JeanInMontana Posted September 26, 2008 ID:29156 Share Posted September 26, 2008 Are you rebooting when MBAM says to? I need to see the HJT log after the reboot for removal with MBAM. Link to post Share on other sites More sharing options...
srpad Posted September 27, 2008 Author ID:29173 Share Posted September 27, 2008 Are you rebooting when MBAM says to? I need to see the HJT log after the reboot for removal with MBAM.I can understand why you would think that because those entries just won't delete but I have been. Just to be on the safe side though, this evening I updated MBAM and reran the scan . Here is the newest MBAM log: Malwarebytes' Anti-Malware 1.28Database version: 1211Windows 5.1.2600 Service Pack 39/26/2008 8:09:33 PMmbam-log-2008-09-26 (20-09-33).txtScan type: Quick ScanObjects scanned: 56817Time elapsed: 9 minute(s), 28 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 6Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\lowbypdr (Trojan.BHO) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\SYSTEM32\cvzebzy.dll (Trojan.Vundo.H) -> Delete on reboot.C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.And the HijackThis log (the HT log is after the reboot):Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:13:44 PM, on 9/26/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\Lexmark 7100 Series\lxbxmon.exeC:\Program Files\Lexmark 7100 Series\ezprint.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\lxbxcoms.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\WINDOWS\system32\CTHELPER.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Palm\HOTSYNC.EXEC:\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /sO4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /RO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXEO23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe--End of file - 8984 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted September 27, 2008 ID:29241 Share Posted September 27, 2008 I'm asking nosirrah what he wants next. Please be patient the site is having severe performance issues and is barley functioning. Link to post Share on other sites More sharing options...
srpad Posted September 28, 2008 Author ID:29277 Share Posted September 28, 2008 I'm asking nosirrah what he wants next. Please be patient the site is having severe performance issues and is barley functioning.No problem. Take all the time you need. Thank you very much for helping me. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29369 Share Posted October 1, 2008 Hello srpad,I will be taking over for Jean. She has some other commitments she has to take care of for now.Well since it's been a few days and updates to the program are made a few times a day, please run MB and go to the UPDATE tab and update the program. Then run a Quick Scan and allow it to clean anything it finds and reboot the computer.Then run a new HJT scan and post back both the MB and HJT logs. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 1, 2008 Root Admin ID:29415 Share Posted October 1, 2008 Please post a status update so that we can continue and finish this up.Thanks Link to post Share on other sites More sharing options...
srpad Posted October 1, 2008 Author ID:29447 Share Posted October 1, 2008 Hello srpad,I will be taking over for Jean. She has some other commitments she has to take care of for now.Well since it's been a few days and updates to the program are made a few times a day, please run MB and go to the UPDATE tab and update the program. Then run a Quick Scan and allow it to clean anything it finds and reboot the computer.Then run a new HJT scan and post back both the MB and HJT logs.Thank you, I will do so this evening when I am back at the PC. Thanks for your help. Link to post Share on other sites More sharing options...
srpad Posted October 1, 2008 Author ID:29482 Share Posted October 1, 2008 Hello srpad,I will be taking over for Jean. She has some other commitments she has to take care of for now.Well since it's been a few days and updates to the program are made a few times a day, please run MB and go to the UPDATE tab and update the program. Then run a Quick Scan and allow it to clean anything it finds and reboot the computer.Then run a new HJT scan and post back both the MB and HJT logs.Here you are:Malwarebytes' Anti-Malware 1.28Database version: 1225Windows 5.1.2600 Service Pack 310/1/2008 6:39:00 PMmbam-log-2008-10-01 (18-39-00).txtScan type: Quick ScanObjects scanned: 57807Time elapsed: 9 minute(s), 55 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 6Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\lowbypdr (Trojan.BHO) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\SYSTEM32\cvzebzy.dll (Trojan.Vundo.H) -> Delete on reboot.C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.HijackThis Log (after reboot):Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:43:11 PM, on 10/1/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\Lexmark 7100 Series\lxbxmon.exeC:\Program Files\Lexmark 7100 Series\ezprint.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\WINDOWS\system32\lxbxcoms.exeC:\WINDOWS\system32\CTHELPER.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\Palm\HOTSYNC.EXEC:\WINDOWS\system32\wuauclt.exeC:\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /sO4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /RO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXEO23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe--End of file - 8984 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 2, 2008 Root Admin ID:29505 Share Posted October 2, 2008 Please rename C:\HiJackThis.exe to C:\sprad.exeThen start C:\sprad.exe {the renamed HiJackThis program}Do a scan only and place a check mark on the following itemsR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://bfc.myway.com/search/de_srchlft.htmlO2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllThen click on Fix selectedPlease download Avenger 2.0 from hereOpen or extract the program file avenger.exe then double click to start it.Copy the following text from the code box below into the main window of Avenger.Files to delete:C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dllc:\windows\system32\cvzebzy.dllPlace a check mark on the "Scan for rootkits"Close all other running applicationsPaste the text into the main window and then click on ExecuteOnce Avenger is done and you've rebooted please update your Java RuntimeYou are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 7 and click on Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.Go to Start => Control Panel => Add or Remove ProgramsUninstall all all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc...Browse to C:\Program Files\Java and remove the JAVA folder.Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.Reboot your computer, even if not asked toDownload CCleaner from here to clean temp files from your computer.Double click on the ccsetup.exe file to start the installation of the program.Select your language and click OK, then next.Read the license agreement and click I Agree.Click next to use the default install location.Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.Click Install then finish to complete installation.Double click the CCleaner shortcut on the desktop to start the program.On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.Click on the "Options" icon at the left side of the window, then click on "Advanced."deselect "Only delete files in Windows Temp folders older than 48 hours."Caution: It is not recommended that you use the "Registry" feature unless you are very familiar with the registry as it has been known to find legitimate items. Click on Registry and make sure Registry Integrity is UNchecked!Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.After CCleaner has completed its process, click Exit.Then run MB and go to the UPDATE tab and update the program again and do a Quick Scan. Let it fix anything it finds.Reboot if requested. Then start C:\sprad.exe {the renamed HiJackThis program} and do a Scan only and post back all logs.Avenger log, MB log, and HJT log. Link to post Share on other sites More sharing options...
srpad Posted October 2, 2008 Author ID:29523 Share Posted October 2, 2008 Steps removed...Then run MB and go to the UPDATE tab and update the program again and do a Quick Scan. Let it fix anything it finds.Reboot if requested. Then start C:\sprad.exe {the renamed HiJackThis program} and do a Scan only and post back all logs.Avenger log, MB log, and HJT log.Thank you. It will probably be Friday when I can do these steps but I will do them as soon as I can and post the logs. Thanks again. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 2, 2008 Root Admin ID:29566 Share Posted October 2, 2008 Okay I'll take a look tomorrow and see if we can finish up because I'm not sure how much time I"ll have on the weekend. Time to paint some rooms in the house for the Wife. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 3, 2008 Root Admin ID:29639 Share Posted October 3, 2008 Are you going to be able to do this today? Link to post Share on other sites More sharing options...
srpad Posted October 3, 2008 Author ID:29647 Share Posted October 3, 2008 Are you going to be able to do this today?Yes this evening. I apologize, I won't be home to access the PC until then. As soon as I am I will follow your intructions and post. Thank you very much for doing this. Link to post Share on other sites More sharing options...
srpad Posted October 4, 2008 Author ID:29672 Share Posted October 4, 2008 Okay I'll take a look tomorrow and see if we can finish up because I'm not sure how much time I"ll have on the weekend. Time to paint some rooms in the house for the Wife.I apologize for the lateness of this. For some reason, even though I deselected it, CCcleaner removed all my cookies which removed my login status from your site. Then I was unable to log back into the site (I got a web page error after the login page) or create a second user id. My login only just now worked. Here is the Avenger log:Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows XP*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Error: could not open file "C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll"Deletion of file "C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll" failed!Status: 0xc0000022 (STATUS_ACCESS_DENIED)Error: could not open file "c:\windows\system32\cvzebzy.dll"Deletion of file "c:\windows\system32\cvzebzy.dll" failed!Status: 0xc0000022 (STATUS_ACCESS_DENIED)Completed script processing.*******************Finished! Terminate.Mbam Log:Malwarebytes' Anti-Malware 1.28Database version: 1226Windows 5.1.2600 Service Pack 310/3/2008 8:33:06 PMmbam-log-2008-10-03 (20-33-06).txtScan type: Quick ScanObjects scanned: 47574Time elapsed: 4 minute(s), 17 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 6Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\lowbypdr (Trojan.BHO) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\SYSTEM32\cvzebzy.dll (Trojan.Vundo.H) -> Delete on reboot.C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.Hijackthis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:37:26 PM, on 10/3/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\Lexmark 7100 Series\lxbxmon.exeC:\Program Files\Lexmark 7100 Series\ezprint.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\WINDOWS\system32\CTHELPER.EXEC:\WINDOWS\system32\lxbxcoms.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\Palm\HOTSYNC.EXEC:\srpad.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /sO4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /RO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXEO23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe--End of file - 8824 bytesThanks for your help! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 4, 2008 Root Admin ID:29674 Share Posted October 4, 2008 Thanks. Well I see them in the logs and I see that MB and Avenger both tried to remove it and both had issues either finding or removing it.Please wait and I'll bring this up with the Developers and see what they want to do. We will probably try to have you upload some of the DLL files so that we can review them in more detail.Stay tuned.... Link to post Share on other sites More sharing options...
