weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Jul 20, 2008 7:23 pm Post subject: can't access security sites
Brother-in-law called about slow system. AVG database is out of date and gets errors when trying to update. Log shows 6 occurrences of HTML/Framer and 1 occurrence of JS/Psyme.
Adaware database is out of date and gets errors when I try to update. It does not clean anything.
Tried to go to a couple of security sites to run online anti-virus scans but all come up 404 not found. I can get to most sites, problem seems to be security sites only (can't get to CastleCops either).
Lots of pop-ups and pop-unders even though IE popup blocker is enabled.
Also getting error when trying to use Task Manager, "Task Manager has been disabled by your administrator".
When I Google the task manager or JS/Psyme problems and select the hits I get redirected to another page that looks like some sort of search engine.
I have run out of ideas how to clean this thing. Ran HJT and got this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:45 PM, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UERS_9999_N91S2507] "c:\documents and settings\mickey chenette\application data\errorsafenewreleaseinstall[1].exe" -nag
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [081818b9] rundll32.exe "C:\WINDOWS\system32\fvjlagse.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 6085 bytes
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17542
Posted: Thu Jul 24, 2008 3:54 pm Post subject:
You're Ready for cleaning.
At CastleCops we screen all HijackThis logs for errors, out-of-date versions, unupdated operating systems, omissions and P2P applications; getting you [READY] for cleaning by our 1st Responders and Security Experts.
Now you wait for one of them to come help you.
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 10, 2008 5:59 pm Post subject:
I tried the unhandled logs process but nothing has happened for a couple of weeks now. I'm having major problems accessing this site. Are there problems with the site?
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17542
Posted: Thu Aug 21, 2008 2:53 pm Post subject:
Yes, there were problems with the site. Seems to be fixed now. Hope it stays that way.
If you are still interested in getting help to clean up your computer, please post a fresh log here. Thanks.
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Thu Aug 21, 2008 6:23 pm Post subject:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:58 PM, on 17/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [081818b9] rundll32.exe "C:\WINDOWS\system32\schcfprm.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: brrtlk.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 5798 bytes
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1924
Posted: Sat Aug 23, 2008 3:27 am Post subject:
Welcome to Castlecops!
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Fix Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
- If you receive this error: "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid", please download Comdlg32.ocx, place it in your C:\Windows\system32 folder and try running VundoFix again.
Next, please download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 24, 2008 4:44 pm Post subject:
SDFix will not run. I double click on it and nothing happens. There is no SDFix folder created. Here are the other logs:
VundoFix V7.0.6
Scan started at 11:16:52 AM 24/08/2008
Listing files found while scanning....
C:\Windows\system32\cJjjlnnn.ini
C:\Windows\system32\cJjjlnnn.ini2
C:\Windows\system32\nnnljjJc.dll
Beginning removal...
Attempting to delete C:\Windows\system32\cJjjlnnn.ini
C:\Windows\system32\cJjjlnnn.ini Has been deleted!
Attempting to delete C:\Windows\system32\cJjjlnnn.ini2
C:\Windows\system32\cJjjlnnn.ini2 Has been deleted!
Attempting to delete C:\Windows\system32\nnnljjJc.dll
C:\Windows\system32\nnnljjJc.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:26 AM, on 24/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: {19b913a3-7ff6-150b-4444-c2bfc2d48310} - {01384d2c-fb2c-4444-b051-6ff73a319b91} - C:\WINDOWS\system32\onjbwf.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D454E29-431F-4A01-B79E-0B04A0F86691} - C:\WINDOWS\system32\nnnljjJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {84C53226-C282-41FE-A4B4-8F05CC5EC24B} - C:\WINDOWS\system32\rqRIYoME.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [081818b9] rundll32.exe "C:\WINDOWS\system32\juawiomi.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: brrtlk.dll zzuemm.dll onjbwf.dll
O20 - Winlogon Notify: rqRIYoME - C:\WINDOWS\SYSTEM32\rqRIYoME.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 6576 bytes
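As an added example (not code from this thread, from CastleCops or from the HijackThis tool), the script below parses the load-point sections the responders acted on in the logs posted here (O2 BHOs, O4 Run values using rundll32, O20 AppInit_DLLs and Winlogon Notify, O21 SSODL) and pulls out the DLL names a helper would investigate. The severity rules are my own assumptions; the sample lines are copied from the HijackThis log in the post above, with two benign lines from the same log kept to show they are not flagged.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the HijackThis log posted above (the two AVG/Acrobat
# lines are benign and are included to show the checks leave them alone).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D454E29-431F-4A01-B79E-0B04A0F86691} - C:\WINDOWS\system32\nnnljjJc.dll (file missing)
O2 - BHO: (no name) - {84C53226-C282-41FE-A4B4-8F05CC5EC24B} - C:\WINDOWS\system32\rqRIYoME.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [081818b9] rundll32.exe "C:\WINDOWS\system32\juawiomi.dll",b
O20 - AppInit_DLLs: brrtlk.dll zzuemm.dll onjbwf.dll
O20 - Winlogon Notify: rqRIYoME - C:\WINDOWS\SYSTEM32\rqRIYoME.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
""".strip()

MISSING = " (file missing)"

# Line shapes of the HijackThis v2 sections this triage looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+\.dll', re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HijackThis section code, e.g. "O20"
    severity: str         # "high": code still loads from here; "review": orphan entry
    reason: str
    line: str
    dlls: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace(MISSING, "").strip().replace("/", "\\").rsplit("\\", 1)[-1]


def _check_o2(m) -> Optional[Finding]:
    name, path = m.group("name"), m.group("path")
    if path.endswith(MISSING):
        return Finding("O2", "review", "orphaned BHO (file missing)", m.string, [_basename(path)])
    if name == "(no name)":
        return Finding("O2", "high", "BHO with no name loaded into every IE process", m.string, [_basename(path)])
    return None


def _check_o4(m) -> Optional[Finding]:
    value, cmd = m.group("value"), m.group("cmd")
    if not cmd.lower().lstrip('"').startswith("rundll32"):
        return None
    dll = DLL_PATH_RE.search(cmd)
    why = "Run value launches rundll32 against a DLL"
    severity = "review"
    if re.fullmatch(r"[0-9a-f]{8}", value):   # assumption: hex-looking value name = generated
        why += f"; value name '{value}' looks machine-generated"
        severity = "high"
    return Finding("O4", severity, why, m.string, [_basename(dll.group(0))] if dll else [])


def _check_o20(m) -> Optional[Finding]:
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "AppInit_DLLs":
        names = rest.split()
        if not names:
            return None
        return Finding("O20", "high", "AppInit_DLLs are injected into every process that loads user32.dll",
                       m.string, names)
    # Winlogon Notify packages run inside winlogon.exe at logon.
    return Finding("O20", "high", "non-default Winlogon Notify package", m.string,
                   [_basename(rest.split(" - ")[-1])])


def _check_o21(m) -> Optional[Finding]:
    path = m.group("path")
    if path.endswith(MISSING):
        return Finding("O21", "review", "orphaned ShellServiceObjectDelayLoad entry (file missing)",
                       m.string, [_basename(path)])
    return Finding("O21", "high", "ShellServiceObjectDelayLoad entry loaded by Explorer at start-up",
                   m.string, [_basename(path)])


CHECKS = [(O2_RE, _check_o2), (O4_RE, _check_o4), (O20_RE, _check_o20), (O21_RE, _check_o21)]


def triage(log_text: str) -> List[Finding]:
    """Run every check over each line; a line matches at most one section pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                f = check(m)
                if f:
                    findings.append(f)
                break
    return findings


def suspect_dlls(findings: List[Finding]) -> List[str]:
    """Unique DLL basenames across all findings, the list a responder would feed to a fix script."""
    return sorted({d for f in findings for d in f.dlls}, key=str.lower)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
    print("DLLs to investigate:", ", ".join(suspect_dlls(results)))
```

Note that the same DLL (rqRIYoME.dll) shows up both as a BHO and as a Winlogon Notify package, which is why the DLL list is built as a set across sections rather than per line.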
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1924
Posted: Sun Aug 24, 2008 5:48 pm Post subject:
We will run another tool instead of SDFix, since it did not work.
Please download Malwarebytes Anti-Malware and save it to your desktop (alternate download link 1, alternate download link 2).
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Next, download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 31, 2008 4:43 pm Post subject:
I was able to download Malwarebytes from Cnet downloads site but the installer will not run. I select it and get the popup asking to run, which I select, then nothing.
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1924
Posted: Sun Aug 31, 2008 6:53 pm Post subject:
Were you able to run Combofix.exe?
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 31, 2008 7:15 pm Post subject:
Neither one does anything. Maybe I should rename them and try again.
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 31, 2008 7:16 pm Post subject:
Saints preserve us! Renaming worked!!
weegeordie
Sergeant
Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Sun Aug 31, 2008 9:48 pm Post subject:
Renamed Malwarebytes program and it ran. Combofix ran after that. Here are the logs.
"Mickey Chenette" - 2008-08-31 17:29:40 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Mickey Chenette\Desktop\"
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
2008-08-31 15:16 <DIR> d-------- C:\DOCUME~1\MICKEY~1\APPLIC~1\Malwarebytes
2008-08-31 15:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-31 15:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-31 15:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 15:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-08-27 06:57 131,840 --a------ C:\WINDOWS\system32\wtvdwq.dll
2008-08-27 06:57 131,840 --a------ C:\WINDOWS\system32\gxajugrv.dll
2008-08-24 11:54 135,936 --a------ C:\WINDOWS\system32\luhxjdxu.dll
2008-08-24 11:54 135,936 --a------ C:\WINDOWS\system32\guazpd.dll
2008-08-24 11:04 135,936 --a------ C:\WINDOWS\system32\onjbwf.dll
2008-08-24 11:04 135,936 --a------ C:\WINDOWS\system32\lknwthlq.dll
2008-08-22 19:48 135,936 --a------ C:\WINDOWS\system32\zzuemm.dll
2008-08-22 19:48 135,936 --a------ C:\WINDOWS\system32\nqkpkqgv.dll
2008-07-31 07:12 99,200 --a------ C:\WINDOWS\system32\lmgprhfo.dll
2008-07-31 07:09 120,960 --a------ C:\WINDOWS\system32\utvvnrel.dll
2008-07-31 07:09 120,960 --a------ C:\WINDOWS\system32\nndcca.dll
2008-07-29 07:22 120,448 --a------ C:\WINDOWS\system32\lyxecgsy.dll
2008-07-29 07:22 120,448 --a------ C:\WINDOWS\system32\ewitoe.dll
2008-07-20 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-19 08:26 116,864 --a------ C:\WINDOWS\system32\trbuuu.dll
2008-07-19 08:26 116,864 --a------ C:\WINDOWS\system32\prbcegwj.dll
2008-07-10 21:41 116,352 --a------ C:\WINDOWS\system32\utrwewhb.dll
2008-07-10 21:41 116,352 --a------ C:\WINDOWS\system32\jsucas.dll
2008-07-09 20:03 112,256 --a------ C:\WINDOWS\system32\qkuenp.dll
2008-07-09 20:03 112,256 --a------ C:\WINDOWS\system32\ehygeqtg.dll
2008-07-01 16:32 57,721 --a------ C:\WINDOWS\system32\clbinit.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-04-17 11:30:30 104 --sh--r C:\WINDOWS\system32\FC30865C4C.sys
2008-04-17 11:30:30 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{2D454E29-431F-4A01-B79E-0B04A0F86691}=C:\WINDOWS\system32\nnnljjJc.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 04:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-02-26 11:37]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 21:20]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 07:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF}"="C:\WINDOWS\vpssup.dll" []
"{6E5701CB-1695-4A9A-9149-9385E3EC5747}"="C:\WINDOWS\expro.dll" []
"{49424af8-531d-4aa5-a006-b5bee900ecad}"="e404d.dll" []
"{2aa75662-a1d6-4528-b350-0b01493f7c1c}"="C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=brrtlk.dll zzuemm.dll guazpd.dll wtvdwq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\clbdriver.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UERS_9999_N91S2507]
"c:\documents and settings\mickey chenette\application data\errorsafenewreleaseinstall[1].exe" -nag
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 17:34:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2008-08-31 17:35:45
C:\ComboFix-quarantined-files.txt ... 2008-08-31 17:35
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:59 PM, on 31/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D454E29-431F-4A01-B79E-0B04A0F86691} - C:\WINDOWS\system32\nnnljjJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: brrtlk.dll zzuemm.dll guazpd.dll wtvdwq.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 6032 bytes
AbuIbrahim
Security Expert Special Response Team
 Joined: Jan 18, 2006 Posts: 1924
Posted: Mon Sep 01, 2008 10:45 am Post subject: |
Great job on getting ComboFix and MBAM to work. Yes, renaming the executable sometimes makes them work, as some malware may try to hinder any removal by security tools.
If Malwarebytes ran successfully, can you please post the MBAM log as indicated in my previous instructions.
First, open hijackthis and select 'do a system scan only', and then place a checkmark beside each of these entries:
O20 - AppInit_DLLs: brrtlk.dll zzuemm.dll guazpd.dll wtvdwq.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
After placing all the checkmarks, close all windows (except HJT), and then hit 'Fix Checked'. When it finishes, exit HJT and reboot the computer.
Please rename hijackthis.exe to h.exe and post a new logfile using h.exe .
There are still a lot of infected files to clean up, but before I do so, I would like to make sure you are not infected with a rootkit.
Second, please download GMER Rootkit Detector from any of the following links:
GMER
- Unzip it and double click the gmer.exe file
- Select rootkit tab.
- Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
- Press scan.
- When it has finished press save & post back the log it makes.
Third, please download Rootkit Revealer
- Unzip it to your desktop.
- Open the rootkitrevealer folder and double-click rootkitrevealer.exe
- Click the Scan button (bottom right)
- It may take a while to scan (don't do anything while it's running)
- When it's done, go up to File > Save. Choose to save it to your desktop.
- Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
** NOTE: Before performing a scan, it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.
This will ensure you have a simpler and clearer log file to analyze.
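An added example, not part of this thread and not code from HijackThis or any tool named in it: a small Python script that applies the same triage the post above asks for to a HijackThis log. It flags any non-empty AppInit_DLLs value (O20, injected into every process that maps user32.dll, which is why AVG and Ad-Aware could not update), any ShellServiceObjectDelayLoad (O21, loaded by Explorer at shell start) or Browser Helper Object (O2, loaded by Internet Explorer) whose DLL is reported missing, and DLL names that look machine-generated. The sample log lines are copied from the HijackThis log posted above; the random-name heuristic and its threshold are my own assumption, so treat its hits as items to review, not verdicts.

```python
"""Triage a HijackThis v2 log for the autostart locations Vundo-style adware
abuses: O20 AppInit_DLLs, O21 ShellServiceObjectDelayLoad and O2 BHOs.

Added example for this thread; not code from HijackThis or from the helper.
"""
import re

# Sample input: lines copied from the HJT log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D454E29-431F-4A01-B79E-0B04A0F86691} - C:\WINDOWS\system32\nnnljjJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O20 - AppInit_DLLs: brrtlk.dll zzuemm.dll guazpd.dll wtvdwq.dll
O21 - SSODL: vpssup - {3037EBD8-1FEF-4A3E-A6A0-9C7556FEA4BF} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {6E5701CB-1695-4A9A-9149-9385E3EC5747} - C:\WINDOWS\expro.dll (file missing)
O21 - SSODL: E404Helper - {49424af8-531d-4aa5-a006-b5bee900ecad} - e404d.dll (file missing)
O21 - SSODL: AlrtAlrt - {2aa75662-a1d6-4528-b350-0b01493f7c1c} - C:\WINDOWS\Installer\{2aa75662-a1d6-4528-b350-0b01493f7c1c}\AlrtAlrt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

TRIAGED_SECTIONS = {"O2", "O20", "O21"}
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption, not an HJT rule) for generated DLL names such
    as brrtlk.dll: 6 to 8 letters, nothing else, and at most a third vowels.
    Short legitimate names (e.g. Shdocvw.dll) can trip it, so it only adds a
    reason for review; it never clears an entry."""
    stem = filename.rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    return vowels * 3 <= len(stem)


def dll_name(path: str) -> str:
    """Basename of a Windows path as HJT prints it (backslash separated)."""
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> list:
    """Return [(section, line, [reasons])] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or m.group(1) not in TRIAGED_SECTIONS:
            continue
        section, body = m.group(1), m.group(2)
        reasons = []
        if section == "O20":
            # On a home XP box AppInit_DLLs should be empty; anything listed is
            # loaded into every GUI process, including the AV and HJT itself.
            dlls = body.split(":", 1)[1].split()
            if dlls:
                reasons.append("AppInit_DLLs is non-empty (%d DLLs)" % len(dlls))
                reasons += ["random-looking name: " + d for d in dlls if looks_random(d)]
        else:
            # O2/O21 lines end with ' - <path>' and optionally ' (file missing)'.
            missing = "(file missing)" in body
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            name = dll_name(path)
            if missing:
                reasons.append("registered DLL is missing; the key re-arms if the file is dropped again")
            if looks_random(name):
                reasons.append("random-looking name: " + name)
            if section == "O2" and "(no name)" in body:
                reasons.append("BHO registered without a name")
        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_HJT_LOG):
        print(section, line)
        for reason in reasons:
            print("    -", reason)
```

Run as-is it triages the sample; for a real case, read the saved HijackThis log into triage(). On the sample its output covers the five entries the post above asks to be fixed (the O20 line and the four O21 lines) and also surfaces the unnamed O2 BHO whose DLL is missing, which is worth clearing in the same pass since IE will reload it if the file reappears.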
weegeordie
Sergeant

 Joined: Jun 21, 2004 Posts: 77 Location: Canada
Posted: Mon Sep 01, 2008 1:33 pm Post subject: |
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
5:22:29 PM 31/08/2008
mbam-log-08-31-2008 (17-22-29).txt
Scan type: Quick Scan
Objects scanned: 60712
Time elapsed: 15 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 55
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\geBuSMdb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hekhilmg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRIYoME.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\brrtlk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nvpjsg.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{425e60e3-ec58-4580-acf3-63c20c392812} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{425e60e3-ec58-4580-acf3-63c20c392812} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84c53226-c282-41fe-a4b4-8f05cc5ec24b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqriyome (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{84c53226-c282-41fe-a4b4-8f05cc5ec24b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\E