d--h----- C:\Program Files\WindowsUpdate
2006-12-29 15:12 -------- d---s---- C:\Documents and Settings\Tom King\Application Data\Microsoft
2006-12-15 21:30 -------- d-------- C:\Program Files\Windows Media Player
2006-12-15 21:30 -------- d-------- C:\Program Files\Messenger
2006-12-15 16:51 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-10 16:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-10 16:26 -------- d-------- C:\Program Files\Common Files\InstallShield

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Spyware Cleaner"="\"C:\\Program Files\\Spyware Cleaner\\SpywareCleaner.Exe\" /boot"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,fc,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxu

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Tom King.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

Completion time: 07-01-01 22:19:02.27
C:\ComboFix.txt ... 07-01-01 22:19
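Added example, not from the thread and not ComboFix's own logic: a parser for the "Files Created" section of the log above that finds what the helper finds by eye, the run of hidden+system (---hs----) DLLs of identical size dropped into System32. The thresholds and attribute rules are my assumptions; the sample is a constructed subset of the lines posted above.

```python
"""Parse ComboFix's 'Files Created' listing and flag the Vundo-style cluster.

Added example; the rules are assumptions for illustration, not ComboFix logic:
  * three or more hidden+system files in System32 with identical size
  * any other hidden+system file in System32
  * a zero-byte .exe in System32
"""
import re
from collections import defaultdict

# <date> <time> [<size>] <attrs> <path>; directory lines carry no size column.
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:([\d,]+)\s+)?([d\-][a-z\-]{8})\s+(.+)$")


def parse_files_created(text):
    """Return dicts for file lines; directory lines (attrs start with 'd') are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3).startswith("d"):
            continue
        when, size, attrs, path = m.groups()
        entries.append({"when": when, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path})
    return entries


def hidden_and_system(attrs):
    return "h" in attrs and "s" in attrs


def in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def triage_files_created(text, min_cluster=3):
    """Map each suspicious path to the reason it was flagged."""
    entries = [e for e in parse_files_created(text) if in_system32(e["path"])]
    clusters = defaultdict(list)
    for e in entries:
        if hidden_and_system(e["attrs"]):
            clusters[(e["size"], e["attrs"])].append(e["path"])
    flagged = {}
    for (size, attrs), paths in clusters.items():
        if len(paths) >= min_cluster:
            for p in paths:
                flagged[p] = f"{len(paths)} hidden+system files of identical size {size:,}"
    for e in entries:
        if e["path"] in flagged:
            continue
        if hidden_and_system(e["attrs"]):
            flagged[e["path"]] = "hidden+system file in System32"
        elif e["size"] == 0 and e["path"].lower().endswith(".exe"):
            flagged[e["path"]] = "zero-byte executable in System32"
    return flagged


def killbox_list(flagged):
    """One path per line, the form KillBox's 'Paste from clipboard' expects."""
    return "\n".join(sorted(flagged))


# Constructed sample: a subset of the ComboFix lines posted in this thread.
SAMPLE = r"""
2007-01-01 22:01 d-------- C:\!KillBox
2007-01-01 21:49 648,424 ---hs---- C:\WINDOWS\system32\uxyxx.bak1
2007-01-01 21:48 277,044 ---hs---- C:\WINDOWS\system32\xxyxu.dll
2007-01-01 21:44 22,541 ---hs---- C:\WINDOWS\system32\ddcywwv.dll
2007-01-01 18:39 22,541 ---hs---- C:\WINDOWS\system32\ddcbbyv.dll
2007-01-01 14:22 22,541 ---hs---- C:\WINDOWS\system32\tuvwuvt.dll
2006-12-30 23:04 14,303 --a------ C:\WINDOWS\system32\ljjig.dll
2006-12-30 22:44 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-12-30 19:45 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-24 17:11 0 --a------ C:\WINDOWS\system32\eraseme_20027.exe
2006-12-10 16:47 40,584 -r-hs---- C:\WINDOWS\system32\vcmon.exe
2006-12-10 16:28 d-------- C:\Program Files\Huawei technologies
"""

if __name__ == "__main__":
    hits = triage_files_created(SAMPLE)
    for path, why in sorted(hits.items()):
        print(f"{path}  <- {why}")
    print("\nKillBox paste list:\n" + killbox_list(hits))
```

Note what the attribute rules miss: ljjig.dll and byxxu.dll in the full log were dropped with ordinary --a------ attributes and a different size, and the helper still removed them. A size/attribute cluster finds the bulk of a Vundo drop, not its edges, so the output is a starting list to review, not the whole fix.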
 

Registered · 4,699 Posts
Oh my, you have quite a lot of infected files left over. :0
You have also been reinfected, which isn't really that surprising.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right-click inside the listbox (white box) and click "add more files"
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINDOWS\system32\xxyxu.dll

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\uxyxx.bak1
C:\WINDOWS\system32\xxyxu.dll
C:\WINDOWS\system32\ddcywwv.dll
C:\WINDOWS\system32\ddcbbyv.dll
C:\WINDOWS\system32\tuvwuvt.dll
C:\WINDOWS\system32\byxuuvt.dll
C:\WINDOWS\system32\ddccyya.dll
C:\WINDOWS\system32\fccbcby.dll
C:\WINDOWS\system32\wvwxxvw.dll
C:\WINDOWS\system32\gebxutt.dll
C:\WINDOWS\system32\qomnmjg.dll
C:\WINDOWS\system32\ljjig.dll
C:\WINDOWS\system32\hggfdcy.dll
C:\WINDOWS\system32\urqqnol.dll
C:\WINDOWS\system32\gebxwvu.dll
C:\WINDOWS\system32\byxxu.dll
C:\WINDOWS\system32\vtuvtts.dll
C:\WINDOWS\system32\gebcyab.dll
C:\WINDOWS\system32\ddcaxxx.dll
C:\WINDOWS\system32\ssqrqno.dll
C:\WINDOWS\system32\ljjkjji.dll
C:\WINDOWS\system32\gebxwts.dll
C:\WINDOWS\system32\wvuuuts.dll
C:\WINDOWS\system32\yaywvwx.dll
C:\WINDOWS\system32\ssqopol.dll
C:\WINDOWS\system32\khfgggf.dll
C:\WINDOWS\system32\mljhffd.dll
C:\WINDOWS\system32\tuvssqr.dll
C:\WINDOWS\system32\eraseme_40555.exe
C:\WINDOWS\system32\tmqnvhko.dll
C:\WINDOWS\system32\iifebcc.dll
C:\WINDOWS\system32\pmnkihf.dll
C:\WINDOWS\system32\efcabxu.dll
C:\WINDOWS\system32\ssqnolk.dll
C:\WINDOWS\system32\opnkiif.dll
C:\WINDOWS\system32\ssqqqnl.dll
C:\WINDOWS\system32\qommmjj.dll
C:\WINDOWS\system32\qomnlif.dll
C:\WINDOWS\system32\qomjgfd.dll
C:\WINDOWS\system32\cbxxvwt.dll
C:\WINDOWS\system32\iifeccd.dll
C:\WINDOWS\system32\vtusttr.dll
C:\WINDOWS\system32\pmnklki.dll
C:\WINDOWS\system32\mwuvgdyw.dll
C:\WINDOWS\system32\gebcaay.dll
C:\WINDOWS\system32\eraseme_20027.exe
C:\WINDOWS\system32\eraseme_83125.exe
C:\WINDOWS\system32\svchostz.exe
C:\WINDOWS\system32\recsl.exe
C:\WINDOWS\system32\salvage.exe
C:\WINDOWS\system32\vcmon.exe
C:\WINDOWS\system32\eraseme_76062.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the File menu: pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxu]
Save this as "fix.reg" (choosing "All Files" as the file type) and place it on your desktop.
It should look like this:
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {3609E29A-2E20-40D8-9FEF-C68A41A99365} - C:\WINDOWS\System32\xxyxu.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: xxyxu - C:\WINDOWS\System32\xxyxu.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot and post a new HijackThis log.
Also post the new Vundofix log in your next reply.
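Added example, not part of the thread and not KillBox's code, on what the "Delete on Reboot" step above actually does and why the helper asks about a "Pending File Rename Operations" prompt. The mechanism is standard Windows behaviour as I know it: a delayed delete is the Win32 call MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which appends the pair "\??\<path>", "" to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the session manager applies the list at the next boot. Malware uses the same queue, so being able to read it is part of checking a box. The helper functions and names below are mine; the queued paths are the two from the KillBox list above.

```python
"""Encode, decode and queue PendingFileRenameOperations entries.

Added example. A source string followed by an empty target string means
"delete at boot"; a non-empty target means rename. Note that the empty
strings inside the list look like the MULTI_SZ list terminator, so a naive
reader that stops at the first double NUL would silently truncate the queue.
"""
import ctypes
import sys

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def nt_path(win32_path):
    r"""Win32 path -> the \??\ form Windows stores in the value."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def queue_deletes(paths, existing=()):
    """Append (source, "") pairs for each path to an existing flat string list."""
    entries = list(existing)
    for p in paths:
        entries.extend([nt_path(p), ""])
    return entries


def to_multi_sz(strings):
    """REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, extra NUL at the end."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def from_multi_sz(data):
    """Inverse of to_multi_sz that keeps the empty strings marking deletions."""
    text = data.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                     # strip the list terminator only
    parts = text.split("\x00")
    return parts[:-1] if parts and parts[-1] == "" else parts


def pending_operations(strings):
    """Pair up the flat list as (source, target); target "" means delete at boot."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]


def delete_on_reboot(win32_path):
    """Queue a delete the way KillBox does. Windows only, needs admin rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    ok = ctypes.windll.kernel32.MoveFileExW(win32_path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()
    return True


if __name__ == "__main__":
    # Constructed: the two files the helper asked to have deleted on reboot.
    queued = queue_deletes([r"C:\WINDOWS\system32\xxyxu.dll",
                            r"C:\WINDOWS\system32\uxyxx.bak1"])
    raw = to_multi_sz(queued)
    for src, dst in pending_operations(from_multi_sz(raw)):
        print("DELETE" if dst == "" else f"RENAME -> {dst}", src)
```

On a live box the same decode applies to the raw bytes read from the Session Manager key; if the value is present at all on a machine nobody has just run KillBox or an installer on, the queued paths are worth reading before the next reboot applies them.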
 

Registered · 10 Posts · Discussion Starter · #9
Hi again,

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:12, on 02/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

------------------------------------------------------------------------------------

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:07:58 29/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 19:29:38 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmklk.dll
C:\WINDOWS\System32\pmklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini
C:\WINDOWS\System32\klkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak1
C:\WINDOWS\System32\klkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.bak2
C:\WINDOWS\System32\klkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.ini2
C:\WINDOWS\System32\klkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\klkmp.tmp
C:\WINDOWS\System32\klkmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 21:32:12 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmnop.dll
C:\WINDOWS\System32\pmnop.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.ini
C:\WINDOWS\System32\ponmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ponmp.bak1
C:\WINDOWS\System32\ponmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 22:40:21 30/12/2006

Listing files found while scanning....

C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\hgggf.dll
C:\WINDOWS\System32\hgggf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.ini
C:\WINDOWS\System32\fgggh.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\fgggh.bak1
C:\WINDOWS\System32\fgggh.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 18:28:50 01/01/2007

Listing files found while scanning....

C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\tsutv.ini
C:\WINDOWS\System32\tsutv.bak1
C:\WINDOWS\System32\tsutv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\vtust.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.ini
C:\WINDOWS\System32\tsutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.bak1
C:\WINDOWS\System32\tsutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\tsutv.bak2
C:\WINDOWS\System32\tsutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hgghihg.dll
C:\WINDOWS\SYSTEM32\hgghihg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 10:42:26 02/01/2007

Listing files found while scanning....

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 12:06:38 02/01/2007

Listing files found while scanning....

C:\WINDOWS\System32\xxyxu.dll
C:\WINDOWS\System32\uxyxx.ini
C:\WINDOWS\System32\uxyxx.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\xxyxu.dll
C:\WINDOWS\System32\xxyxu.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\uxyxx.ini
C:\WINDOWS\System32\uxyxx.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\uxyxx.bak1
C:\WINDOWS\System32\uxyxx.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
 

Registered · 4,699 Posts
Hello there, let's continue...:up:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Open HijackThis, click 'Config' (bottom right) and choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\System32\mysvcc.exe

After the reboot, Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David
 

Registered · 10 Posts · Discussion Starter · #11
Hi David,

The pop ups have stopped so something must be going right...here are the logs:

I didn't go any further with Kaspersky other than save the log...Let me know if it has to be run again.

Logfile of HijackThis v1.99.1
Scan saved at 11:45:42, on 03/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svcchost.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D677FD-3DD0-4CCC-A80C-83F881A4CE5E}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 03, 2007 11:45:09 AM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/01/2007
Kaspersky Anti-Virus database records: 241379
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 27189
Number of viruses found: 6
Number of infected objects: 28 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:23

Infected Object Name / Virus Name / Last Action
C:\!KillBox\mwuvgdyw.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\!KillBox\mysvcc.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\!KillBox\salvage.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\!KillBox\svcchost.exe Infected: Backdoor.Win32.SdBot.awk skipped
C:\!KillBox\tmqnvhko.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\!KillBox\vcmon.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-01-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tom King\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tom King\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tom King\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tom King\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tom King\Local Settings\Temp\JET95B1.tmp Object is locked skipped
C:\Documents and Settings\Tom King\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tom King\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tom King\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\vWTP.mdb Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\024D3C18 Infected: Backdoor.Win32.Rbot.bom skipped
C:\Program Files\Norton AntiVirus\Quarantine\084B2D6E Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\147662A7 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\21047D89 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\35001ECA Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\556A6CA7.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\592A7EC8 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\5DEC2B8B Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\5E6F3AFB Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EC154A2 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Program Files\Norton AntiVirus\Quarantine\6F9B638B Infected: Backdoor.Win32.SdBot.aad skipped
C:\RECYCLER\NPROTECT\00024838.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\RECYCLER\NPROTECT\00025182.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0024796.exe Infected: Backdoor.Win32.SdBot.awk skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0024797.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0025298.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0025558.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0025572.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0025577.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\A0025578.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{E87F59B5-9B4B-4327-B3FC-3B7F4F037520}\RP23\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mysvcc.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\WINDOWS\system32\svcchost.exe Infected: Backdoor.Win32.Rbot.bjp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 

Registered · 4,699 Posts
Ok, good to hear the popups have stopped, let's continue...

Open HijackThis, click 'Config' (bottom right) and choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\System32\svcchost.exe

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post back with a new HijackThis log and the SDFix log.
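The helper's posts pick out the bad autostart entries by eye: svcchost.exe and mysvcc.exe are bare filenames under Run/RunServices, and svcchost.exe is one letter away from the real svchost.exe. As an added example (not code from the thread or from HijackThis), here is a checker that applies those same two heuristics to HijackThis-style log text; the allowlist KNOWN_SYSTEM_BINARIES is an assumption limited to XP binaries seen in the thread's logs, and SAMPLE_LOG is constructed from lines quoted in this thread.

```python
# Added example (not code from the thread or from HijackThis): flag the two
# things the helper picked out by eye in a HijackThis-style log, an O4
# Run/RunServices entry that is a bare filename, and an executable whose
# name is one edit away from a real Windows binary (svcchost vs svchost).
import re

# Assumed allowlist: legitimate XP binaries that appear in the thread's logs.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "alg.exe",
}

# Matches e.g.  O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")


def levenshtein(a, b):
    """Edit distance between two strings (standard row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system binary `name` is exactly one edit away from, else None."""
    low = name.lower()
    if low in KNOWN_SYSTEM_BINARIES:        # an exact match is legitimate
        return None
    # Threshold of one edit: keeps iexplore.exe (two edits from explorer.exe) clean.
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if levenshtein(low, known) == 1:
            return known
    return None


def command_basename(cmd):
    """Split an O4 command into (executable basename, had_a_directory)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, maybe with args
        path = cmd[1:].split('"', 1)[0]
    else:                                       # unquoted: take up to .exe
        m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1], "\\" in path


def analyze_log(text):
    """Return [(line, [reasons])] for each suspicious line in the log text."""
    findings, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":       # section of full process paths
            in_processes = True
            continue
        if not line:                            # blank line ends that section
            in_processes = False
            continue
        reasons = []
        m = O4_RE.match(line)
        if m:
            _hive, key, _label, cmd = m.groups()
            base, has_dir = command_basename(cmd)
            if not has_dir:
                reasons.append("bare filename, resolved through the search path")
            if key == "RunServices":
                reasons.append("RunServices key (Win9x-era autostart, unusual on XP)")
        elif in_processes:
            base = line.rsplit("\\", 1)[-1]
        else:
            continue
        known = lookalike_of(base)
        if known:
            reasons.append(f"name is one edit away from {known}")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsc.exe
C:\WINDOWS\System32\svcchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for line, reasons in analyze_log(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

The bare-filename check is deliberately noisy (it also lists driver helpers such as Ati2mdxx.exe), so treat it as a prompt to verify the file's location rather than a verdict.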
 

Registered · 10 Posts · Discussion Starter · #13
These were not available to be checked in the HijackThis program:

O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe

Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 18:44:25, on 03/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

----------------------------------------------------------------------------

SDFix: Version 1.53
****************

03/01/2007 - 18:41:19.60

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

File Path:

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\i
C:\WINDOWS\system32\mysvcc.exe
C:\WINDOWS\system32\svcchost.exe

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys

FINISHED!
 

Registered · 4,699 Posts
Hey there,

Open Norton AntiVirus by double clicking the 'Shield' icon located in the right hand bottom corner of your computer screen.
Double click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents.
Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder.

Select the item you wish to remove and click on RED 'X' icon to delete it.
This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer.
Repeat for any other quarantined files you want to remove.

When you are done removing files, click the 'Exit' button in the bottom left hand corner of the Norton AntiVirus window.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.

We want to create a new, clean restore point. Please first reboot your computer.
You will be asked to turn system restore on again, click "yes".
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".

Reboot a final time and let me know how the PC is running... :up:
 

Registered · 10 Posts · Discussion Starter · #15
Right, firstly there is no shield; Norton hasn't been working since the virus infected the PC.

When I open it through the icon on the desktop there is no View folders option.

When I go in to view the quarantine report, there are no items in the quarantine folder to see.

Have lost the CD to reinstall Norton AntiVirus and my subscription ran out on the 31st of Dec!

Can I access the quarantined files any other way?
 

Registered · 10 Posts · Discussion Starter · #18
Hi David,

Sorry for the delay in replying...Have been away from the PC over the last couple of days.

The popups seemed to have stopped when I emptied the quarantine folder, but I logged on to it today and they seem to have started again (...I am just short of putting on a fresh build again).

Here is the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:37:20, on 06/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\spoolsc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\eraseme_88828.exe
C:\Documents and Settings\Tom King\Desktop\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\rdjklphj.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E044DE35-5D44-4486-9944-F61AEA72CF46} - C:\WINDOWS\System32\hggdb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\dedpawkr.dll",setvm
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167502477920
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D677FD-3DD0-4CCC-A80C-83F881A4CE5E}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: hggdb - C:\WINDOWS\System32\hggdb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Print Spooler - Unknown owner - C:\WINDOWS\system32\spoolsc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

Registered · 4,699 Posts
I've just realised something that would explain why you keep getting reinfected.

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

As long as your Windows stays unpatched, there is no point in me trying to help you.
Every time we fix it you will just get reinfected again.

Update to SP1, and post back with a new HijackThis log.
 