srpad Posted October 4, 2008 Author ID:29737 Share Posted October 4, 2008 Thanks. Well I see them in the logs and I see that MB and Avenger both tried to remove it and both had issues either finding or removing it.Please wait and I'll bring this up with the Developers and see what they want to do. We will probably try to have you upload some of the DLL files so that we can review them in more detail.Stay tuned....Thanks. I really appreciate this. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 4, 2008 Root Admin ID:29775 Share Posted October 4, 2008 Hi Sprad,Many updates have been made to the definitions. Please run MB go to the UPDATE tab and update the program. Run a Quick Scan and fix anything found, reboot.Then run a new HJT scan and post back both logs please.Thanks Link to post Share on other sites More sharing options...
srpad Posted October 5, 2008 Author ID:29864 Share Posted October 5, 2008 Hi Sprad,Many updates have been made to the definitions. Please run MB go to the UPDATE tab and update the program. Run a Quick Scan and fix anything found, reboot.Then run a new HJT scan and post back both logs please.ThanksHere you go:MBAM:Malwarebytes' Anti-Malware 1.28Database version: 1230Windows 5.1.2600 Service Pack 310/5/2008 6:40:02 PMmbam-log-2008-10-05 (18-40-02).txtScan type: Quick ScanObjects scanned: 54673Time elapsed: 7 minute(s), 40 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 6Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.HKEY_CLASSES_ROOT\lowbypdr (Trojan.BHO) -> Delete on reboot.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\SYSTEM32\cvzebzy.dll (Trojan.Vundo.H) -> Delete on reboot.C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.HijackThis (app is still renamed. Scan taken after reboot):Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:45:45 PM, on 10/5/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\Lexmark 7100 Series\lxbxmon.exeC:\Program Files\Lexmark 7100 Series\ezprint.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\lxbxcoms.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\WINDOWS\system32\CTHELPER.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Palm\HOTSYNC.EXEC:\srpad.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywayR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLLO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeO4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /sO4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /RO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXEO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXEO23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe--End of file - 8824 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 6, 2008 Root Admin ID:29974 Share Posted October 6, 2008 Please upload this file c:\WINDOWS\SYSTEM32\cvzebzy.dll to: uploads.malwarebytes.orgThe HJT log looks like it was ran before rebooting. It needs to be ran after rebooting please.You need to update your Acrobat Reader to a newer version (currently version 9)O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exePlease make sure ZoneAlarm spyblocker, or Spybot Search & Destory or some other registry monitoring application is not blocking HJT from removing entriesDisable all programs that may be stopping HJT then scan and place a check mark on these items and remove them again.O2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllWe'll analyze the file you upload and see what we can find about it.In the meantime please click on START - RUN and type in MSCONFIG and click OK.Click on the BOOT.INI tab and place a checkmark on /BOOTLOG and then click OK and restart your computer.After it restarts locate the file: C:\WINDOWS\NTBTLOG.TXT and open it with NOTEPAD and post it back here please.You can then re-enable NORMAL STARTUP MODE with MSCONFIG so that it does not run this log every time the computer runs.. Link to post Share on other sites More sharing options...
