
computer just reboots after running Malwarebytes



Coming over from PC Help forum: http://www.malwarebytes.org/forums/index.php?showtopic=5205

Here are the Malwarebytes and HJT logs:

Malwarebytes' Anti-Malware 1.19

Database version: 938

Windows 5.1.2600 Service Pack 1

8:36:06 PM 7/16/2008

mbam-log-7-16-2008 (20-36-06).txt

Scan type: Quick Scan

Objects scanned: 42231

Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 5

Registry Data Items Infected: 18

Folders Infected: 8

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0069830 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c009DC24 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43 85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{42E7B7E0-2272-4695-B7F6-A8B6A143859A}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7AD1C86-AB85-46FD-8B61-01BF20F0EFB1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43 85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{42E7B7E0-2272-4695-B7F6-A8B6A143859A}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D7AD1C86-AB85-46FD-8B61-01BF20F0EFB1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43 85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{42E7B7E0-2272-4695-B7F6-A8B6A143859A}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{D7AD1C86-AB85-46FD-8B61-01BF20F0EFB1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43,85.255.112.135 -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

H:\Documents and Settings\Owner\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\BM6b36fd6c.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

H:\WINDOWS\BM6b36fd6c.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\TmpRecentIcons\Ultimate Cleaner.lnk (Rogue.Link) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\TmpRecentIcons\Ultimate Defender.lnk (Rogue.Link) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Desktop\WinIFixer.lnk (Rogue.WinIFixer) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:37:31 PM, on 7/16/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\System32\WgaTray.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\System32\RUNDLL32.EXE

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe

O24 - Desktop Component 0: (no name) - http://www.natureartists.com/art/resized/6...ush_snook-1.jpg

O24 - Desktop Component 1: (no name) - http://www.natureartists.com/art/resized/6...ngroveroots.jpg

O24 - Desktop Component 2: (no name) - http://myspace-271.vo.llnwd.net/00400/17/27/400557271_l.jpg

O24 - Desktop Component 3: Privacy Protection - file:///H:\WINDOWS\privacy_danger\index.htm

--

End of file - 3328 bytes

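The MBAM log above lists every removed item in one fixed shape: the path or registry key, the detection family in parentheses, then the action (and, for data items, the bad value that was written or the bad/good pair that was reset). As an added example that is not code from the thread or from Malwarebytes, the Python below parses that format and pulls out what a responder checks first in a log like this one: the DNS servers the Trojan.DNSChanger entries had written into the TCP/IP parameters, the settings MBAM reset rather than deleted, and the items sitting in logon-time autostart locations (Winlogon\Notify, Run). The sample log is a constructed excerpt of the posted log, and the regexes are assumptions inferred from the posted lines, not a published log specification.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and pull out the items worth
checking first. Added example, not Malwarebytes code; the regexes below are
assumptions inferred from the log lines posted in the thread."""
import re
from collections import Counter

# Constructed excerpt in the format of the first log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.19
Database version: 938
Windows 5.1.2600 Service Pack 1
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.43 85.255.112.135 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
H:\WINDOWS\BM6b36fd6c.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary lines near the top carry a count after the colon and are skipped.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# path-or-key (Family.Name) -> rest of line
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.*?) -> (?P<action>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Registry locations that run code at logon (the two seen in the posted log).
AUTOSTART_MARKERS = ("\\winlogon\\notify\\", "\\currentversion\\run\\")


def parse_mbam_log(text):
    """Return one dict per removed item: section, item, family, action, plus
    data (DNS-style entries) or bad/good (reset-setting entries)."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            continue  # still in the header (version, database, OS, counts)
        m = ITEM_RE.match(line)
        if not m:
            continue  # e.g. "(No malicious items detected)"
        rec = {"section": section, "item": m.group("item"), "family": m.group("family")}
        rest = m.group("rest")
        d = DATA_RE.match(rest)
        bg = BADGOOD_RE.match(rest)
        if d:
            rec.update(data=d.group("data"), action=d.group("action"))
        elif bg:
            rec.update(bad=bg.group("bad"), good=bg.group("good"), action=bg.group("action"))
        else:
            rec["action"] = rest
        records.append(rec)
    return records


def rogue_nameservers(records):
    """DNS servers the DNSChanger entries had written into the TCP/IP parameters."""
    ips = set()
    for rec in records:
        if rec["family"] == "Trojan.DNSChanger" and "data" in rec:
            ips.update(IPV4_RE.findall(rec["data"]))
    return sorted(ips)


def hijacked_settings(records):
    """(item, bad value, restored value) for entries MBAM reset rather than deleted."""
    return [(r["item"], r["bad"], r["good"]) for r in records if "bad" in r]


def autostart_entries(records):
    """Registry items that live under logon-time autostart locations."""
    return [r["item"] for r in records
            if any(mk in r["item"].lower() for mk in AUTOSTART_MARKERS)]


def family_counts(records):
    """How many items each detection family accounted for."""
    return Counter(r["family"] for r in records)


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(family_counts(recs)))
    print("rogue DNS servers:", rogue_nameservers(recs))
    print("autostart entries:", autostart_entries(recs))
    for item, bad, good in hijacked_settings(recs):
        print(f"reset {item}: {bad!r} -> {good!r}")
```

The nameserver list is the thing to act on after a DNSChanger removal: the log shows the same two addresses in CurrentControlSet and in both ControlSet001 and ControlSet002, so a check of the live interface settings (and of the router, which the log cannot see) belongs on the to-do list even after MBAM reports the keys deleted.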

OK, first get MBAM updated, your definitions and the version of the program are way outdated. Do another quick scan with it and post that log and a new HJT.

I know that my previous thread in the PC Help forum is long, but there is pertinent info there. One is that I don't have Internet on the computer in question. Is there an update file I can download and get it to the computer via flash disk? I thought I was using version 1.20. I will reinstall and post a new scan, but still don't have any way to update.


Here are my new logs. FYI, since my last log post I've installed and run Avira AV.

Malwarebytes' Anti-Malware 1.20

Database version: 930

Windows 5.1.2600 Service Pack 1

3:38:23 PM 7/16/2008

mbam-log-7-16-2008 (15-38-23).txt

Scan type: Quick Scan

Objects scanned: 42746

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:39:19 PM, on 7/16/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\System32\WgaTray.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\System32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal


http://malwarebytes.gt500.org/database.jsp I think that was posted in your thread. It's on the download page too. Let's do it all again please. Did you use LSPfix to try and get a connection?

http://wiki.lunarsoft.net/wiki/Dial-a-fix

Please download Dial A fix as well.

Reboot from the bartpe disc and locate this file:

pgjrawnu - H:\WINDOWS\

it may have the hidden and/or system file attribute set, so do a dir /a :)

move this file to some other place, such as c:\hold

Next, restart the computer, login as you now can, and proceed with the instructions below.

I'd like you to have it do a policy scan, and remove any keys it finds.

Please let me know if after doing this, you are able to regain some functionality of the control panel, and various areas you seem to be locked out of.


http://malwarebytes.gt500.org/database.jsp I think that was posted in your thread. It's on the download page too. Let's do it all again please. Did you use LSPfix to try and get a connection?

Jean, I want to thank you and your fellow warriors for helping me and everyone else who comes here looking for help. The advice is priceless.

I tried lspfix and it found nothing. I think that particular problem is my nic driver. I replaced the motherboard and processor on this machine and they are slightly different than the original. There are two items in Device Manager that are not recognized; PCI bridge device, and SM Bus controller. I believe the former is the network card since there are no network devices listed. I'm in the process of looking for the drivers.

I did use the mbam-rules earlier, but it must not have taken. Perhaps because I was trying to update ver. 1.9. Anyway it looks like it updated now. I noticed that I had some items unchecked in the "startup" in msconfig, so I enabled everything and rebooted prior to running these latest scans.

Twice during the mb scan, Avira popped up with a warning that malware was found in H:\Windows\System32\WinNt32.dll. I ok'd the default action to "deny access".

Here are the logs:

Malwarebytes' Anti-Malware 1.20

Database version: 938

Windows 5.1.2600 Service Pack 1

5:35:22 PM 7/16/2008

mbam-log-7-16-2008 (17-35-22).txt

Scan type: Quick Scan

Objects scanned: 42407

Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iSecurity applet (Rouge.ISecurity) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

H:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:37:39 PM, on 7/16/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\System32\WgaTray.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\System32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\Program Files\Messenger\msmsgs.exe

H:\WINDOWS\system32\NOTEPAD.EXE

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal

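Three HijackThis logs appear in this thread, and the helper's next instructions depend on seeing which entries survive from scan to scan: the O20 Winlogon Notify entry pgjrawnu that points at the bare H:\WINDOWS\ directory instead of a DLL, the O2 BHO and O21 SSODL entries whose files are missing, and the new O23 service with an unknown owner. The Python below is an added example, not HijackThis code or anything posted in the thread: it parses HJT entry lines, flags those patterns, and diffs two scans so that persistent suspects stand out from the benign changes (Avira's new O4 and O23 lines). The two inputs are constructed excerpts of the first and third posted logs, and the flagging rules are the editor's assumptions about what a helper reacts to, not an HJT feature.

```python
"""Parse HijackThis 2.0 entry lines, flag patterns worth a second look, and
diff two scans. Added example, not HijackThis code or anything from the
thread; the flagging rules are the editor's assumptions."""
import re

# Entries look like "O20 - Winlogon Notify: name - path"; R/F/O prefixes only.
HJT_LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Constructed excerpts of the first and third HJT logs posted in the thread.
FIRST_SCAN = r"""
O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)
O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\
O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 3: Privacy Protection - file:///H:\WINDOWS\privacy_danger\index.htm
"""

THIRD_SCAN = r"""
O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)
O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\
O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)
O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)
"""


def parse_hjt(text):
    """Return (code, body) tuples for each entry line; header lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entry(code, body):
    """Reasons an entry deserves a second look; an empty list means none."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    if code == "O20" and body.endswith("\\"):
        reasons.append("Winlogon Notify points at a directory, not a DLL")
    if code in ("O2", "O21") and "(no name)" in body:
        reasons.append("unnamed shell/browser extension")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    if code == "O24" and "file:///" in body:
        reasons.append("desktop component loads a local HTML page")
    return reasons


def flagged(entries):
    """Map each flagged entry line to its reasons."""
    out = {}
    for code, body in entries:
        reasons = flag_entry(code, body)
        if reasons:
            out[f"{code} - {body}"] = reasons
    return out


def diff_scans(old, new):
    """(added, removed) entry lines between an earlier and a later scan."""
    old_set = {f"{c} - {b}" for c, b in old}
    new_set = {f"{c} - {b}" for c, b in new}
    return sorted(new_set - old_set), sorted(old_set - new_set)


def persistent_suspects(old, new):
    """Flagged entries present in both scans: they survived the cleanup so far."""
    return sorted(set(flagged(old)) & set(flagged(new)))


if __name__ == "__main__":
    first, third = parse_hjt(FIRST_SCAN), parse_hjt(THIRD_SCAN)
    added, removed = diff_scans(first, third)
    print("added since first scan:", *added, sep="\n  ")
    print("gone since first scan:", *removed, sep="\n  ")
    print("still present and flagged:")
    for line in persistent_suspects(first, third):
        print("  ", line, "->", "; ".join(flagged(third)[line]))
```

Running it on these excerpts separates the two benign additions (the Avira O4 entry and, as far as the log can tell, nothing else vendor-signed) from the O23 service with an unknown owner and a missing binary, and lists the four entries that were flagged in the first scan and are still there in the third, which is exactly the set the helper goes after next.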

Jean, I want to thank you and your fellow warriors for helping me and everyone else who comes here looking for help. The advice is priceless.

I tried lspfix and it found nothing. I think that particular problem is my nic driver. I replaced the motherboard and processor on this machine and they are slightly different than the original. There are two items in Device Manager that are not recognized; PCI bridge device, and SM Bus controller. I believe the former is the network card since there are no network devices listed. I'm in the process of looking for the drivers.

The SM BUS controller is Intel, as is likely the pci bridge device... You said the new motherboard had an intel chipset? You might want to snag the intel chipset drivers. Then go in cmos, and double check to make sure ethernet is enabled. :)

Once the chipset drivers are loaded, the sm bus controller will disappear for you. If the nic card is a pci device card, installing the chipset drivers should allow the system to properly use its pci bus, and it should detect the nic card. You might even luck out and it install compatible drivers for you.

I accidentally posted this information to Jean, but I had intended it for yourself:

http://wiki.lunarsoft.net/wiki/Dial-a-fix

Please download Dial A fix as well.

Reboot from the bartpe disc and locate this file:

pgjrawnu - H:\WINDOWS\

it may have the hidden and/or system file attribute set, so do a dir /a :)

move this file to some other place, such as c:\hold

Next, restart the computer, login as you now can, and proceed with the instructions below.

I'd like you to have it do a policy scan, and remove any keys it finds.

Please let me know if after doing this, you are able to regain some functionality of the control panel, and various areas you seem to be locked out of.


The SM BUS controller is Intel, as is likely the pci bridge device... You said the new motherboard had an intel chipset? You might want to snag the intel chipset drivers. Then go in cmos, and double check to make sure ethernet is enabled. :)

Once the chipset drivers are loaded, the sm bus controller will disappear for you. If the nic card is a pci device card, installing the chipset drivers should allow the system to properly use its pci bus, and it should detect the nic card. You might even luck out and it install compatible drivers for you.

I accidentally posted this information to Jean, but I had intended it for yourself:

http://wiki.lunarsoft.net/wiki/Dial-a-fix

Please download Dial A fix as well.

Reboot from the bartpe disc and locate this file:

pgjrawnu - H:\WINDOWS\

it may have the hidden and/or system file attribute set, so do a dir /a :)

move this file to some other place, such as c:\hold

Next, restart the computer, login as you now can, and proceed with the instructions below.

I'd like you to have it do a policy scan, and remove any keys it finds.

Please let me know if after doing this, you are able to regain some functionality of the control panel, and various areas you seem to be locked out of.

I got the chipset drivers straightened out. It was Nvidia. Internet ok and able to update everything.

I couldn't find the pgjrawnu file either in the Windows directory or doing a dir /a :) from the command line.

Dial a fix found and fixed two reg entries, but I didn't keep a log file.

All my Control Panel applets are working. I think that ended up being a safe mode thing. Other than my background which I can't change (although I see the problem in HJT), I think I have only a virus issue left. Well maybe; I haven't tried Windows Updates yet.

Here are my latest Avira, MB's, and HJT logs:

Avira AntiVir Personal

Report file date: Thursday, July 17, 2008 14:07

Scanning for 1468484 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 1) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: OWNER-JO3GFNRDH

Version information:

BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00

AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56

AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37

LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23

LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34

ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 14:36:33

ANTIVIR2.VDF : 7.0.5.119 1264128 Bytes 7/15/2008 14:37:22

ANTIVIR3.VDF : 7.0.5.133 209408 Bytes 7/17/2008 14:37:30

Engineversion : 8.1.1.9

AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21

AESCRIPT.DLL : 8.1.0.54 303482 Bytes 7/17/2008 14:39:00

AESCN.DLL : 8.1.0.23 119156 Bytes 7/17/2008 14:38:56

AERDL.DLL : 8.1.0.20 418165 Bytes 7/17/2008 14:38:53

AEPACK.DLL : 8.1.2.1 364917 Bytes 7/17/2008 14:38:43

AEOFFICE.DLL : 8.1.0.20 192891 Bytes 7/17/2008 14:38:36

AEHEUR.DLL : 8.1.0.42 1339766 Bytes 7/17/2008 14:38:30

AEHELP.DLL : 8.1.0.15 115063 Bytes 7/17/2008 14:38:04

AEGEN.DLL : 8.1.0.29 307573 Bytes 7/17/2008 14:38:01

AEEMU.DLL : 8.1.0.6 430451 Bytes 7/17/2008 14:37:41

AECORE.DLL : 8.1.1.6 172405 Bytes 7/17/2008 14:37:36

AEBB.DLL : 8.1.0.1 53617 Bytes 7/17/2008 14:37:31

AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53

AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47

AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25

RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: h:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, H:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: on

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Thursday, July 17, 2008 14:07

Starting search for hidden objects.

'35629' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'soundman.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'WgaTray.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

23 processes with 23 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

[WARNING] The device is not ready.

Master boot sector HD2

[INFO] No virus was found!

[WARNING] The device is not ready.

Master boot sector HD3

[INFO] No virus was found!

[WARNING] The device is not ready.

Master boot sector HD4

[INFO] No virus was found!

[WARNING] The device is not ready.

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'H:\'

[INFO] No virus was found!

Starting to scan the registry.

H:\WINDOWS\system32\WinNt32.dll

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was moved to '48ed8ff1.qua'!

The registry was scanned ( '27' files ).

Starting the file scan:

Begin scan in 'C:\' <RECOVERY>

Begin scan in 'H:\'

H:\pagefile.sys

[WARNING] The file could not be opened!

H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe

[0] Archive type: RAR SFX (self extracting)

--> SmitfraudFix\404Fix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs

[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108

--> SmitfraudFix\IEDFix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs

[NOTE] The file was moved to '48e890dc.qua'!

H:\Documents and Settings\Administrator\Desktop\SmitfraudFix\404Fix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs

[NOTE] The file was moved to '48b3909f.qua'!

H:\Documents and Settings\Administrator\Desktop\SmitfraudFix\IEDFix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs

[NOTE] The file was moved to '48c390b5.qua'!

H:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.40598

[DETECTION] Is the Trojan horse TR/Dldr.Agent.NRU.13

[NOTE] The file was moved to '48c09166.qua'!

H:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.91901

[DETECTION] Is the Trojan horse TR/Emgr.AI

[NOTE] The file was moved to '48c09168.qua'!

H:\Documents and Settings\Owner\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

[DETECTION] Contains detection pattern of the Java script virus JS/Dldr.Agent.KO

[NOTE] The file was moved to '48b29149.qua'!

H:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe

[0] Archive type: RAR SFX (self extracting)

--> SmitfraudFix\404Fix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs

[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.108

--> SmitfraudFix\IEDFix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs

[NOTE] The file was moved to '48e8918a.qua'!

H:\Documents and Settings\Owner\Desktop\SmitfraudFix\404Fix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs

[NOTE] The file was moved to '48b39153.qua'!

H:\Documents and Settings\Owner\Desktop\SmitfraudFix\IEDFix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs

[NOTE] The file was moved to '48c39168.qua'!

H:\oldreg\systemprofile\cftmon.exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.vzw

[NOTE] The file was moved to '48f391bb.qua'!

H:\oldreg\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K9AZO1E3\1[1].exe

[DETECTION] Is the Trojan horse TR/Dldr.Small.vzw

[NOTE] The file was moved to '48b091b2.qua'!

H:\oldreg\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ODERS5U7\update[1].upd

[DETECTION] Is the Trojan horse TR/Agent.49152.117

[NOTE] The file was moved to '48e391c8.qua'!

H:\WINDOWS\system32\404Fix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.41 Backdoor server programs

[NOTE] The file was moved to '48b392a0.qua'!

H:\WINDOWS\system32\IEDFix.exe

[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/IRC.Chazz.42 Backdoor server programs

[NOTE] The file was moved to '48c392c9.qua'!

H:\WINDOWS\system32\config\systemprofile\cftmon.exeold

[DETECTION] Is the Trojan horse TR/Dldr.Small.vzw

[NOTE] The file was moved to '48f39320.qua'!

H:\WINDOWS\system32\drivers\Owe75.sys

[WARNING] The file could not be opened!

End of the scan: Thursday, July 17, 2008 14:44

Used time: 36:18 min

The scan has been done completely.

3291 Scanning directories

138755 Files were scanned

20 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

16 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

138735 Files not concerned

1308 Archives were scanned

6 Warnings

16 Notes

35629 Objects were scanned with rootkit scan

0 Hidden objects were found

I tried File Assassin on the Owe75.sys file, but it could not delete it.

============

Malwarebytes' Anti-Malware 1.20

Database version: 962

Windows 5.1.2600 Service Pack 1

3:21:01 PM 7/17/2008

mbam-log-7-17-2008 (15-21-01).txt

Scan type: Quick Scan

Objects scanned: 42861

Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:22:09 PM, on 7/17/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\System32\WgaTray.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\System32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\Program Files\Messenger\msmsgs.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\WINDOWS\System32\wuauclt.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal


You have SP1; it shows plainly in the HJT log. The current SP is 3. Delete the quarantine in Avira and the SmitFraudfix on the desktop. Empty the recycle bin and temp folders. Run another Avira scan after update.

Close all programs and run a scan only in HJT. Put a check next to the following lines, then click fix.

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O24 - Desktop Component 3: Privacy Protection - file:///H:\WINDOWS\privacy_danger\index.htm

Exit HJT and reboot normally.

Update MBAM, run a quick scan and post that log and a new HJT log please.


You are right. I was on SP1 at the time. After rebooting after the error it showed SP2, which is where I'm at now. Here are the logs MB, HJT, Avira:

Malwarebytes' Anti-Malware 1.22

Database version: 972

Windows 5.1.2600 Service Pack 2

11:54:01 PM 7/20/2008

mbam-log-7-20-2008 (23-54-01).txt

Scan type: Quick Scan

Objects scanned: 42028

Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 3

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

H:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: h:\windows\system32\ntos.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (H:\WINDOWS\system32\userinit.exe,H:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

H:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

H:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

H:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.

H:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.

H:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\WinNt32.dll (Rootkit.Agent) -> Delete on reboot.

H:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.

==========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:57:45 PM, on 7/20/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\csrss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\alg.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\Program Files\Internet Explorer\IEXPLORE.EXE

H:\WINDOWS\System32\svchost.exe

H:\Program Files\Internet Explorer\IEXPLORE.EXE

H:\WINDOWS\System32\svchost.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=H:\WINDOWS\system32\userinit.exe,H:\WINDOWS\system32\ntos.exe,

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "H:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal

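
As an added example for this thread (it is not Malwarebytes', Trend Micro's or any poster's code), here is a small Python triage pass over HJT-style lines of the kind quoted above. It flags the patterns the helper singled out for fixing: BHO, Winlogon Notify and service entries whose file is missing, a Winlogon Notify handler that points at a bare directory, an unknown-owner service living in a dot-prefixed folder under system32, and, from the log just posted, a Userinit chain that loads anything besides userinit.exe (here ntos.exe). The rules are my assumption of what a helper reads in these lines, not HJT's own logic, and the sample lines are constructed from the thread's logs.

```python
"""Triage of HijackThis-style log lines for persistence entries worth a look.

Added example for this thread; it is not Malwarebytes', Trend Micro's or any
poster's code. The rules below are an assumption of what a helper looks for in
the O2/O20/O23/F2 lines quoted in the thread, not HJT's own logic.
"""
import re

FILE_MISSING = "(file missing)"

# Constructed sample: lines of the kind that appear in the thread's HJT logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
F2 - REG:system.ini: UserInit=H:\WINDOWS\system32\userinit.exe,H:\WINDOWS\system32\ntos.exe,
O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)
O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\
O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)
O23 - Service: Avira AntiVir Personal
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def userinit_extras(value):
    """Return every program in a UserInit chain other than userinit.exe itself.

    Windows runs each comma-separated entry at logon; the thread's log shows
    ntos.exe appended after the legitimate userinit.exe.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage_line(line):
    """Return a reason if this HJT line deserves attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()

    if kind == "F2" and "UserInit=" in rest:
        extras = userinit_extras(rest.split("UserInit=", 1)[1])
        return ("Userinit chain loads extra program(s): " + ", ".join(extras)) if extras else None

    if kind == "O20" and rest.startswith("Winlogon Notify:"):
        # Layout is "Winlogon Notify: <name> - <dll path>"
        target = rest.split(" - ", 1)[1] if " - " in rest else ""
        if FILE_MISSING in target:
            return "Winlogon Notify DLL is missing on disk (orphaned registration)"
        if target.endswith("\\"):
            return "Winlogon Notify target is a directory, not a DLL"
        return None

    if kind == "O23" and "Unknown owner" in rest:
        # A dot-prefixed folder under system32 or a missing binary is what the
        # leftover rogue service in the thread's logs looks like.
        if FILE_MISSING in rest or "\\." in rest:
            return "Unknown-owner service with missing or hidden-path binary"
        return None

    if kind in ("O2", "O21") and FILE_MISSING in rest:
        return f"{kind} entry points at a file that no longer exists"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line in an HJT log."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it on the sample flags five of the seven lines and leaves the Avira entries alone; a "(file missing)" hit is a leftover registration rather than live code, which is why such entries can be fixed in HJT without a reboot-time delete, while the Userinit and hidden-folder hits are the ones that indicate something was actually loading.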

Hi guys,

Swetbak, I'm starting to wonder if you might have a rootkit lingering. I apologize for the smile.gif part; I didn't intend for you to type that. :)

That is too funny!

Any possibility you could send a copy of the owe75.sys to uploads.malwarebytes.org?

That will give us a chance to examine it.

I tried to upload owe75.sys as well as ltb87.sys and both said they were 0 bytes. It wouldn't let me copy it either, but in safe mode I was able to delete them both with File Assassin.

I rebooted and reran MB and HJT, here are the logs:

Malwarebytes' Anti-Malware 1.22

Database version: 972

Windows 5.1.2600 Service Pack 2

12:19:20 AM 7/21/2008

mbam-log-7-21-2008 (00-19-20).txt

Scan type: Quick Scan

Objects scanned: 41643

Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

======

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:26:32 AM, on 7/21/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\SOUNDMAN.EXE

H:\WINDOWS\system32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\WINDOWS\System32\svchost.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal


You are not updated. The current SP is 3, not 2.

My last post was supposed to imply that I was able to do the rest of the Windows updates over the weekend, after my last log post. Sorry for the confusion.

I am on SP3.

Everything was scanning clean so I thought I was clear, but then I logged onto the "other" non-admin profile and MB found some things. Avira scanned clean however.

Here are my MB and HJT logs:

Malwarebytes' Anti-Malware 1.22

Database version: 972

Windows 5.1.2600 Service Pack 3

11:35:23 AM 7/21/2008

mbam-log-7-21-2008 (11-35-23).txt

Scan type: Quick Scan

Objects scanned: 33876

Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 8

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

H:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Delete on reboot.

=========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:24:38 PM, on 7/21/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\system32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\WINDOWS\SOUNDMAN.EXE

H:\Program Files\Messenger\msmsgs.exe

H:\Program Files\MySpace\IM\MySpaceIM.exe

H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

H:\Program Files\MySpace\IM\MySpaceIM.exe

h:\program files\avira\antivir personaledition classic\avcenter.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MySpaceIM] H:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal


LOL well I'm sorry if I sounded crabby. I see too many of these logs and people don't realize they will tell me exactly what is on the system. How many accounts are on the PC? I'm going to split this topic if there is more than just two. We will have to clean each one.

h:\program files\avira\antivir personaledition classic\avcenter.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Why are the drive letters different?

Run HJT again with all programs closed, put a check next to these items and click fix.

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

Close the program, reboot to normal, update MBAM, run a quick scan, and post that log and a new HJT please.


I tried to upload owe75.sys as well as ltb87.sys and both said they were 0 bytes. It wouldn't let me copy it either, but in safe mode I was able to delete them both with File Assassin.

How unfortunate. Glad you were able to delete them, but it's a surely missed chance for us to examine those suspect files in closer detail.

Jean wants you to do a bit of tidying up with your other accounts, so I'll back out now. :)


1. How many accounts are on the PC?

h:\program files\avira\antivir personaledition classic\avcenter.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

2. Why are the drive letters different?

3. Run HJT again with all programs closed, put a check next to these items and click fix.

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

1. There were two, but I deleted the second. It was a limited non-admin account with a few pics and songs that I saved.

2. I don't have any idea.

3. I've tried to fix those two things many times. No luck again this time either.

FYI - the beep.sys (Fake.Beep.Sys) that MB found kept showing up with each scan, even after the reboot. I just did a regular delete with no problem and it was gone.

Also installed Spybot and cleaned out some things (yesterday, but after my last log post).

Here are the logs (MB, Spybot (initial scan), and HJT):

Malwarebytes' Anti-Malware 1.22

Database version: 980

Windows 5.1.2600 Service Pack 3

5:30:21 PM 7/22/2008

mbam-log-7-22-2008 (17-30-21).txt

Scan type: Quick Scan

Objects scanned: 39991

Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==========================

21.07.2008 17:47:56 - ##### check started #####

21.07.2008 17:47:56 - ### Version: 1.6.0

21.07.2008 17:47:56 - ### Date: 7/21/2008 5:47:56 PM

21.07.2008 17:47:56 - ##### checking bots #####

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:03 - found: Zango.ShoppingReport Settings

21.07.2008 17:48:57 - found: Win32.Agent.pz Settings

21.07.2008 17:48:57 - found: Win32.Agent.pz Settings

21.07.2008 17:48:57 - found: Win32.Agent.pz Settings

21.07.2008 17:49:13 - found: FunWebProducts User settings

21.07.2008 17:49:13 - found: FunWebProducts User settings

21.07.2008 17:49:13 - found: FunWebProducts Configuration file

21.07.2008 17:49:23 - found: MyWay.MyWebSearch Settings

21.07.2008 17:49:23 - found: MyWay.MyWebSearch Settings

21.07.2008 17:49:24 - found: Zango IE toolbar

21.07.2008 17:49:24 - found: Zango IE toolbar

21.07.2008 17:49:24 - found: Zango Interface

21.07.2008 17:49:24 - found: Zango Interface

21.07.2008 17:49:24 - found: Zango Interface

21.07.2008 17:49:24 - found: Microsoft.Windows.ActiveDesktop User settings

21.07.2008 17:49:29 - found: Microsoft.WindowsSecurityCenter.FirewallOverride Settings

21.07.2008 17:49:57 - found: Nurech Settings

21.07.2008 17:50:05 - found: Virtumonde.generic User settings

21.07.2008 17:50:06 - found: Virtumonde.generic User settings

21.07.2008 17:50:06 - found: Virtumonde.generic User settings

21.07.2008 17:51:34 - found: Virtumonde.prx Configuration file

21.07.2008 17:52:01 - found: DoubleClick Tracking cookie (Internet Explorer: Owner)

21.07.2008 17:52:01 - found: Right Media Tracking cookie (Internet Explorer: Owner)

21.07.2008 17:52:02 - ##### check finished #####

==========================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:36:49 PM, on 7/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\system32\RUNDLL32.EXE

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

H:\WINDOWS\SOUNDMAN.EXE

H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

H:\WINDOWS\System32\nvsvc32.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Avira AntiVir Personal


O4 - HKCU\..\Run: [spybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe <======= turn off Tea Timer

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing) <===== delete with HJT

Suddenly your drive letter is back to normal. I don't know what you're doing, but it's not winning points. You're either doctoring the log or you have swapped machines. Either way it's all gonna come to a screeching halt real soon.


Hold on Jean and take a breather. This is the second time you've jumped to an incorrect assumption in this thread. I'm not doing anything to mess with the logs. Any differences you notice are an HJT issue, not me, and the only machine swapping I've done is the motherboard/processor change at the very beginning of my postings here, in the PC Help forum. The only thing I can think of is that I ran JV Regcleaner 4.3 a couple of days ago. Maybe it changed/fixed something between my log postings.

I've turned off Tea Timer.

HJT isn't able to delete either of these entries. It's not telling me it can't; they just keep showing up in the scan:

O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

There is a system32\.423b2bdf folder (hidden) with 5 .config files inside.

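The O23 entries above are a good illustration of why HijackThis "fixing" them does nothing: an O23 line is just a service key under HKLM\SYSTEM\CurrentControlSet\Services, and a key whose ImagePath points at a binary that no longer exists is reported as "(file missing)" on every scan until the key itself is deleted. The script below is an added example written for this page, not code from the thread or from HijackThis. It parses O23 lines in the format shown in these logs, flags the traits a practitioner would look at (missing binary, no recorded owner, a dot-prefixed hidden-style directory under system32, a random-looking hex name shared by the service key and the binary), and prints the `sc delete <name>` command that removes an orphaned service key. The two O23 lines are taken from the log above; the AntiVirScheduler line is constructed to stand in for the truncated Avira entry, and the hex-name heuristic is an assumption of this example, not a rule from the page.

```python
"""Triage HijackThis O23 (service) log lines.

Added example for this page; not part of the forum thread or of HijackThis.
"""
import ntpath
import re
from dataclasses import dataclass

# O23 - Service: <display> (<key name>) - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample input: first two lines copied from the log above,
# the third is a made-up complete Avira line (the real one is truncated in the post).
SAMPLE_LINES = [
    r"O23 - Service: Microsoft DDE+ server (423b2bdf) - Unknown owner - H:\WINDOWS\system32\.423b2bdf\423b2bdf.exe (file missing)",
    r"O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)",
    r"O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe",
]


@dataclass
class Service:
    display: str      # display name HJT shows
    name: str         # registry key name under CurrentControlSet\Services
    owner: str        # publisher HJT recorded, or "Unknown owner"
    path: str         # ImagePath as logged
    file_missing: bool


def parse_o23(line: str):
    """Return a Service for a well-formed O23 line, None otherwise (e.g. truncated lines)."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["name"], m["owner"], m["path"], m["missing"] is not None)


def suspicious_reasons(svc: Service):
    """Heuristics a reviewer applies to an O23 entry; each hit is a human-readable reason."""
    reasons = []
    if svc.file_missing:
        reasons.append("binary missing on disk (orphaned service key)")
    if svc.owner.lower() == "unknown owner":
        reasons.append("no publisher recorded for the service")
    parts = svc.path.replace("/", "\\").split("\\")
    # A directory whose name starts with "." is unusual on Windows and is the
    # hidden-style folder pattern seen in this thread.
    if any(p.startswith(".") for p in parts[:-1]):
        reasons.append("dot-prefixed directory in image path")
    # Assumption of this example: an 8-hex-digit name used for both the key and
    # the binary looks generated rather than product-named.
    stem = ntpath.splitext(parts[-1])[0]
    if re.fullmatch(r"[0-9a-f]{8}", stem) and stem == svc.name:
        reasons.append("random hex name shared by service key and binary")
    return reasons


def triage(lines):
    """Parse every O23 line and pair it with its reasons; skips non-matching lines."""
    results = []
    for line in lines:
        svc = parse_o23(line)
        if svc is not None:
            results.append((svc, suspicious_reasons(svc)))
    return results


def removal_commands(results):
    """sc.exe commands that delete orphaned service keys (the O23 entry disappears after reboot).
    Check the leftover folder first; a key that reappears after deletion means something is recreating it."""
    return [f"sc delete {svc.name}" for svc, _ in results if svc.file_missing]


if __name__ == "__main__":
    triaged = triage(SAMPLE_LINES)
    for svc, reasons in triaged:
        print(f"{svc.name:18} {svc.path}")
        for r in reasons:
            print(f"    - {r}")
    print("\n".join(removal_commands(triaged)))
```

Run against the sample, the 423b2bdf entry collects all four reasons, KodakCCS only the two that any stale uninstall leaves behind, and the Avira entry none; the commands printed are `sc delete 423b2bdf` and `sc delete KodakCCS`, which is the registry-level equivalent of the O23 fix HJT was asked to perform. Run `sc delete` from an administrator command prompt, then reboot and rescan.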

You should just reformat. You have been rooted, it's not going away and there is no guarantee it ever will. HJT doesn't change drive letters. If Raid wants to keep at it, that's up to him; I'm done.

Thanks for your effort Jean. I'll watch this thread for a couple days to see if Raid has anything.


This topic is now closed to further replies.