Full Version: Need Urgent Help To Get Rid of Persistent Trojan
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
sean26
Hi,

Need urgent help and advice on how to get rid of the persistent trojan richdll.dll and some other viruses detected by my antivirus program.

I have tried to remove these viruses in safe mode but they kept coming back.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:45 PM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxzs.exe
C:\WINDOWS\system32\conime.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PPENSB\Win32\ppshell.exe
C:\PPENSB\Win32\VWSWMGR.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system\internet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [rxzs] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxzs.exe
O4 - HKLM\..\Run: [mhs2] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PenPower Start-Up.lnk = ?
O4 - Global Startup: PenPower VoiceWriter Shell Manager.lnk = C:\PPENSB\Win32\VWSWMGR.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = iesdev.moe.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 49400M.BMP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


Here is my adAware scan logfile:

Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, December 18, 2006 1:26:35 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R139 12.12.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):2 total references
Win32.Trojan.Downloader(TAC index:10):2 total references
Win32.Trojan-PSW.Lineage(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-18-2006 1:26:35 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 544
ThreadCreationTime : 12-18-2006 3:56:53 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 608
ThreadCreationTime : 12-18-2006 3:56:54 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 632
ThreadCreationTime : 12-18-2006 3:56:54 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 12-18-2006 3:56:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 12-18-2006 3:56:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 12-18-2006 3:56:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 984
ThreadCreationTime : 12-18-2006 3:56:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1088
ThreadCreationTime : 12-18-2006 3:56:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1140
ThreadCreationTime : 12-18-2006 3:56:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1304
ThreadCreationTime : 12-18-2006 3:56:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1460
ThreadCreationTime : 12-18-2006 3:56:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1868
ThreadCreationTime : 12-18-2006 3:57:25 AM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:13 [sqlservr.exe]
FilePath : C:\PROGRA~1\MI6841~1\MSSQL\binn\
ProcessID : 1924
ThreadCreationTime : 12-18-2006 3:57:25 AM
BasePriority : Normal
FileVersion : 2000.080.0194.00
ProductVersion : 8.00.194
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Windows NT
InternalName : SQLSERVR
LegalCopyright : © 1988-2000 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLSERVR.EXE
Comments : NT INTEL X86

#:14 [spkrmon.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 224
ThreadCreationTime : 12-18-2006 3:57:33 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : spkrmon Module
FileDescription : SoundMAX SpeakerMonitor service
InternalName : spkrmon
LegalCopyright : Copyright 2003
OriginalFilename : spkrmon.EXE

#:15 [tablet.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 264
ThreadCreationTime : 12-18-2006 3:57:33 AM
BasePriority : High


#:16 [tmlisten.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 464
ThreadCreationTime : 12-18-2006 3:57:33 AM
BasePriority : Normal


#:17 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 940
ThreadCreationTime : 12-18-2006 3:57:33 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:18 [ofcdog.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 1624
ThreadCreationTime : 12-18-2006 3:57:43 AM
BasePriority : Normal


#:19 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1284
ThreadCreationTime : 12-18-2006 3:58:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [hkcmd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2172
ThreadCreationTime : 12-18-2006 3:58:13 AM
BasePriority : Normal
FileVersion : 3.0.0.4020
ProductVersion : 7.0.0.4020
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : HKCMD.EXE

#:21 [pccntmon.exe]
FilePath : C:\Program Files\Trend Micro\OfficeScan Client\
ProcessID : 2180
ThreadCreationTime : 12-18-2006 3:58:13 AM
BasePriority : Normal
FileVersion : 5.58.0.1063
ProductVersion : 5.58
ProductName : Trend Micro OfficeScan
CompanyName : Trend Micro Inc.
FileDescription : I/O Monitor
InternalName : PCCNTMON
LegalCopyright : Copyright © 1999-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro, Inc.
OriginalFilename : PCCNTMON.EXE

#:22 [rxzs.exe]
FilePath : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
ProcessID : 2284
ThreadCreationTime : 12-18-2006 3:58:14 AM
BasePriority : Normal


#:23 [conime.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2316
ThreadCreationTime : 12-18-2006 3:58:17 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Console IME
InternalName : Console
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CONIME.EXE

#:24 [mhs2.exe]
FilePath : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
ProcessID : 2336
ThreadCreationTime : 12-18-2006 3:58:17 AM
BasePriority : Normal


#:25 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2484
ThreadCreationTime : 12-18-2006 3:58:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:26 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 2524
ThreadCreationTime : 12-18-2006 3:58:22 AM
BasePriority : Normal
FileVersion : 8.0.0812.00
ProductVersion : 8.0.0812
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:27 [ppshell.exe]
FilePath : C:\PPENSB\Win32\
ProcessID : 2564
ThreadCreationTime : 12-18-2006 3:58:23 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : PenPower PPSHELL
CompanyName : PenPower
FileDescription : PPSHELL
InternalName : PPSHELL
LegalCopyright : Copyright c 1997
OriginalFilename : PPSHELL.exe

#:28 [vwswmgr.exe]
FilePath : C:\PPENSB\Win32\
ProcessID : 2596
ThreadCreationTime : 12-18-2006 3:58:23 AM
BasePriority : Normal


#:29 [sqlmangr.exe]
FilePath : C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
ProcessID : 2608
ThreadCreationTime : 12-18-2006 3:58:23 AM
BasePriority : Normal
FileVersion : 2000.080.0194.00
ProductVersion : 8.00.194
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Service Manager
InternalName : SQLMANGR
LegalCopyright : © 1988-2000 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLMANGR.exe
Comments : NT INTEL X86

#:30 [tabuserw.exe]
FilePath : C:\WINDOWS\system32\Wtablet\
ProcessID : 2620
ThreadCreationTime : 12-18-2006 3:58:23 AM
BasePriority : Normal
FileVersion : 4.78-4
ProductVersion : 4.78-4
ProductName : Wacom Technology, Corp. TABUSERW
CompanyName : Wacom Technology, Corp.
FileDescription : TABUSERW
InternalName : TABUSERW
LegalCopyright : Copyright © 1997,1998,1999,2000,2001,2002,2003 Wacom Technology, Corp.
OriginalFilename : TABUSERW.EXE

#:31 [conime.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2732
ThreadCreationTime : 12-18-2006 3:58:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Console IME
InternalName : Console
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CONIME.EXE

#:32 [internet.exe]
FilePath : C:\WINDOWS\system\
ProcessID : 4024
ThreadCreationTime : 12-18-2006 4:01:49 AM
BasePriority : Normal


#:33 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3896
ThreadCreationTime : 12-18-2006 4:27:29 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:34 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3748
ThreadCreationTime : 12-18-2006 4:37:04 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:35 [textpad.exe]
FilePath : C:\Program Files\TextPad 4\
ProcessID : 412
ThreadCreationTime : 12-18-2006 5:23:13 AM
BasePriority : Normal
FileVersion : 4.7
ProductVersion : 4.7.3
ProductName : TextPad
CompanyName : Helios Software Solutions
FileDescription : TextPad
InternalName : TextPad
LegalCopyright : Copyright © 1992-2004
LegalTrademarks : TextPad
OriginalFilename : TEXTPAD.EXE

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Win32.Trojan-PSW.Lineage Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6e44887f-5214-41f2-ab46-4728735c4cc6}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-19\software\classes\software\microsoft\internet explorer\toolbar

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-20\software\classes\software\microsoft\internet explorer\toolbar

Registry Scan result:

New critical objects: 3
Objects found so far: 3


Started deep registry scan


Deep registry scan result:
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan



Tracking cookie scan result:
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files...


Disk Scan Result for C:\WINDOWS
New critical objects: 0
Objects found so far: 3

Disk Scan Result for C:\WINDOWS\system32
New critical objects: 0
Objects found so far: 3

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
New critical objects: 0
Objects found so far: 3

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1409082233-725345543-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...


Win32.Trojan-PSW.Lineage Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\soft\downloadwww

Conditional scan result:
New critical objects: 1
Objects found so far: 6

1:28:29 PM Scan Complete

Summary Of This Scan
Total scanning time:00:01:53.905
Objects scanned:85175
Objects identified:4
Objects ignored:0
New critical objects:4



Thanks for the help in advance!
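As an added triage example (written for this thread, not code from Lavasoft, HijackThis or the poster), the Python below parses the O2, O4 and O20 lines copied from the HijackThis log above and flags the entries a helper checks first: a startup item running from the user's Temp folder, a file name one character away from a Windows system binary (rundl132 versus rundll32), an AppInit_DLLs value that is not a .dll, and a BHO library placed directly under C:\WINDOWS or C:\WINDOWS\system instead of Program Files or system32. The heuristics and the SYSTEM_NAMES list are my own assumptions, not HijackThis rules.

```python
"""Added triage helper for HijackThis (HJT) logs.

Example code written for this thread, not a Lavasoft or HijackThis tool: it
reads O2 (BHO), O4 (Run key) and O20 (AppInit_DLLs) lines and reports the
entries that deserve a closer look. The heuristics below are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log posted above (not constructed).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [rxzs] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxzs.exe
O4 - HKLM\..\Run: [mhs2] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhs2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: 49400M.BMP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Windows binaries whose names get imitated (assumed list; extend as needed).
SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "services.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "explorer.exe", "smss.exe"}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
# A library directly under C:\WINDOWS or C:\WINDOWS\system (system32 is excluded).
_WINDIR_LIB = re.compile(r"^c:\\windows\\(system\\)?[^\\]+$")


def exe_path(cmd: str) -> str:
    """Extract the executable path from an O4 command (quoted, or bare with /flags)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.split(r"\s+[/-]", cmd)[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots look-alike names such as rundl132 vs rundll32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename: str) -> Optional[str]:
    """Return the system binary this file name imitates, if it is exactly one edit away."""
    low = basename.lower()
    if low in SYSTEM_NAMES:
        return None
    for name in sorted(SYSTEM_NAMES):
        if edit_distance(low, name) == 1:
            return name
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (path_or_value, reason) pairs for every entry worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            path = exe_path(m["cmd"])
            low = path.lower()
            if "\\temp\\" in low or "\\locals~1\\" in low:
                findings.append((path, "startup entry runs from a temp folder"))
            imitated = lookalike(low.rsplit("\\", 1)[-1])
            if imitated:
                findings.append((path, f"file name imitates {imitated}"))
        elif m := _O2.match(line):
            if _WINDIR_LIB.match(m["path"].lower()):
                findings.append((m["path"], "BHO library outside Program Files/system32"))
        elif m := _O20_APPINIT.match(line):
            value = m["value"].strip()
            if not value.lower().endswith(".dll"):
                findings.append((value, "AppInit_DLLs value is not a .dll"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(HJT_SAMPLE):
        print(f"{reason:45} {item}")
```

The flags are prompts for a closer look, not verdicts; a helper still confirms each entry against the file on disk and the scanner detections before deciding what to remove.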
HJThis
Hello, sean26 & Welcome


Please download ComboFix and save it to your desktop.

Double click combofix.exe and follow the prompts.

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Gogo
sean26
Hi,

Thanks for replying. As requested, I have posted my combofix log.

Actually I have tried on my own to get rid of some of the viruses. I know this trojan richdll will always produce 3 files upon start-up (C:\WINDOWS\uninstall, C:\WINDOWS\rundl132.exe and C:\WINDOWS\Logo1_.exe),
hence I deleted them in safe mode and created three identical files with the same names and made them inaccessible so they could not be overwritten. I guess this will solve this problem temporarily.

But when I ran my Trend Micro, I was not able to get rid of this virus TSPY_LEGMIR.AKJ, which was detected as a .BMP file. Any advice and assistance will be greatly appreciated. Thanks!


Administrator - 06-12-19 9:29:41.27 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))


2006-12-18 18:45 <DIR> d-------- C:\Program Files\Grisoft
2006-12-18 16:18 <DIR> d-------- C:\WINDOWS\uninstall
2006-12-18 16:17 0 --a------ C:\WINDOWS\rundl132.exe
2006-12-18 16:16 0 --a------ C:\WINDOWS\Logo1_.exe
2006-12-18 14:59 <DIR> d-------- C:\WINDOWS\pss
2006-12-18 12:34 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-12-18 11:45 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2006-12-18 10:29 191,488 --a------ C:\WINDOWS\system\IceHBO.dll
2006-12-18 10:29 1,308 --a------ C:\update_4.exe
2006-12-18 10:27 13,572 --a------ C:\WINDOWS\system32\bdscheca100.dll
2006-12-18 10:24 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-12-18 10:15 52,072 --a------ C:\WINDOWS\SERVICES.EXE
2006-12-14 17:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-12-14 17:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2006-12-14 16:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-12-14 15:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-12-14 15:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2006-12-14 15:11 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2006-12-14 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PLSQL Developer
2006-12-13 15:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TextPad
2006-12-13 15:02 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
2006-12-13 15:02 192,569 --a------ C:\WINDOWS\system32\msrpjt40.dll
2006-12-13 15:01 32,830 --a------ C:\WINDOWS\system32\dbmsshrn.dll
2006-12-13 15:01 28,734 --a------ C:\WINDOWS\system32\dbmslpcn.dll
2006-12-13 15:01 274,489 --a------ C:\WINDOWS\system32\ntwdblib.dll
2006-12-13 15:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2006-12-13 14:45 <DIR> d-------- C:\SQLEVAL
2006-12-13 13:58 65,536 --a------ C:\WINDOWS\system32\viavoiceps.dll
2006-12-13 13:58 61,440 --a------ C:\WINDOWS\system32\vvrtkclients.dll
2006-12-13 13:58 37,888 --a------ C:\WINDOWS\system32\vvrtkreg.dll
2006-12-13 13:58 20,480 --a------ C:\WINDOWS\system32\setrescn.dll
2006-12-13 13:58 1,052,672 --a------ C:\WINDOWS\system32\roboex32.dll
2006-12-13 13:57 36,864 --a------ C:\WINDOWS\system32\PPgolnkV.DLL
2006-12-13 13:57 159,744 --a------ C:\WINDOWS\system32\PPVWCMD.DLL
2006-12-13 13:57 131,072 --a------ C:\WINDOWS\system32\PPWordWV.DLL
2006-12-13 13:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Real
2006-12-13 13:48 <DIR> d-------- C:\WINDOWS\system32\Wtablet
2006-12-13 13:48 <DIR> d-------- C:\Program Files\Tablet
2006-12-13 13:47 69,632 --------- C:\WINDOWS\PPUNINST.EXE
2006-12-13 13:47 36,864 --------- C:\WINDOWS\system32\PPGOLINK.DLL
2006-12-13 13:47 131,072 --------- C:\WINDOWS\system32\PPWORDW.DLL
2006-12-13 13:47 <DIR> d-------- C:\PPENSB
2006-12-13 13:42 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-12-13 13:42 21,504 --a------ C:\WINDOWS\system32\hidserv.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-18 18:13 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-18 15:14 -------- d-------- C:\Program Files\WinZip
2006-12-18 14:32 -------- d-------- C:\Program Files\WS_FTP
2006-12-18 10:22 -------- d-------- C:\Program Files\TextPad 4
2006-12-18 10:17 -------- d-------- C:\Program Files\WinRAR
2006-12-18 10:14 -------- d-------- C:\Program Files\MSN Messenger
2006-12-18 10:14 -------- d-------- C:\Program Files\DAP
2006-12-18 10:12 -------- d-------- C:\Program Files\Terminal Services Client
2006-12-18 10:12 -------- d-------- C:\Program Files\PLSQL Developer
2006-12-18 10:11 -------- d-------- C:\Program Files\JetAudio
2006-12-18 10:11 -------- d-------- C:\Program Files\decomp
2006-12-17 03:02 -------- d-------- C:\Program Files\Internet Explorer
2006-12-17 03:01 -------- d-------- C:\Program Files\Outlook Express
2006-12-17 03:01 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 15:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-13 15:00 -------- d--h----- C:\Program Files\Uninstall Information
2006-12-13 13:57 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 08:54 -------- d-------- C:\Program Files\Google
2006-11-08 13:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-03 09:33 -------- d-------- C:\Program Files\Common Files
2006-10-19 21:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 20:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 20:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=""
"{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-19 9:30:04.02
C:\ComboFix.txt ... 06-12-19 09:30
C:\ComboFix2.txt ... 06-12-18 19:34
C:\ComboFix3.txt ... 06-12-18 19:07
HJThis
Hi, sean26


Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

QUOTE
Files to delete:
C:\WINDOWS\rundl132.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\system32\bdscheca100.dll
C:\WINDOWS\SERVICES.EXE
C:\WINDOWS\system32\viavoiceps.dll
C:\WINDOWS\system32\setrescn.dll
C:\WINDOWS\system32\PPgolnkV.DLL
C:\WINDOWS\system32\PPVWCMD.DLL
C:\WINDOWS\system32\PPWordWV.DLL


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.


After the above is done, do this for me as well.


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4, and don't copy the word QUOTE.)

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=-

"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=-

"{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}"=-


Save this as fix.reg, choosing "All Files" as the file type, and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

NOTE: Please make sure to do a reboot after running the reg file.


Gogo
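As an added example (not a tool from this thread, and not part of Avenger, HijackThis or regedit), here is the pre-flight check a practitioner would run between the two steps above: parse the export that "regedit /e c:\registrybackup.reg" wrote and the fix.reg text, and confirm that every "name"=- deletion in the fix targets a value the backup actually contains, before anything is merged. The backup excerpt below is constructed in the format regedit /e writes, holding the ShellExecuteHooks values as ComboFix listed them; the fix text is the one from this post. The function names are this example's own.

```python
"""Pre-flight check of a REGEDIT4 fix against a "regedit /e" backup export.

Example code added to this thread; it is not Avenger, HijackThis or regedit.
It parses both .reg files and reports what merging the fix would do, so a
"name"=- deletion that does not match anything in the backup is caught
before the fix is applied.
"""
import re

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_DEFAULT_RE = re.compile(r'^@=(?P<data>.*)$')


def parse_reg(text):
    """Return {key: {value_name: data}} with keys and names lower-cased.

    Accepts both the REGEDIT4 header and the "Windows Registry Editor
    Version 5.00" header that regedit /e writes. The registry compares key
    and value names case-insensitively, hence the lower-casing. data is None
    for a value the file deletes ("name"=-). Hex data continued over several
    lines with a trailing backslash is joined back into one value.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.upper() == "REGEDIT4" or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]      # continuation line follows
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) or _DEFAULT_RE.match(line)
        if m and current is not None:
            name = m.groupdict().get("name", "@").lower()
            data = m.group("data").strip()
            keys[current][name] = None if data == "-" else data
    return keys


def plan_merge(fix_text, backup_text):
    """List (key, value_name, action) for everything the fix would change.

    action is 'delete' when the backup shows the value exists, 'missing' when
    the fix deletes a value the backup does not contain (mistyped CLSID, or
    already gone), and 'set' when the fix writes data.
    """
    fix, backup = parse_reg(fix_text), parse_reg(backup_text)
    plan = []
    for key, values in fix.items():
        existing = backup.get(key, {})
        for name, data in values.items():
            if data is None:
                action = "delete" if name in existing else "missing"
            else:
                action = "set"
            plan.append((key, name, action))
    return plan


# Constructed excerpt of c:\registrybackup.reg in the format regedit /e
# writes, holding the ShellExecuteHooks values ComboFix listed above.
BACKUP = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=""
"{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}"=""
"""

# The fix.reg text from the post above.
FIX = """REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=-
"{6E44887F-5214-41F2-AB46-4728735C4CC6}"=-
"{9C0CFA58-3A6F-51ba-9EFE-5320F4F62FB1}"=-
"""


def check_fix(fix_text=FIX, backup_text=BACKUP):
    """Return (plan, ok); ok is False if any deletion has no match in the backup."""
    plan = plan_merge(fix_text, backup_text)
    return plan, all(action != "missing" for _, _, action in plan)


if __name__ == "__main__":
    plan, ok = check_fix()
    for key, name, action in plan:
        print(f"{action:8} {name}  in  {key}")
    print("every deletion matches the backup" if ok
          else "fix names values the backup does not have; re-check before merging")
```

The merge itself is still done by double-clicking the .reg file as the post says; this only tells you whether the fix lines up with what the backup recorded, so a CLSID that was mistyped or is already gone shows up as "missing" before the registry is touched.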
sean26
Hi,

Thanks for your reply.
I have run Avenger and here are the contents of avenger.txt and a fresh HijackThis logfile.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sytcjwks

*******************

Script file located at: \??\C:\WINDOWS\pftisxbe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\rundl132.exe deleted successfully.
File C:\WINDOWS\Logo1_.exe deleted successfully.


File C:\WINDOWS\system32\bdscheca100.dll not found!
Deletion of file C:\WINDOWS\system32\bdscheca100.dll failed!

Could not process line:
C:\WINDOWS\system32\bdscheca100.dll
Status: 0xc0000034

File C:\WINDOWS\SERVICES.EXE deleted successfully.
File C:\WINDOWS\system32\viavoiceps.dll deleted successfully.
File C:\WINDOWS\system32\setrescn.dll deleted successfully.
File C:\WINDOWS\system32\PPgolnkV.DLL deleted successfully.
File C:\WINDOWS\system32\PPVWCMD.DLL deleted successfully.
File C:\WINDOWS\system32\PPWordWV.DLL deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1
Scan saved at 6:08:44 PM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PPENSB\Win32\ppshell.exe
C:\PPENSB\Win32\VWSWMGR.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PenPower Start-Up.lnk = ?
O4 - Global Startup: PenPower VoiceWriter Shell Manager.lnk = C:\PPENSB\Win32\VWSWMGR.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = iesdev.moe.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 49400M.BMP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe



One more thing: whenever I close my internet browser, a pop-up appears. I can't seem to get rid of it. Can you also help me look out for this? Thanks for your help!! Deeply appreciated.
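An added example, not part of HijackThis or of this thread: a small triage pass over the O-lines of the log above, using a few rules of thumb about where legitimate components normally live (Program Files, system32) and which entry types rarely have a benign reason to exist. The rules are this example's own assumptions, not signatures; they happen to single out the same two entries the helpers in this thread pick on (the AppInit_DLLs value and the BHO loading from C:\WINDOWS\system), but a hit means "look closer", not "malware". The sample lines are copied from the log above, with benign ones included to show they pass.

```python
"""Rule-of-thumb triage of HijackThis O-lines.

Example code added to this thread, not part of HijackThis. The rules below
are this example's own assumptions about where legitimate components usually
live (Program Files, system32) and which entry types rarely have a benign
reason to exist; a hit means "look closer", not "malware".
"""
import re
from urllib.parse import urlparse

_LINE_RE = re.compile(r'^(O\d+) - (.*)$')

# Where BHOs, Winlogon Notify DLLs and startup programs normally live.
_EXPECTED_DIRS = ('\\program files\\', '\\windows\\system32\\')
# Locations an ordinary user can write to; autostarts from here stand out.
_USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\documents and settings\\')


def _path_in(path, prefixes):
    p = path.strip('"').lower()
    return any(fragment in p for fragment in prefixes)


def triage_line(line):
    """Return (section, finding) if the line trips a rule, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == 'O2':
        # O2 - BHO: <name> - {CLSID} - <dll path>
        head, _, dll = rest[len('BHO:'):].rpartition(' - ')
        name = head.rpartition(' - ')[0].strip()
        if not _path_in(dll, _EXPECTED_DIRS):
            return section, f'BHO "{name}" loads from outside Program Files/system32: {dll.strip()}'
    elif section == 'O4':
        # O4 - HKLM\..\Run: [entry] <command>   or   Global Startup: x.lnk = <target>
        target = rest.split('] ', 1)[1] if '] ' in rest else rest.split(' = ', 1)[-1]
        if _path_in(target, _USER_WRITABLE):
            return section, f'autostart from a user-writable location: {target}'
    elif section == 'O16':
        # O16 - DPF: {CLSID} (Friendly Name) - <url>; no friendly name is unusual
        head, _, url = rest[len('DPF:'):].rpartition(' - ')
        if '(' not in head:
            host = urlparse(url.strip()).hostname or url.strip()
            return section, f'ActiveX download with no registered name, from {host}'
    elif section == 'O20':
        if rest.startswith('AppInit_DLLs:'):
            value = rest.split(':', 1)[1].strip()
            if value:       # every process that loads user32 gets this DLL injected
                why = 'non-.dll name' if not value.lower().endswith('.dll') else 'verify publisher'
                return section, f'AppInit_DLLs is set ({why}): {value}'
        elif rest.startswith('Winlogon Notify:'):
            dll = rest.rpartition(' - ')[2]
            if not _path_in(dll, _EXPECTED_DIRS):
                return section, f'Winlogon Notify DLL outside system32: {dll.strip()}'
    elif section == 'O23' and rest.endswith('(file missing)'):
        svc = rest[len('Service:'):].split(' - ', 1)[0].strip()
        return section, f'service "{svc}" points at a missing file (stale entry; verify and remove)'
    return None


def triage(log_text):
    """Apply triage_line to every line; returns the list of hits in log order."""
    return [hit for hit in (triage_line(l) for l in log_text.splitlines()) if hit]


# Lines copied from the HijackThis log posted above (benign ones included to
# show they pass the rules), not constructed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O20 - AppInit_DLLs: 49400M.BMP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
"""

if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(section, finding)
```

Run against the sample it reports four hits: the "Flash 9" BHO in C:\WINDOWS\system (Flash does not register a BHO from there), the unnamed ActiveX download, the AppInit_DLLs value with a .BMP name, and the SQL helper service whose binary is gone. The last one is a leftover install rather than an infection, which is exactly why the finding text says verify first.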
HJThis
Hi, sean26

OK, you have one item here I'm not too sure about; here is the info about the file.
Note! If your system is using a non-Western language, this can be a legitimate entry.

And this is the file; tell me what, if anything, you know about it.
C:\WINDOWS\system32\conime.exe


Now run HijackThis and place a check mark in the box next to
this file here.
O20 - AppInit_DLLs: 49400M.BMP

Then click Fix checked and close out of HijackThis.

Next

Please run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site, click the Scan your PC button (be sure to disable your pop-up blocker first).
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Click on see report Then click Save report

Post a fresh HijackThis log, the AVG Anti-Spyware log and the Panda Scan log here
(You may need to use several replies as the logs may be cut off)


Then come back here with a new HijackThis logfile and a Panda report.txt,
and may I have feedback on how the PC is doing now.


Gogo
sean26
Hi,

Thanks for your prompt response!
I have no idea about this exe file. But I did send this file to scan@virustotal.com to check and it came out clean though.

Here are my ActiveScan and HijackThis log files. I will post them in two replies due to the length.

Logfile of HijackThis v1.99.1
Scan saved at 5:01:14 PM, on 12/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PenPower Start-Up.lnk = ?
O4 - Global Startup: PenPower VoiceWriter Shell Manager.lnk = C:\PPENSB\Win32\VWSWMGR.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166612602249
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = iesdev.moe.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
sean26
This is the ActiveScan log:


Incident Status Location

Possible Virus. Not disinfected C:\avenger\backup.zip[avenger/SERVICES.EXE]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@burstnet[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@cassava[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@did-it[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@searchportal.information[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\chocks\Cookies\chocks@xiti[1].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Thanks for your help!
HJThis
Hey, sean26

Hmm, OK, let me try it this way: go here and have a look at the info
about this file you say is clean.

http://www.liutilities.com/products/wintas...library/conime/

Now, if this file has nothing to do with you or the PC, we can remove
it, but look at the NOTE at that site again; if it has nothing to do with you,
then gone it will be.

As for the logfiles you showed me: no big thing, just some cookies
and one DPF that we will clean after you give me a heads-up on that file.


Gogo
HJThis
Hi, sean26

Huh, is this your friend's logfile? If so, please start a new Thread or Topic;
do not post in your Thread, please. It makes it hard to know where we
are in your fix, so I will delete this logfile.

Now on to that file.


Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

QUOTE
Files to delete:
C:\WINDOWS\system32\conime.exe


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.


Gogo
sean26
Hi,

Here are the requested logfiles for your analysis. Thanks for your help!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aaefmyor

*******************

Script file located at: \??\C:\Program Files\fiheouae.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\conime.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 9:50:28 AM, on 12/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PenPower Start-Up.lnk = ?
O4 - Global Startup: PenPower VoiceWriter Shell Manager.lnk = C:\PPENSB\Win32\VWSWMGR.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166612602249
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = iesdev.moe.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iesdev.moe.edu.sg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

As for my friend's logfiles, I will start another new thread. Once again, I deeply appreciate what you guys have been doing, helping people out! Keep it up!

Cheers and happy holiday to you!
HJThis
Hey, sean26

Not a problem, but how are you doing? Is the PC any better?
First let's take care of your problem, then go after your friend's.

and a great happy holidays to you and family

Gogo
sean26
Hi,

Thanks for your help! It's working fine... happy holiday! I have posted a new thread for my friend's PC. Appreciate your help once again.
HJThis
Hey, sean26

Great to hear it. Now, the last steps here; please make it a point to look at the
link by Mr. TK.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


Next, let's clean your restore points and set a new one


Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* CHECK Turn off System Restore.
* Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.


Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.



Clean out your Temporary Internet files.
Internet Explorer
Close Internet Explorer and close any instances of Windows Explorer.
Click Start -> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Firefox (In case you also have Firefox installed)
Open Firefox and go to Tools -> Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
a. Change the Download signed ActiveX controls to Prompt
b. Change the Download unsigned ActiveX controls to Disable
c . Change the Initialize and script ActiveX controls not marked as safe to Disable
d. Change the Installation of desktop items to Prompt
e. Change the Launching programs and files in an IFRAME to Prompt
f. Change the Navigate sub-frames across different domains to Prompt
g. When all these settings have been made, click on the OK button.
h. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

And please have a look at the great info by Mr. TK:
So how did I get infected in the first place


Gogo
LS CalamityJane
Whoa!

These files are not bad and need to be restored to their original locations from the Avenger Backup file located at C:\avenger\backup.zip

Restore all of these:
File C:\WINDOWS\system32\viavoiceps.dll deleted successfully.
File C:\WINDOWS\system32\setrescn.dll deleted successfully.
File C:\WINDOWS\system32\PPgolnkV.DLL deleted successfully.
File C:\WINDOWS\system32\PPVWCMD.DLL deleted successfully.
File C:\WINDOWS\system32\PPWordWV.DLL deleted successfully.
File C:\WINDOWS\system32\conime.exe deleted successfully.

(three of those files belong to his PenPower program...it is legit)
.....................................

There is a bad BHO in your log however, and I would like to get a copy to submit for detection

In fact, you have a couple of suspicious files I'd like to examine further to determine what they are and the best way to remove them.

Go here to upload the files as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press New Topic (make the subject: For CalamityJane from sean26 at LS),
fill in a short message, then in the attachments section press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it; when all the files are listed in the window, press the *Post* button to upload the files.

Files to attach for upload:

C:\WINDOWS\system\IceHBO.dll

C:\update_4.exe

And these also (if found)
C:\DOCUMENTS AND SETTINGS~1\ADMINI~1\LOCALSETTINGS\Temp\rxzs.exe
C:\DOCUMENTS AND SETTINGS~1\ADMINI~1\LOCALSETTINGS\Temp\mhs2.exe

You DO NOT need to register to start a topic or upload; anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect them from there and will reply to you back here.

When you have done that, close all browsers and any open windows. Open HijackThis and choose *System Scan only*

When it finishes, checkmark this entry in the list and then press the *fix checked* button

O2 - BHO: Flash 9 - {492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA} - C:\WINDOWS\system\IceHBO.dll

Reboot your PC.

Then could I please have a fresh HijackThis log and a fresh scan with ComboFix.
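An added example, not from this thread or from HijackThis: a read-only PowerShell script that enumerates the registered Browser Helper Objects and resolves each CLSID to its DLL, which is exactly what an O2 line like the one above reports, and flags the CLSID from that line, DLLs without a valid Authenticode signature, and DLLs loaded from unusual locations such as C:\WINDOWS\system or a Temp folder. It assumes PowerShell is available on the machine being inspected; the `Resolve-Clsid` helper and the flagging heuristics are mine.

```powershell
# Added example: list Browser Helper Objects the way HijackThis builds O2 lines.
# Read-only: nothing is deleted or changed; review the output before fixing anything.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-Clsid {
    param([string]$Clsid)
    # A BHO is registered by CLSID only; the DLL path lives under CLSID\{...}\InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $server = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $server) {
            $name = (Get-ItemProperty -Path (Join-Path $root $Clsid) -ErrorAction SilentlyContinue).'(default)'
            $path = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{
                Name = $name
                Path = [Environment]::ExpandEnvironmentVariables([string]$path)
            }
        }
    }
    return $null
}

# CLSID taken from the O2 line in this thread; used only to highlight it if still present.
$knownBad = '{492B8F66-B8CF-4F7A-B0EE-B7383B92F5BA}'

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $info  = Resolve-Clsid $clsid
        $path  = if ($info) { $info.Path } else { '<no InprocServer32>' }
        $exists = [bool]$info -and (Test-Path -LiteralPath $path)
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

        # Heuristic red flags (my assumptions, not a verdict): known CLSID, missing file,
        # unsigned/invalid signature, or a DLL outside the usual install locations.
        $flags = @()
        if ($clsid -ieq $knownBad)                 { $flags += 'CLSID matches O2 entry from log' }
        if ($info -and -not $exists)               { $flags += 'DLL missing on disk' }
        if ($exists -and $sigStatus -ne 'Valid')   { $flags += "signature: $sigStatus" }
        if ($path -match '(?i)\\WINDOWS\\system\\|\\Temp\\|\\Local Settings\\') { $flags += 'unusual location' }

        [pscustomobject]@{
            CLSID = $clsid
            Name  = if ($info) { $info.Name } else { '' }
            Path  = $path
            Flags = ($flags -join '; ')
        }
    } | Format-Table -AutoSize
}
```

Rows with anything in the Flags column are the ones worth submitting for analysis, as CalamityJane asks for above; an empty Flags column is not proof a BHO is clean.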