srpad Posted October 7, 2008 Author ID:30085 Share Posted October 7, 2008 Please upload this file c:\WINDOWS\SYSTEM32\cvzebzy.dll to: uploads.malwarebytes.orgThe HJT log looks like it was ran before rebooting. It needs to be ran after rebooting please.You need to update your Acrobat Reader to a newer version (currently version 9)O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exePlease make sure ZoneAlarm spyblocker, or Spybot Search & Destory or some other registry monitoring application is not blocking HJT from removing entriesDisable all programs that may be stopping HJT then scan and place a check mark on these items and remove them again.O2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)O2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dllO20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\cvzebzy.dllWe'll analyze the file you upload and see what we can find about it.In the meantime please click on START - RUN and type in MSCONFIG and click OK.Click on the BOOT.INI tab and place a checkmark on /BOOTLOG and then click OK and restart your computer.After it restarts locate the file: C:\WINDOWS\NTBTLOG.TXT and open it with NOTEPAD and post it back here please.You can then re-enable NORMAL STARTUP MODE with MSCONFIG so that it does not run this log every time the computer runs..Helllo,The file is uploaded and I updated Adobe.I know it looks like I am not rebooting because those entries don't go away but I promise I am :-)ntbtlog.txt: Service Pack 310 7 2008 19:14:15.375Loaded driver \WINDOWS\system32\ntkrnlpa.exeLoaded driver \WINDOWS\system32\hal.dllLoaded driver \WINDOWS\system32\KDCOM.DLLLoaded driver \WINDOWS\system32\BOOTVID.dllLoaded driver ACPI.sysLoaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYSLoaded driver pci.sysLoaded driver isapnp.sysLoaded driver lffycjtc.sysLoaded driver pciide.sysLoaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYSLoaded driver aliide.sysLoaded driver cmdide.sysLoaded driver toside.sysLoaded driver viaide.sysLoaded driver intelide.sysLoaded driver MountMgr.sysLoaded driver ftdisk.sysLoaded driver dmload.sysLoaded driver dmio.sysLoaded driver PartMgr.sysLoaded driver VolSnap.sysLoaded driver cpqarray.sysLoaded driver \WINDOWS\system32\DRIVERS\SCSIPORT.SYSLoaded driver iaStor.sysLoaded driver atapi.sysLoaded driver aha154x.sysLoaded driver sparrow.sysLoaded driver symc810.sysLoaded driver aic78xx.sysLoaded driver dac960nt.sysLoaded driver ql10wnt.sysLoaded driver amsint.sysLoaded driver asc.sysLoaded driver asc3550.sysLoaded driver mraid35x.sysLoaded driver i2omp.sysLoaded driver ini910u.sysLoaded driver ql1240.sysLoaded driver aic78u2.sysLoaded driver symc8xx.sysLoaded driver sym_hi.sysLoaded driver sym_u3.sysLoaded driver ABP480N5.SYSLoaded driver asc3350p.sysLoaded driver cd20xrnt.sysLoaded driver ultra.sysLoaded driver adpu160m.sysLoaded driver dpti2o.sysLoaded driver ql1080.sysLoaded driver ql1280.sysLoaded driver ql12160.sysLoaded driver perc2.sysLoaded driver perc2hib.sysLoaded driver hpn.sysLoaded driver cbidf2k.sysLoaded driver dac2w2k.sysLoaded driver disk.sysLoaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYSLoaded driver fltmgr.sysLoaded driver sr.sysLoaded driver PxHelp20.sysLoaded driver KSecDD.sysLoaded driver WudfPf.sysLoaded driver Ntfs.sysLoaded driver NDIS.sysLoaded driver viaagp.sysLoaded driver srescan.sysLoaded driver sisagp.sysLoaded driver ohci1394.sysLoaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYSLoaded driver Mup.sysLoaded driver agp440.sysLoaded driver alim1541.sysLoaded driver amdagp.sysLoaded driver agpCPQ.sysLoaded driver \SystemRoot\system32\DRIVERS\nic1394.sysLoaded driver \SystemRoot\system32\DRIVERS\intelppm.sysLoaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sysLoaded driver \SystemRoot\system32\DRIVERS\b57xp32.sysLoaded driver \SystemRoot\system32\DRIVERS\usbuhci.sysLoaded driver \SystemRoot\system32\DRIVERS\usbehci.sysLoaded