
Mendoza Trojan Dropper [HijackThis Log]

Discussion in 'Malware and Virus Removal Archive' started by sivagi, 2006/07/15.

  1. 2006/07/15
    sivagi

    I have Windows XP Home Edition installed on my machine. When the machine comes up, some Project1 automatically starts up and some Mendoza.exe is dropped. Then some kybr_dad.exe starts running. Ad pages are opened automatically. I have tried a full scan and have removed viruses and other spyware using Norton Antivirus as well, but the problem persists. Can anybody please help me out with this? Attached are the HijackThis log file contents as well. Thanks for the help and support.

    -------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 16:46:33, on 08/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PCD32\Client32.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\xpfilesys.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Test\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgggeff.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKLM\..\Run: [newname] c:\\nwnmd_5.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrd_5.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdd_5.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - http://www.msn.com/llclient/dbrasclassic/winxp/AXXPEE.dll
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126458710527
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...08f65cf85f7b:bdbde7aebc81a3f424a604ce84bc937c
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O20 - Winlogon Notify: hgggeff - C:\WINDOWS\SYSTEM32\hgggeff.dll
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s0rs0a97ed.dll
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    ---------------------------------------------------------------------
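As an added example, not part of the original thread and not HijackThis code, here is a small Python triage script for the log above. It pulls out the entry shapes an analyst would look at first: O4 run values whose target sits in the root of the drive (c:\\nwnmd_5.exe and its siblings), run or service paths that pass through a directory whose name is valid base64 (C:\WINDOWS\U2l2YXNoYW5rYXI), O23 services with "Unknown owner", and O17 name servers outside private address space. AppInit_DLLs and Winlogon Notify entries (O20) are graded "review" rather than "high" because legitimate products register hooks there too; the exception is a Winlogon Notify DLL that is also registered as a BHO, which is what hgggeff.dll is in this log (it appears under both O2 and O20) and which the script grades "high". The sample lines are copied from the first log; the heuristics and severity labels are the example's own assumptions, not verdicts, and public DNS servers in particular are very often just the ISP's resolvers.

```python
"""Triage the entry lines of a HijackThis 1.99 log.

Added example, not from the original post and not HijackThis code. Sample
lines are copied from the log above; heuristics and severities are this
example's own assumptions about what deserves a second look.
"""
import base64
import ipaddress
import re
from typing import List, Optional, Tuple

# Excerpt copied from the first HijackThis log in the thread (not every line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgggeff.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmd_5.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdd_5.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: hgggeff - C:\WINDOWS\SYSTEM32\hgggeff.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse(text: str) -> List[Tuple[str, str]]:
    """(section, body) for every entry line; header and process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out


def looks_base64(component: str) -> bool:
    """True if a path component is valid base64 that decodes to printable ASCII."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", component):
        return False
    try:
        decoded = base64.b64decode(component + "=" * (-len(component) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return all(32 <= b < 127 for b in decoded)


def suspicious_path(path: str) -> Optional[str]:
    """Reason string if a run-value or service path has a shape worth a second look."""
    p = path.strip().strip('"')
    if re.match(r"^[a-z]:\\\\?[^\\]+$", p, re.I):
        return "executable sits in the root of the drive"
    for part in re.split(r"\\+", p)[1:-1]:  # directories between drive and file name
        if looks_base64(part):
            return "directory name %r is valid base64" % part
    return None


def is_private_dns(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, log line) for every entry that needs a look."""
    entries = parse(text)
    bho_dlls = {b.rsplit("\\", 1)[-1].lower() for s, b in entries if s == "O2"}
    findings = []
    for section, body in entries:
        if section == "O2" and "(no name)" in body:
            findings.append(("review", "BHO registered without a display name", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            why = suspicious_path(m["target"]) if m else None
            if why:
                findings.append(("high", why, body))
        elif section == "O17":
            servers = re.split(r"[ ,]+", body.split("NameServer =")[-1].strip())
            public = [s for s in servers if not is_private_dns(s)]
            if public:
                findings.append(("review", "DNS servers outside private space: %s" % public, body))
        elif section == "O20":
            dll = body.rsplit("\\", 1)[-1].lower()
            if body.startswith("Winlogon Notify") and dll in bho_dlls:
                findings.append(("high", "same DLL is also registered as a BHO (O2)", body))
            else:
                findings.append(("review", "hook DLL loaded into winlogon or every process; verify publisher", body))
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if m and m["owner"] == "Unknown owner":
                findings.append(("review", "service binary carries no vendor information", body))
            why = suspicious_path(m["path"]) if m else None
            if why:
                findings.append(("high", why, body))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, reason, line))
```

Feeding it a whole pasted log works the same way, since parse() only keeps lines that start with an R or O section code.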
     
  2. 2006/07/15
    TeMerc

    Welcome to WindowsBBS Forums.

    What you have here is a Look2Me infection with some other items as well. We have a special fix for it and we'll be running some other scans too.

    Please download Look2Me-Destroyer to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from this link and place it in your C:\Windows\System32 Directory.
     


  4. 2006/07/15
    sivagi

    Thanks a lot for the response. I have done the mentioned steps, and the following is the content of the two files requested.

    L2M log file:
    --------------------------


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 16/07/2006 05:05:06

    Infected! C:\WINDOWS\system32\gpl6l33s1.dll
    Infected! C:\WINDOWS\system32\t0r80a9ued.dll
    Infected! C:\WINDOWS\system32\fpn0035me.dll
    Infected! C:\WINDOWS\system32\uwtheme.dll
    Infected! C:\WINDOWS\system32\scpblb.dll
    Infected! C:\WINDOWS\system32\AJGJMPSV.dll
    Infected! C:\WINDOWS\system32\gpl6l33s1.dll
    Infected! C:\WINDOWS\system32\ijmon.dll
    Infected! C:\WINDOWS\system32\nztrap.dll
    Infected! C:\WINDOWS\system32\kpdfa.dll
    Infected! C:\WINDOWS\system32\j8p00i7me8.dll
    Infected! C:\WINDOWS\system32\nqlanui.dll
    Infected! C:\WINDOWS\system32\ofengl32.dll
    Infected! C:\WINDOWS\system32\o4840elqehqe0.dll
    Infected! C:\WINDOWS\system32\slleay32.dll
    Infected! C:\WINDOWS\system32\rDsadhlp.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040481.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040482.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040489.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP127\A0041497.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041531.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041545.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041549.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041558.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041569.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041571.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041578.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041593.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041597.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041605.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041753.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041766.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041900.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041909.dll
    Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041923.dll
    Infected! C:\WINDOWS\System32\guard.tmp

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\gpl6l33s1.dll
    C:\WINDOWS\system32\gpl6l33s1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\t0r80a9ued.dll
    C:\WINDOWS\system32\t0r80a9ued.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\fpn0035me.dll
    C:\WINDOWS\system32\fpn0035me.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\uwtheme.dll
    C:\WINDOWS\system32\uwtheme.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\scpblb.dll
    C:\WINDOWS\system32\scpblb.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\AJGJMPSV.dll
    C:\WINDOWS\system32\AJGJMPSV.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\gpl6l33s1.dll
    C:\WINDOWS\system32\gpl6l33s1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ijmon.dll
    C:\WINDOWS\system32\ijmon.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\nztrap.dll
    C:\WINDOWS\system32\nztrap.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\kpdfa.dll
    C:\WINDOWS\system32\kpdfa.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\j8p00i7me8.dll
    C:\WINDOWS\system32\j8p00i7me8.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\nqlanui.dll
    C:\WINDOWS\system32\nqlanui.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ofengl32.dll
    C:\WINDOWS\system32\ofengl32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\o4840elqehqe0.dll
    C:\WINDOWS\system32\o4840elqehqe0.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\slleay32.dll
    C:\WINDOWS\system32\slleay32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\rDsadhlp.dll
    C:\WINDOWS\system32\rDsadhlp.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040481.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040481.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040482.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040482.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040489.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040489.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP127\A0041497.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP127\A0041497.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041531.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041531.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041545.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041545.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041549.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041549.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041558.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041558.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041569.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041569.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041571.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041571.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041578.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041578.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041593.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041593.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041597.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041597.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041605.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041605.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041753.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041753.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041766.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041766.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041900.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041900.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041909.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041909.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041923.dll
    C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP128\A0041923.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\System32\guard.tmp
    C:\WINDOWS\System32\guard.tmp Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{46E645CA-B124-4093-98D3-E365198E3F6B} "
    HKCR\Clsid\{46E645CA-B124-4093-98D3-E365198E3F6B}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7E6F8E12-D198-4084-9B03-A9610D60680F} "
    HKCR\Clsid\{7E6F8E12-D198-4084-9B03-A9610D60680F}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{570C6542-EFDF-422C-A748-759C14CD3392} "
    HKCR\Clsid\{570C6542-EFDF-422C-A748-759C14CD3392}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7F9D61F2-6ED0-4D77-BD52-26A8E2751F2A} "
    HKCR\Clsid\{7F9D61F2-6ED0-4D77-BD52-26A8E2751F2A}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file
    ---------------------------

    HijackThis log file:
    -------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 05:17:00, on 16/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\xpfilesys.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PCD32\Client32.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Test\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgggeff.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKLM\..\Run: [newname] c:\\nwnmad_5.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrad_5.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdad_5.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [eq 32] C:\DOCUME~1\Test\APPLIC~1\CORNLI~1\junkacid.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - http://www.msn.com/llclient/dbrasclassic/winxp/AXXPEE.dll
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126458710527
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...08f65cf85f7b:bdbde7aebc81a3f424a604ce84bc937c
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O20 - Winlogon Notify: hgggeff - C:\WINDOWS\SYSTEM32\hgggeff.dll
    O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll (file missing)
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    --------------------------
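Added example, not the thread's code and not code from either tool: comparing the HijackThis log in the first post with the one above, and sanity-checking the Look2Me-Destroyer report. Keying O4 run values by hive, key and value name rather than by the whole line shows that the three root-of-drive entries are still present but now point at different filenames (nwnmd_5 to nwnmad_5, and so on), that ShellScrap's Winlogon Notify entry is gone while a new one (jkklk, file missing) and a new HKCU run value (junkacid.exe) have appeared, and that the report's hits split between live files in system32 and copies inside System Restore points, which is why helpers normally have the user purge restore points once the machine is clean. The log and report lines are excerpts from the posts above; the report excerpt deliberately leaves out one "Deleted successfully!" line so the not-deleted check has something to report.

```python
"""Diff two HijackThis logs by entry identity and audit a Look2Me-Destroyer report.

Added example, not the thread's or either tool's code. Sample text is excerpted
from the posts above; the report excerpt omits one "Deleted successfully!" line
on purpose so the not-deleted check fires.
"""
import re

# Excerpt from the first post's log (before the Look2Me fix).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [newname] c:\\nwnmd_5.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrd_5.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdd_5.exe
O20 - Winlogon Notify: hgggeff - C:\WINDOWS\SYSTEM32\hgggeff.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s0rs0a97ed.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
"""

# Excerpt from the log above (after the Look2Me fix).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [newname] c:\\nwnmad_5.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdad_5.exe
O4 - HKCU\..\Run: [eq 32] C:\DOCUME~1\Test\APPLIC~1\CORNLI~1\junkacid.exe
O20 - Winlogon Notify: hgggeff - C:\WINDOWS\SYSTEM32\hgggeff.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
"""

# Excerpt from the Look2Me-Destroyer report above, minus the A0040482 deletion line.
L2M_REPORT = r"""
Infected! C:\WINDOWS\system32\gpl6l33s1.dll
Infected! C:\WINDOWS\system32\t0r80a9ued.dll
Infected! C:\WINDOWS\system32\gpl6l33s1.dll
Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040481.dll
Infected! C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040482.dll
Infected! C:\WINDOWS\System32\guard.tmp
Attempting to delete: C:\WINDOWS\system32\gpl6l33s1.dll
C:\WINDOWS\system32\gpl6l33s1.dll Deleted successfully!
C:\WINDOWS\system32\t0r80a9ued.dll Deleted successfully!
C:\System Volume Information\_restore{D3FB0AEF-57DB-4035-9B70-4F853C045D83}\RP126\A0040481.dll Deleted successfully!
C:\WINDOWS\System32\guard.tmp Deleted successfully!
"""

# Identity of an entry: O4 run values by hive, key and value name (the target
# may change between runs); Winlogon Notify packages by name; otherwise the line.
KEY_PATTERNS = [
    re.compile(r"^(O4 - HK\w+\\\.\.\\\w+: \[[^\]]*\])"),
    re.compile(r"^(O20 - Winlogon Notify: \S+)"),
]


def entry_key(line):
    for pat in KEY_PATTERNS:
        m = pat.match(line)
        if m:
            return m.group(1)
    return line


def by_key(text):
    lines = [l.strip() for l in text.splitlines()]
    return {entry_key(l): l for l in lines if l}


def diff_logs(before, after):
    """Entries added, removed, or kept under the same identity with a new value."""
    old, new = by_key(before), by_key(after)
    return {
        "added": [new[k] for k in new if k not in old],
        "removed": [old[k] for k in old if k not in new],
        "changed": [(old[k], new[k]) for k in old if k in new and old[k] != new[k]],
    }


def summarize_l2m(report):
    """Split hits into live files and System Restore copies; list hits with no deletion line."""
    lines = [l.strip() for l in report.splitlines()]
    infected = {l[len("Infected! "):].lower() for l in lines if l.startswith("Infected! ")}
    deleted = {l[:-len(" Deleted successfully!")].lower() for l in lines if l.endswith(" Deleted successfully!")}
    restore = {p for p in infected if "\\_restore{" in p}
    return {
        "live": sorted(infected - restore),
        "restore_point": sorted(restore),
        "not_deleted": sorted(infected - deleted),
    }


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("added", "removed"):
        for line in d[kind]:
            print(kind, line)
    for old, new in d["changed"]:
        print("changed", old, "->", new.split("] ", 1)[1])
    print(summarize_l2m(L2M_REPORT))
```

The same diff applies to any pair of logs from the thread; only O4 and Winlogon Notify lines get a synthetic identity, so every other entry type is compared verbatim.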
     
  5. 2006/07/16
    TeMerc

    Well, that removed a bit, but we still have some more to go; the Wareout fix is next.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computer

    Save it to your desktop and run it. Click Next, then Install; make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
     
  6. 2006/07/16
    TeMerc

    Oppppsss
     
    Last edited: 2006/07/16
  7. 2006/07/16
    sivagi

    Report from FixWareout:

    ------------------
    Check for missing files
    .....
    C:\WINDOWS\system32\AUTOEXEC.NT not there
    .....
    End check for missing files
    .....
    VXD Check
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
    "VDD "=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
    33,32,45,56,4e,54,31,2e,44,4c,4c,00,00
    .....
    End vxd check
    .....
    please post this at the forum

    ---------------------

    HijackThis log file:

    ------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 17:11:20, on 16/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\xpfilesys.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PCD32\Client32.exe
    C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\taskmgr.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Documents and Settings\Test\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKLM\..\Run: [newname] c:\\nwnmad_5.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrad_5.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdad_5.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [eq 32] C:\DOCUME~1\Test\APPLIC~1\CORNLI~1\junkacid.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - http://www.msn.com/llclient/dbrasclassic/winxp/AXXPEE.dll
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126458710527
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...08f65cf85f7b:bdbde7aebc81a3f424a604ce84bc937c
    O17 - HKLM\System\CCS\Services\Tcpip\..\{408D495B-8713-49BF-9262-504777F001D6}: NameServer = 218.248.255.145 61.1.96.69
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2l2YXNoYW5rYXI\command.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    -----------------
     
  8. 2006/07/16
    TeMerc
    I'm afraid we had an error due to a missing file and the Fixwareout didn't execute properly.

    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run Fixwareout please and provide new logs, sorry about that.
     
  9. 2006/07/18
    sivagi
    The report.txt did not come up when the system was rebooted. Fixwareout seems to have run fine: it downloaded some zip file and said that a script had been registered to run when the system reboots. But I could not see the report.txt coming up when the system rebooted, and the system did not take a long time to come back either. It came up as normal, so I'm not sure if the script actually ran. Anyway, I have attached the output of the HijackThis log file below.

    ----------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 18:16:15, on 18/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\xpfilesys.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PCD32\Client32.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Documents and Settings\Test\Desktop\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - http://www.msn.com/llclient/dbrasclassic/winxp/AXXPEE.dll
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126458710527
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    ------------------------------
     
  10. 2006/07/18
    TeMerc
    OK, if you would, please do a search for 'report.txt' on your system to see where that log file is, thanks.

    OK, I think we can fix up everything now with HJT.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create an easily accessible backup file of the modifications, to use if a restore is necessary.

    First thing we need to do is stop the Network Monitor service:
    Go to: Start > Run > type " services.msc ", then click OK

    Scroll down to the Network Monitor service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled ", click Apply, then OK.

    Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es):
    C:\WINDOWS\System32\xpfilesys.exe

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe

    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe

    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe


    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\Network Monitor<<<<---folder
    c:\windows\system32\fbhzuavsyg.exe <<<--file
    C:\WINDOWS\System32\xpfilesys.exe<<<--file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please, along with the report.txt file if found.
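As an added example (not code from HijackThis, from TeMerc or from this thread), the following Python applies the triage reasoning used in the post above to O4 and O23 lines copied from the posted log: bare file names with no directory, one display name planted under several Run keys, a "Microsoft"-branded name whose image is not under a Windows or Microsoft path, random-looking names, and services with "Unknown owner". The reason labels, the weights and the consonant-run test are assumptions of mine; the script only reads log text.

```python
"""Triage pass over HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread, not code from HijackThis or from the helper.
Weights and the consonant-run test are assumptions, not a published rule set.
"""
import re
from collections import defaultdict

# A subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [fbhzuavsyg] c:\windows\system32\fbhzuavsyg.exe -start
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [display name] command line"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
# "O23 - Service: name - publisher - image path"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Either a quoted path, or everything up to the first ".exe" token.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)

BARE = "bare file name (no directory in command)"
MULTI = "same display name under several Run keys"
RANDOM = "random-looking executable name"
MASQ = "Microsoft-branded name, image not under a Windows/Microsoft path"
UNKNOWN = "service with no publisher (Unknown owner)"
WEIGHTS = {BARE: 1, MULTI: 2, RANDOM: 2, MASQ: 2, UNKNOWN: 2}  # assumed


def image_path(command):
    """Return the executable path from an autostart command line."""
    m = IMAGE_RE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0]


def looks_random(stem):
    """Weak heuristic: long, all lower-case letters, with a run of 4+
    consonants. Vendor entries such as TPWRTRAY keep their upper-case
    spelling, so they are left alone; this only adds weight, never decides."""
    return (len(stem) >= 8 and stem.isalpha() and stem.islower()
            and re.search(r"[^aeiou]{4}", stem) is not None)


def triage(lines, threshold=2):
    """Return {image file name: [reasons]} for entries whose summed
    weight reaches `threshold`; everything below it stays unreported."""
    reasons = defaultdict(set)
    keys_by_name = defaultdict(set)   # display name -> {(hive, key)}
    image_by_name = {}
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            image = image_path(command)
            base = image.rsplit("\\", 1)[-1]
            label = base.lower()
            keys_by_name[name.lower()].add((hive, key))
            image_by_name[name.lower()] = label
            if "\\" not in image:
                reasons[label].add(BARE)
            if looks_random(base.rsplit(".", 1)[0]):
                reasons[label].add(RANDOM)
            if "microsoft" in name.lower() and not re.search(
                    r"\\(windows|microsoft)", image, re.IGNORECASE):
                reasons[label].add(MASQ)
            continue
        m = O23_RE.match(line)
        if m:
            _service, owner, path = m.groups()
            label = image_path(path).rsplit("\\", 1)[-1].lower()
            if owner.strip().lower() == "unknown owner":
                reasons[label].add(UNKNOWN)
    # The same display name under HKLM\Run, HKLM\RunServices and HKCU\Run
    # at once is a persistence pattern, not how installers normally behave.
    for name, keys in keys_by_name.items():
        if len(keys) >= 2:
            reasons[image_by_name[name]].add(MULTI)
    return {label: sorted(rs) for label, rs in reasons.items()
            if sum(WEIGHTS[r] for r in rs) >= threshold}


if __name__ == "__main__":
    for label, rs in sorted(triage(SAMPLE_LOG).items()):
        print(label)
        for r in rs:
            print("   -", r)
```

On the sample above it reports only xpfilesys.exe, fbhzuavsyg.exe and netmon.exe, the same three items the post asks to fix, while the Toshiba, Symantec and Windows entries score below the threshold.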
     
  11. 2006/07/20
    sivagi
    Thanks for the help. The steps mentioned have been completed and I have attached the HJT contents. I could not find the report.txt file.

    HJT file :
    -------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 16:53:06, on 20/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\PCD32\Client32.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - http://www.msn.com/llclient/dbrasclassic/winxp/AXXPEE.dll
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126458710527
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    ------------------------

    Also, the other thing I noticed is that the Mozilla browser still gets re-routed to some ad site automatically, even now when I tried to log on to WindowsBBS to post this reply.
     
  12. 2006/07/20
    TeMerc
    What was your homepage previously with FF? Does IE stay on the page you set?

    Reset your FF homepage see if it sticks.

    Your log file appears clear of any malware indicators.
     
  13. 2006/07/21
    sivagi
    My homepage with FF is blank and comes up as blank. But when I try some pages and click on a link, let's say if I get into WindowsBBS and click on Post Reply, it takes me to the reply page and, before I can do anything there, it will take me to an ad page like 'goodrumor' or some junk like that. I will try with IE and let you know what happens.

    Also, the other question I had was how I could take preventive measures against these infections so that the laptop does not get infected with this kind of malware in future.

    Thanks for all the help so far.
     
  14. 2006/07/21
    TeMerc
    OK, let's run another find\search tool:

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  15. 2006/07/24
    sivagi
    Following is the error encountered when I ran the combofix.

    Script : C:\sUBs\ntsys.vbs
    Line : 2
    Char : 1
    Error : Library not registered
    Code : 8002801D
    Source : (null)
     
  16. 2006/07/24
    TeMerc
    OK, it's possible that Norton is interfering with ComboFix; it was a bug that was supposedly fixed. I'll need you to disable Norton entirely and then try the fix again.

    First DL a fresh copy of ComboFix then go to your task manager and be sure that all of Norton is disabled, then run the ComboFix and see if it runs.

    Sorry for the inconvenience.
     
  17. 2006/07/25
    sivagi
    Once I disabled Norton it ran and produced the following report.

    Start Time= 25/07/2006 18:23:44.31
    Running from: C:\Documents and Settings\Test\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbywu
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmklm
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{9CB82DD6-7A9E-4D52-9611-734BDD7AC887}]
    @=" "

    [HKEY_CLASSES_ROOT\clsid\{9CB82DD6-7A9E-4D52-9611-734BDD7AC887}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\clsid\{9CB82DD6-7A9E-4D52-9611-734BDD7AC887}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\clsid\{9CB82DD6-7A9E-4D52-9611-734BDD7AC887}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\SYSTEM32\MXVCIRTD.DLL
    C:\WINDOWS\SYSTEM32\MPC42D.DLL
    C:\WINDOWS\SYSTEM32\dfvx_xx07.dll
    C:\WINDOWS\SYSTEM32\unhisapi.dll
    C:\WINDOWS\SYSTEM32\guard.tmp
    C:\WINDOWS\SYSTEM32\euthook.dll
    C:\WINDOWS\SYSTEM32\dzmv2clt.dll
    C:\WINDOWS\SYSTEM32\silsrv32.dll
    C:\WINDOWS\SYSTEM32\suell.dll
    C:\WINDOWS\SYSTEM32\cSis2022.dll
    C:\WINDOWS\SYSTEM32\en4sl1h71.dll
    C:\WINDOWS\SYSTEM32\NQS.DLL
    C:\WINDOWS\SYSTEM32\MTLT3032.DLL
    C:\WINDOWS\SYSTEM32\usildll.dll
    C:\WINDOWS\SYSTEM32\MFO5ENU.DLL
    C:\WINDOWS\SYSTEM32\fycaxxv.dll
    C:\WINDOWS\SYSTEM32\fp8m03l1e.dll
    C:\WINDOWS\SYSTEM32\fp8s03l7e.dll
    C:\WINDOWS\SYSTEM32\lvn4095qe.dll
    C:\WINDOWS\SYSTEM32\dXdrm.dll


    Granting sedebugprivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\misc001
    C:\Program Files\Common Files\simtest
    C:\Program Files\Common Files\svchostsys
    C:\Documents and Settings\LocalService\Application Data\NetMon


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-16 17:09:36 39437 ( ..SH. ) "C:\WINDOWS\system32\xxyabyw.dll "
    2006-07-16 16:54:42 39437 ( ..SH. ) "C:\WINDOWS\system32\efcbywu.dll "
    2006-07-16 16:01:52 573492 ( ..SH. ) "C:\WINDOWS\system32\pmklm.dll "
    2006-07-16 05:29:10 39437 ( ..SH. ) "C:\WINDOWS\system32\fccaxxv.dll "
    2006-07-16 05:17:40 39437 ( ..SH. ) "C:\WINDOWS\system32\tuvwxyv.dll "
    2006-07-16 05:15:04 39437 ( ..SH. ) "C:\WINDOWS\system32\awtqnlj.dll "
    2006-07-16 05:03:32 39437 ( ..SH. ) "C:\WINDOWS\system32\ddcbaya.dll "
    2006-07-16 04:55:36 39437 ( ..SH. ) "C:\WINDOWS\system32\gebbbyv.dll "
    2006-07-16 03:45:58 573492 ( ..SH. ) "C:\WINDOWS\system32\vtutu.dll "
    2006-07-16 03:44:10 39437 ( ..SH. ) "C:\WINDOWS\system32\fccbyxv.dll "
    2006-07-15 20:01:18 39437 ( ..SH. ) "C:\WINDOWS\system32\hggedeb.dll "
    2006-07-15 19:54:52 39437 ( ..SH. ) "C:\WINDOWS\system32\xxyvtts.dll "
    2006-07-15 14:21:40 39437 ( ..SH. ) "C:\WINDOWS\system32\fccawww.dll "
    2006-07-08 16:40:20 39437 ( ..SH. ) "C:\WINDOWS\system32\yayxyyw.dll "
    2006-07-08 15:22:54 83208 ( A.... ) "C:\WINDOWS\system32\S32EVNT1.DLL "
    2006-07-08 15:20:24 39437 ( ..SH. ) "C:\WINDOWS\system32\khfcyvu.dll "
    2006-07-08 04:04:32 39437 ( ..SH. ) "C:\WINDOWS\system32\jkkkkkh.dll "
    2006-07-01 09:30:00 39437 ( ..SH. ) "C:\WINDOWS\system32\vturrpp.dll "
    2006-07-01 08:25:12 39437 ( ..SH. ) "C:\WINDOWS\system32\ddcddax.dll "
    2006-06-30 09:00:06 39437 ( ..SH. ) "C:\WINDOWS\system32\iifcaxu.dll "
    2006-06-30 08:38:22 39437 ( ..SH. ) "C:\WINDOWS\system32\gebbbxy.dll "
    2006-06-25 15:05:04 39437 ( ..SH. ) "C:\WINDOWS\system32\pmnnnlm.dll "
    2006-06-25 08:00:00 39437 ( ..SH. ) "C:\WINDOWS\system32\xxyxvvu.dll "
    2006-06-25 08:00:00 ( .D... ) "C:\Documents and Settings\Test\Application Data\Lavasoft "
    2006-06-25 07:59:58 39437 ( ..SH. ) "C:\WINDOWS\system32\khfccbc.dll "
    2006-06-25 07:58:00 ( .D... ) "C:\Program Files\SpywareBlaster "
    2006-06-25 07:57:18 ( .D... ) "C:\Program Files\Lavasoft "
    2006-06-24 11:58:58 39437 ( ..SH. ) "C:\WINDOWS\system32\mljigge.dll "
    2006-06-24 09:16:40 39437 ( ..SH. ) "C:\WINDOWS\system32\awtuuro.dll "
    2006-06-24 08:47:42 39437 ( ..SH. ) "C:\WINDOWS\system32\ssqqnmm.dll "
    2006-06-20 10:57:14 39437 ( ..SH. ) "C:\WINDOWS\system32\nnnlmmm.dll "
    2006-06-20 10:57:14 39437 ( ..SH. ) "C:\WINDOWS\system32\nnnkiff.dll "
    2006-06-20 10:39:18 39437 ( ..SH. ) "C:\WINDOWS\system32\fccdcax.dll "
    2006-06-20 10:39:18 39437 ( ..SH. ) "C:\WINDOWS\system32\efcbcab.dll "
    2006-06-20 03:59:22 39437 ( ..SH. ) "C:\WINDOWS\system32\pmnkhff.dll "
    2006-06-20 03:59:22 39437 ( ..SH. ) "C:\WINDOWS\system32\hgggeff.dll "
    2006-06-17 04:58:54 91563 ( A...R ) "C:\WINDOWS\system32\telcoms.exe "
    2006-06-10 06:14:58 ( .D... ) "C:\Program Files\corn link memo "
    2006-06-10 05:49:38 24576 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll "
    2006-06-07 18:55:52 3753 ( A.... ) "C:\Program Files\html2.htm "
    2006-06-07 18:55:52 3626 ( A.... ) "C:\Program Files\html1.htm "
    2006-06-03 17:28:44 ( .D... ) "C:\Program Files\HFXP "
    2006-03-21 11:58:40 262144 ( A.... ) "C:\Program Files\NTUSER.DAT "
    2006-03-21 11:58:40 1024 ( A..H. ) "C:\Program Files\NTUSER.DAT.LOG "
    2006-03-21 11:55:36 262144 ( A.... ) "C:\Program Files\NTUSER.DAT.RMC.backup "


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-16 17:09 39,437 C:\WINDOWS\system32\xxyabyw.dll
    2006-07-16 16:54 39,437 C:\WINDOWS\system32\efcbywu.dll
    2006-07-16 16:01 573,492 C:\WINDOWS\system32\pmklm.dll
    2006-07-16 05:29 39,437 C:\WINDOWS\system32\fccaxxv.dll
    2006-07-16 05:17 39,437 C:\WINDOWS\system32\tuvwxyv.dll
    2006-07-16 05:15 39,437 C:\WINDOWS\system32\awtqnlj.dll
    2006-07-16 05:03 39,437 C:\WINDOWS\system32\ddcbaya.dll
    2006-07-16 04:55 39,437 C:\WINDOWS\system32\gebbbyv.dll
    2006-07-16 03:44 573,492 C:\WINDOWS\system32\vtutu.dll
    2006-07-16 03:44 39,437 C:\WINDOWS\system32\fccbyxv.dll
    2006-07-15 20:01 39,437 C:\WINDOWS\system32\hggedeb.dll
    2006-07-15 19:54 39,437 C:\WINDOWS\system32\xxyvtts.dll
    2006-07-15 14:21 39,437 C:\WINDOWS\system32\fccawww.dll
    2006-07-08 16:40 39,437 C:\WINDOWS\system32\yayxyyw.dll
    2006-07-08 15:20 39,437 C:\WINDOWS\system32\khfcyvu.dll
    2006-07-08 04:04 39,437 C:\WINDOWS\system32\jkkkkkh.dll
    2006-07-01 09:29 39,437 C:\WINDOWS\system32\vturrpp.dll
    2006-07-01 08:25 39,437 C:\WINDOWS\system32\ddcddax.dll
    2006-06-30 09:00 39,437 C:\WINDOWS\system32\iifcaxu.dll
    2006-06-30 08:38 39,437 C:\WINDOWS\system32\gebbbxy.dll
    2006-06-25 15:05 39,437 C:\WINDOWS\system32\pmnnnlm.dll
    2006-06-25 07:59 39,437 C:\WINDOWS\system32\xxyxvvu.dll
    2006-06-25 07:59 39,437 C:\WINDOWS\system32\khfccbc.dll
    2006-06-24 11:58 39,437 C:\WINDOWS\system32\mljigge.dll
    2006-06-24 09:16 39,437 C:\WINDOWS\system32\awtuuro.dll
    2006-06-24 08:47 39,437 C:\WINDOWS\system32\ssqqnmm.dll
    2006-06-20 10:57 39,437 C:\WINDOWS\system32\nnnlmmm.dll
    2006-06-20 10:57 39,437 C:\WINDOWS\system32\nnnkiff.dll
    2006-06-20 10:39 39,437 C:\WINDOWS\system32\fccdcax.dll
    2006-06-20 10:39 39,437 C:\WINDOWS\system32\efcbcab.dll
    2006-06-20 03:59 39,437 C:\WINDOWS\system32\pmnkhff.dll
    2006-06-20 03:59 39,437 C:\WINDOWS\system32\hgggeff.dll
    2006-06-17 04:58 91,563 C:\WINDOWS\system32\telcoms.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IMJPMIG8.1 "= "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 "
    "MSPY2002 "= "C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC "
    "PHIME2002ASync "= "C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC "
    "PHIME2002A "= "C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName "
    "NvCplDaemon "= "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "
    "00THotkey "= "C:\\WINDOWS\\System32\\00THotkey.exe "
    "000StTHK "= "000StTHK.exe "
    "Tpwrtray "= "TPWRTRAY.EXE "
    "TFncKy "= "TFncKy.exe /Type 20 "
    "TosHKCW.exe "= "\ "C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\" "
    "TFNF5 "= "TFNF5.exe "
    "Apoint "= "C:\\Program Files\\Apoint2K\\Apoint.exe "
    "TouchED "= "C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe "
    "CyberArmorLoader "= "pcsldr.exe "
    "PC-Duo System Snapshot "= "C:\\PCD32\\CLBOOT32.EXE "
    "windows auto update "=" "
    "Microsoft Works Update Detection "= "C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe "
    "SpyHunter "=" "
    "vptray "= "C:\\Program Files\\NavNT\\vptray.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe "= "C:\\WINDOWS\\System32\\ctfmon.exe "
    "RealPlayer "= "\ "C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    "flags "=dword:00000008

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Microsoft Telecoms Center "= "telcoms.exe "

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "Microsoft Telecoms Center "= "telcoms.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} "=" "



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\A2C88CAC919F007C.job

    Completion time: 25/07/2006 18:26:13.61
    ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
     
  18. 2006/07/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, it's very likely I'm going to be getting some assistance with this, because we will need to create a registry fix.

    I'll post back later in the evening (my evening anyway).

    Thanks for being patient.
     
  19. 2006/07/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Several files pointing to Vundo, so let's run that fix.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files. Click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  20. 2006/07/26
    sivagi

    sivagi Inactive Thread Starter

    Joined:
    2006/07/15
    Messages:
    18
    Likes Received:
    0
    Done that, and the following is the output.

    Vundofix.txt

    -------------------------

    VundoFix V5.1.5

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Sun Java not detected
    Scan started at 18:20:45 26/07/2006

    Listing files found while scanning....

    C:\windows\system32\pmnnnlm.dll
    C:\windows\system32\hgggeff.dll
    C:\windows\system32\pmnkhff.dll
    C:\windows\system32\fccdcax.dll
    C:\windows\system32\efcbcab.dll
    C:\windows\system32\gebbbxy.dll
    C:\windows\system32\ssqqnmm.dll
    C:\windows\system32\awtuuro.dll
    C:\windows\system32\mljigge.dll
    C:\windows\system32\yayxyyw.dll
    C:\windows\system32\iifcaxu.dll
    C:\windows\system32\nnnlmmm.dll
    C:\windows\system32\awtqnlj.dll
    C:\windows\system32\tuvwxyv.dll
    C:\windows\system32\nnnkiff.dll
    C:\windows\system32\khfccbc.dll
    C:\windows\system32\xxyxvvu.dll
    C:\windows\system32\fccaxxv.dll
    C:\windows\system32\ddcddax.dll
    C:\windows\system32\vturrpp.dll
    C:\windows\system32\pmklm.dll
    C:\windows\system32\mlkmp.ini
    C:\windows\system32\mlkmp.bak1
    C:\windows\system32\mlkmp.ini2
    C:\windows\system32\jkkkkkh.dll
    C:\windows\system32\khfcyvu.dll
    C:\windows\system32\efcbywu.dll
    C:\windows\system32\fccawww.dll
    C:\windows\system32\xxyvtts.dll
    C:\windows\system32\hggedeb.dll
    C:\windows\system32\xxyabyw.dll
    C:\windows\system32\fccbyxv.dll
    C:\windows\system32\vtutu.dll
    C:\windows\system32\ututv.ini
    C:\windows\system32\gebbbyv.dll
    C:\windows\system32\ddcbaya.dll

    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\windows\system32\pmnnnlm.dll
    C:\windows\system32\pmnnnlm.dll Has been deleted!

    Attempting to delete C:\windows\system32\hgggeff.dll
    C:\windows\system32\hgggeff.dll Has been deleted!

    Attempting to delete C:\windows\system32\pmnkhff.dll
    C:\windows\system32\pmnkhff.dll Has been deleted!

    Attempting to delete C:\windows\system32\fccdcax.dll
    C:\windows\system32\fccdcax.dll Has been deleted!

    Attempting to delete C:\windows\system32\efcbcab.dll
    C:\windows\system32\efcbcab.dll Has been deleted!

    Attempting to delete C:\windows\system32\gebbbxy.dll
    C:\windows\system32\gebbbxy.dll Has been deleted!

    Attempting to delete C:\windows\system32\ssqqnmm.dll
    C:\windows\system32\ssqqnmm.dll Has been deleted!

    Attempting to delete C:\windows\system32\awtuuro.dll
    C:\windows\system32\awtuuro.dll Has been deleted!

    Attempting to delete C:\windows\system32\mljigge.dll
    C:\windows\system32\mljigge.dll Has been deleted!

    Attempting to delete C:\windows\system32\yayxyyw.dll
    C:\windows\system32\yayxyyw.dll Has been deleted!

    Attempting to delete C:\windows\system32\iifcaxu.dll
    C:\windows\system32\iifcaxu.dll Has been deleted!

    Attempting to delete C:\windows\system32\nnnlmmm.dll
    C:\windows\system32\nnnlmmm.dll Has been deleted!

    Attempting to delete C:\windows\system32\awtqnlj.dll
    C:\windows\system32\awtqnlj.dll Has been deleted!

    Attempting to delete C:\windows\system32\tuvwxyv.dll
    C:\windows\system32\tuvwxyv.dll Has been deleted!

    Attempting to delete C:\windows\system32\nnnkiff.dll
    C:\windows\system32\nnnkiff.dll Has been deleted!

    Attempting to delete C:\windows\system32\khfccbc.dll
    C:\windows\system32\khfccbc.dll Has been deleted!

    Attempting to delete C:\windows\system32\xxyxvvu.dll
    C:\windows\system32\xxyxvvu.dll Has been deleted!

    Attempting to delete C:\windows\system32\fccaxxv.dll
    C:\windows\system32\fccaxxv.dll Has been deleted!

    Attempting to delete C:\windows\system32\ddcddax.dll
    C:\windows\system32\ddcddax.dll Has been deleted!

    Attempting to delete C:\windows\system32\vturrpp.dll
    C:\windows\system32\vturrpp.dll Has been deleted!

    Attempting to delete C:\windows\system32\pmklm.dll
    C:\windows\system32\pmklm.dll Has been deleted!

    Attempting to delete C:\windows\system32\mlkmp.ini
    C:\windows\system32\mlkmp.ini Has been deleted!

    Attempting to delete C:\windows\system32\mlkmp.bak1
    C:\windows\system32\mlkmp.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\mlkmp.ini2
    C:\windows\system32\mlkmp.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\jkkkkkh.dll
    C:\windows\system32\jkkkkkh.dll Has been deleted!

    Attempting to delete C:\windows\system32\khfcyvu.dll
    C:\windows\system32\khfcyvu.dll Has been deleted!

    Attempting to delete C:\windows\system32\efcbywu.dll
    C:\windows\system32\efcbywu.dll Could not be deleted.

    Attempting to delete C:\windows\system32\fccawww.dll
    C:\windows\system32\fccawww.dll Has been deleted!

    Attempting to delete C:\windows\system32\xxyvtts.dll
    C:\windows\system32\xxyvtts.dll Has been deleted!

    Attempting to delete C:\windows\system32\hggedeb.dll
    C:\windows\system32\hggedeb.dll Has been deleted!

    Attempting to delete C:\windows\system32\xxyabyw.dll
    C:\windows\system32\xxyabyw.dll Has been deleted!

    Attempting to delete C:\windows\system32\fccbyxv.dll
    C:\windows\system32\fccbyxv.dll Has been deleted!

    Attempting to delete C:\windows\system32\vtutu.dll
    C:\windows\system32\vtutu.dll Has been deleted!

    Attempting to delete C:\windows\system32\ututv.ini
    C:\windows\system32\ututv.ini Has been deleted!

    Attempting to delete C:\windows\system32\gebbbyv.dll
    C:\windows\system32\gebbbyv.dll Has been deleted!

    Attempting to delete C:\windows\system32\ddcbaya.dll
    C:\windows\system32\ddcbaya.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
    --------------------------


    Hijackthis log file

    -----------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 18:26:51, on 26/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PCD32\Client32.exe
    C:\PROGRA~1\CYBERA~1\casvc.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\progra~1\notes\ntmulti.exe
    C:\PROGRA~1\NavNT\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\CYBERA~1\pcs.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    c:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gd.db.com/
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\efcbywu.dll
    O2 - BHO: (no name) - {F90D6C39-8A58-4CCC-82AE-7B5F6F3AB728} - C:\WINDOWS\System32\pmklm.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [CyberArmorLoader] pcsldr.exe
    O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://gd.db.com
    O15 - Trusted Zone: http://www.msn.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://dbrasweb-hh1.uk.db.com/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://rctoolbox2.uk.db.com/dbras-compliance/cgagent/web/ie/CGAgentATL.dll
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2FB195-3A7B-4768-AB73-AD8A4F02BEAF}: NameServer = 192.168.1.1,61.1.96.71
    O20 - AppInit_DLLs: cahooknt.dll
    O23 - Service: Client32 - Productive Computer Insight Ltd - C:\PCD32\Client32.exe
    O23 - Service: CyberArmor Run Service (CyberArmorRunService) - Unknown owner - C:\PROGRA~1\CYBERA~1\casvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\progra~1\notes\ntmulti.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    -----------------------
     
  21. 2006/07/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like we're about done. Let's run the ComboFix again to see what may have hampered removal of this file:
    C:\WINDOWS\System32\efcbywu.dll

    I bet there is a hidden file hooking that one.

    Post results here as previous.
     