driver \SystemRoot\system32\drivers\ctoss2k.sysLoaded driver \SystemRoot\System32\drivers\ctprxy2k.sysLoaded driver \SystemRoot\system32\drivers\ctaud2k.sysLoaded driver \SystemRoot\system32\DRIVERS\gameenum.sysLoaded driver \SystemRoot\system32\DRIVERS\IntelC53.sysLoaded driver \SystemRoot\system32\DRIVERS\IntelC51.sysLoaded driver \SystemRoot\system32\DRIVERS\IntelC52.sysLoaded driver \SystemRoot\system32\DRIVERS\mohfilt.sysLoaded driver \SystemRoot\System32\Drivers\Modem.SYSLoaded driver \SystemRoot\system32\DRIVERS\fdc.sysLoaded driver \SystemRoot\system32\DRIVERS\i8042prt.sysLoaded driver \SystemRoot\system32\DRIVERS\kbdclass.sysLoaded driver \SystemRoot\system32\DRIVERS\parport.sysLoaded driver \SystemRoot\system32\DRIVERS\serial.sysLoaded driver \SystemRoot\system32\DRIVERS\serenum.sysLoaded driver \SystemRoot\system32\DRIVERS\cdrom.sysLoaded driver \SystemRoot\system32\DRIVERS\redbook.sysLoaded driver \SystemRoot\system32\DRIVERS\imapi.sysLoaded driver \SystemRoot\system32\DRIVERS\audstub.sysLoaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sysLoaded driver \SystemRoot\system32\DRIVERS\ndistapi.sysLoaded driver \SystemRoot\system32\DRIVERS\ndiswan.sysLoaded driver \SystemRoot\system32\DRIVERS\raspppoe.sysLoaded driver \SystemRoot\system32\DRIVERS\raspptp.sysLoaded driver \SystemRoot\system32\DRIVERS\msgpc.sysLoaded driver \SystemRoot\system32\DRIVERS\psched.sysLoaded driver \SystemRoot\system32\DRIVERS\ptilink.sysLoaded driver \SystemRoot\system32\DRIVERS\raspti.sysLoaded driver \SystemRoot\system32\DRIVERS\rdpdr.sysLoaded driver \SystemRoot\system32\DRIVERS\termdd.sysLoaded driver \SystemRoot\system32\DRIVERS\mouclass.sysLoaded driver \SystemRoot\system32\DRIVERS\swenum.sysLoaded driver \SystemRoot\system32\DRIVERS\update.sysLoaded driver \SystemRoot\system32\DRIVERS\mssmbios.sysLoaded driver \SystemRoot\system32\DRIVERS\omci.sysLoaded driver \SystemRoot\System32\Drivers\NDProxy.SYSDid not load driver \SystemRoot\System32\Drivers\NDProxy.SYSLoaded driver \SystemRoot\system32\DRIVERS\usbhub.sysLoaded driver \SystemRoot\System32\drivers\hap16v2k.sysLoaded driver \SystemRoot\System32\drivers\ha10kx2k.sysLoaded driver \SystemRoot\System32\drivers\emupia2k.sysLoaded driver \SystemRoot\System32\drivers\ctsfm2k.sysLoaded driver \SystemRoot\System32\drivers\ctac32k.sysLoaded driver \SystemRoot\System32\drivers\COMMONFX.SYSLoaded driver \SystemRoot\System32\drivers\CTSBLFX.SYSLoaded driver \SystemRoot\System32\drivers\CTAUDFX.SYSLoaded driver \SystemRoot\system32\drivers\MODEMCSA.sysLoaded driver \SystemRoot\system32\DRIVERS\flpydisk.sysDid not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYSDid not load driver \SystemRoot\System32\Drivers\Sfloppy.SYSLoaded driver \SystemRoot\System32\Drivers\i2omgmt.SYSLoaded driver \SystemRoot\system32\DRIVERS\klif.sysDid not load driver \SystemRoot\System32\Drivers\Changer.SYSDid not load driver \SystemRoot\System32\Drivers\Cdaudio.SYSLoaded driver \SystemRoot\system32\DRIVERS\hidusb.sysLoaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYSLoaded driver \SystemRoot\System32\Drivers\Null.SYSLoaded driver \SystemRoot\System32\Drivers\Beep.SYSLoaded driver \SystemRoot\System32\Drivers\avgclean.sysLoaded driver \SystemRoot\System32\drivers\vga.sysLoaded driver \SystemRoot\System32\Drivers\mnmdd.SYSLoaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sysLoaded driver \SystemRoot\System32\Drivers\Msfs.SYSLoaded driver \SystemRoot\System32\Drivers\Npfs.SYSLoaded driver \SystemRoot\system32\DRIVERS\rasacd.sysLoaded driver \SystemRoot\system32\DRIVERS\ipsec.sysLoaded driver \SystemRoot\system32\DRIVERS\tcpip.sysLoaded driver \SystemRoot\system32\DRIVERS\ipnat.sysLoaded driver \SystemRoot\system32\DRIVERS\netbt.sysLoaded driver \SystemRoot\system32\DRIVERS\wanarp.sysLoaded driver \SystemRoot\system32\DRIVERS\arp1394.sysLoaded driver \SystemRoot\system32\DRIVERS\usbccgp.sysLoaded driver \SystemRoot\System32\vsdatant.sysLoaded driver \SystemRoot\System32\drivers\afd.sysLoaded driver \SystemRoot\system32\DRIVERS\netbios.sysDid not load driver \SystemRoot\System32\Drivers\PCIDump.SYSLoaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sysLoaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYSLoaded driver \SystemRoot\system32\DRIVERS\rdbss.sysLoaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sysLoaded driver \SystemRoot\System32\Drivers\Fips.SYSLoaded driver \SystemRoot\System32\Drivers\avg7core.sysLoaded driver \SystemRoot\System32\Drivers\avg7rsw.sysLoaded driver \SystemRoot\System32\Drivers\Fastfat.SYSLoaded driver \SystemRoot\System32\Drivers\avg7rsxp.sysLoaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYSLoaded driver \SystemRoot\system32\DRIVERS\mouhid.sysLoaded driver \SystemRoot\system32\DRIVERS\usbscan.sysLoaded driver \SystemRoot\system32\DRIVERS\usbprint.sysLoaded driver \SystemRoot\system32\DRIVERS\mxopswd.sysLoaded driver \SystemRoot\system32\DRIVERS\ndisuio.sysDid not load driver \SystemRoot\system32\DRIVERS\rdbss.sysDid not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sysLoaded driver \SystemRoot\system32\drivers\wdmaud.sysLoaded driver \SystemRoot\system32\drivers\sysaudio.sysLoaded driver \SystemRoot\system32\drivers\splitter.sysLoaded driver \SystemRoot\system32\drivers\aec.sysLoaded driver \SystemRoot\system32\drivers\swmidi.sysLoaded driver \SystemRoot\system32\drivers\DMusic.sysLoaded driver \SystemRoot\system32\drivers\kmixer.sysLoaded driver \SystemRoot\system32\drivers\drmkaud.sysLoaded driver \SystemRoot\system32\DRIVERS\mrxdav.sysLoaded driver \SystemRoot\System32\Drivers\avgtdi.sysLoaded driver \SystemRoot\system32\DRIVERS\srv.sysLoaded driver \??\C:\WINDOWS\system32\drivers\PfModNT.sysLoaded driver \SystemRoot\system32\DRIVERS\secdrv.sysDid not load driver \SystemRoot\system32\DRIVERS\ipnat.sysLoaded driver \SystemRoot\System32\Drivers\Cdfs.SYSLoaded driver \SystemRoot\System32\Drivers\HTTP.sysLoaded driver \SystemRoot\system32\drivers\kmixer.sysLoaded driver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYSLoaded driver \SystemRoot\system32\drivers\kmixer.sysThanks! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 8, 2008 Root Admin ID:30100 Share Posted October 8, 2008 Okay I'm waiting to hear back from the Developers and will get back to you soon. Link to post Share on other sites More sharing options...
nosirrah Posted October 8, 2008 ID:30125 Share Posted October 8, 2008 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.^^ Those almost always show up with a rootkit .^^Im looking through what you have done already to see if I can tell if it was removed already . Link to post Share on other sites More sharing options...
nosirrah Posted October 8, 2008 ID:30126 Share Posted October 8, 2008 I dont think we have found the cause here yet .Please unzip and run the attached file .I need you to do scan and save report for drivers and files .The log could be quite long so zip and attach them please .RootRepeal.zipRootRepeal.zip Link to post Share on other sites More sharing options...
srpad Posted October 8, 2008 Author ID:30208 Share Posted October 8, 2008 I dont think we have found the cause here yet .Please unzip and run the attached file .I need you to do scan and save report for drivers and files .The log could be quite long so zip and attach them please .Thank you. I will do this as soon as I can (probably will be tomorrow). Just to clarify, do I attach the zipped log to my post in this thread or should I start a thread in another group? Link to post Share on other sites More sharing options...
nosirrah Posted October 9, 2008 ID:30269 Share Posted October 9, 2008 These are just logs , they can be zipped and attached here , only zipped malware needs to be sent to another forum . Link to post Share on other sites More sharing options...
Recommended Posts