
Solved Trojan of BHO (no name) removal...

Discussion in 'Malware and Virus Removal Archive' started by satria, 2008/04/02.

  1. 2008/04/02
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    [Resolved] Trojan of BHO (no name) removal...

    Hello guys,

    I've been to this forum before with the same problem, and while in the midst of getting rid of the trojans with the help of one of your 'gurus' I was transferred to a different work location...sorry guys, and now I'm back to my old PC with the Trojans still popping up in the AVG virus detection :(.

    Here I'm pasting the logs of ComboFix and Hijackthis....FYI, before I ran these programmes I shut down AVG and my BHO Demon.

    For Hijackthis.exe...I've renamed it to Apekis.exe

    Please help me in getting rid of these trojans jgsd400h.dll & pttlsezb.dll :eek:...


    ComboFix Log:

    ComboFix 08-04-01.2 - Dev 2008-04-03 10:47:50.11 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.67 [GMT 8:00]
    Running from: C:\Documents and Settings\Dev\Desktop\zSAM\Appn\ComboFix\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\WLCtrl32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
    .

    2008-04-03 10:28 . 2008-04-03 10:28 <DIR> d-------- C:\!KillBox
    2008-04-02 13:14 . 2008-04-02 13:14 <DIR> d-------- C:\VundoFix Backups
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-28 18:15 . 2008-03-28 18:15 20,504 --a------ C:\Documents and Settings\Dev\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-18 17:12 . 2008-03-18 17:12 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-18 17:12 . 2008-03-18 17:13 <DIR> d-------- C:\Program Files\stc
    2008-03-18 16:56 . 2008-03-18 16:56 104,341 --a------ C:\lhymx.exe
    2008-03-18 16:29 . 26,624 C:\WINDOWS\system32\drivers\Inr83.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-31 16:17 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\pdfdoc2.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-02_13.52.32.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-02 05:38:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-03 02:37:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-02 05:38:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-03 02:37:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-02 05:38:38 344,064 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-03 02:37:04 344,064 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2001-08-23 12:00 83968 --a------ c:\windows\system32\jgsd400h.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [ ]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06 32768]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 173056 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:58 579072]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13 1101824]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50 155648]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 11:40 219136]

    C:\Documents and Settings\Dev\Start Menu\Programs\Startup\
    BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 12:59:30 946176]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04 83360]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07 106560]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr83.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    appsecdll REG_EXPAND_SZ C:\WINDOWS\System32\AppCert\wsil32.dll

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-06-06 07:07]
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys []
    R0 Inr83;Inr83;C:\WINDOWS\System32\Drivers\Inr83.sys []
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS [1997-12-08 18:07]
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys [2002-09-13 20:35]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 01:50]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-03 10:51:07
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-03 10:52:11
    ComboFix-quarantined-files.txt 2008-04-03 02:52:08
    ComboFix2.txt 2008-04-02 05:52:58
    Pre-Run: 3,722,141,696 bytes free
    Post-Run: 3,712,393,216 bytes free



    Hijackthis aka Apekis log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:03, on 2008-04-03
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Dev\Desktop\zSAM\Appn\Apekis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\jgsd400h.dll
    O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    Thank you...appreciate it :eek:
     
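The two logs above are long, and the entries that matter are easy to miss among the legitimate ones. The script below is an added example (not from this thread, and not code from the HijackThis or ComboFix authors) that triages lines of either log for the three kinds of indicator the rest of the thread acts on: `O2` BHO entries registered with no name, ComboFix driver lines whose timestamp bracket is empty (`[]`, meaning ComboFix could read no date or version from the file), and the `AppCertDlls` loading point, whose listed DLL is loaded into processes that call `CreateProcess`. The sample input is constructed by copying lines from the logs posted above; the `Finding` type and the function names are this example's own.

```python
"""Triage HijackThis / ComboFix text logs for the indicators discussed in this
thread.  Added example: not from the thread, nor from the HijackThis or
ComboFix authors.  It flags:
  * O2 BHO lines registered with no name ("(no name)")
  * ComboFix driver/service lines whose file timestamp bracket is empty "[]"
  * the AppCertDlls loading point (its DLL is loaded into processes that
    call CreateProcess)
The sample log lines are constructed by copying lines from the thread's logs.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # "unnamed_bho", "driver_no_timestamp" or "appcertdll"
    detail: str  # CLSID, service name, or registry value name
    path: str    # file the entry loads


# HijackThis:  O2 - BHO: <name> - {CLSID} - <path>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# ComboFix:  R0 svc;display name;C:\path\file.sys [2002-06-06 07:07]   (or [])
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
APPCERT_KEY_SUFFIX = r"\session manager\appcertdlls]"


def triage(lines):
    """Return the suspicious entries found in an iterable of log lines."""
    findings = []
    in_appcert = False
    for raw in lines:
        line = raw.strip()
        if in_appcert:
            # Value lines under the key look like:  name REG_EXPAND_SZ C:\path\x.dll
            if not line or line.startswith("["):
                in_appcert = False  # a blank line or the next key ends the block
            else:
                parts = line.split(None, 2)
                if len(parts) == 3:
                    findings.append(Finding("appcertdll", parts[0], parts[2]))
                continue
        if line.lower().endswith(APPCERT_KEY_SUFFIX):
            in_appcert = True
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(Finding("unnamed_bho", m.group("clsid"), m.group("path")))
            continue
        m = DRIVER_RE.match(line)
        if m and m.group("stamp").strip() == "":
            findings.append(Finding("driver_no_timestamp", m.group("svc"), m.group("path")))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'unnamed_bho': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: lines copied from the ComboFix and HijackThis logs in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {CA704D09-EB2B-4A94-954F-B4FF0A2CC763} - c:\windows\system32\jgsd400h.dll
O2 - BHO: (no name) - {EDE9E2C5-45D5-4AF0-BDD9-94E41638311E} - c:\windows\system32\pttlsezb.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\System32\AppCert\wsil32.dll

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-06-06 07:07]
R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys []
R0 Inr83;Inr83;C:\WINDOWS\System32\Drivers\Inr83.sys []
R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS [1997-12-08 18:07]
""".strip("\n").splitlines()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.detail:40} {f.path}")
    print(summarize(found))
```

Run against the sample it reports the two unnamed BHOs (`jgsd400h.dll`, `pttlsezb.dll`), the `AppCert\wsil32.dll` loading point, and the two drivers with no timestamp (`girynokv`, `Inr83`), while the signed Yahoo BHO and the `BsStor`/`as6eio` drivers pass. An empty `[]` or an unnamed BHO is a reason to look, not proof of infection on its own; the reply in the thread confirms each one against the rest of the log before removing it.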
  2. 2008/04/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi satria,

    Please post the contents of the following logs before we continue. They should be located in C:\Qoobox

    ComboFix2.txt
    ComboFix-quarantined-files.txt
     


  4. 2008/04/02
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Hi there Noah....these are the files...


    ComboFix2

    ComboFix 08-04-01.2 - Dev 2008-04-02 13:47:49.10 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.84 [GMT 8:00]
    Running from: C:\Documents and Settings\Dev\Desktop\zSAM\Appn\ComboFix\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\180ax.exe
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\appcert
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
    .

    2008-04-02 13:14 . 2008-04-02 13:14 <DIR> d-------- C:\VundoFix Backups
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-28 18:15 . 2008-03-28 18:15 20,504 --a------ C:\Documents and Settings\Dev\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-18 17:12 . 2008-03-18 17:12 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-18 17:12 . 2008-03-18 17:13 <DIR> d-------- C:\Program Files\stc
    2008-03-18 16:56 . 2008-03-18 16:56 104,341 --a------ C:\lhymx.exe
    2008-03-18 16:29 . 26,624 C:\WINDOWS\system32\drivers\Inr83.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-31 16:17 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\pdfdoc2.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    2001-08-23 12:00 83968 --a------ c:\windows\system32\jgsd400h.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    2007-09-06 09:05 88064 --a------ c:\windows\system32\pttlsezb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [ ]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06 32768]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 173056 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:58 579072]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13 1101824]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50 155648]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 11:40 219136]

    C:\Documents and Settings\Dev\Start Menu\Programs\Startup\
    BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 12:59:30 946176]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04 83360]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07 106560]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr83.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    appsecdll REG_EXPAND_SZ C:\WINDOWS\System32\AppCert\wsil32.dll

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-06-06 07:07]
    R0 girynokv;girynokv;C:\WINDOWS\System32\drivers\ugtemwkc.sys []
    R0 Inr83;Inr83;C:\WINDOWS\System32\Drivers\Inr83.sys []
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS [1997-12-08 18:07]
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys [2002-09-13 20:35]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 01:50]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-02 13:51:42
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-02 13:52:56
    ComboFix-quarantined-files.txt 2008-04-02 05:52:52
    Pre-Run: 3,720,749,056 bytes free
    Post-Run: 3,710,304,256 bytes free


    ComboFix Quarantined Files

    2008-03-18 16:57 4 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winfrun32.bin.vir
    2008-03-18 17:12 12800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WER8274.DLL.vir
    2008-03-18 17:12 14848 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cdsm32.dll.vir
    2008-03-18 17:12 17920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\salm.exe.vir
    2008-03-18 17:12 21760 --a------ C:\Qoobox\Quarantine\C\WINDOWS\bjam.dll.vir
    2008-03-18 17:12 22784 --a------ C:\Qoobox\Quarantine\C\WINDOWS\180ax.exe.vir
    2008-03-18 17:12 26368 --a------ C:\Qoobox\Quarantine\C\WINDOWS\bokja.exe.vir
    2008-03-18 17:12 27648 --a------ C:\Qoobox\Quarantine\C\WINDOWS\updatetc.exe.vir
    2008-03-18 17:12 31744 --a------ C:\Qoobox\Quarantine\C\WINDOWS\mspphe.dll.vir
    2008-03-18 17:12 8448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIXU.DLL.vir
    2008-03-18 17:12 9984 --a------ C:\Qoobox\Quarantine\C\WINDOWS\saiemod.dll.vir
    2008-03-18 17:13 12800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\voiceip.dll.vir
    2008-03-18 17:13 15360 --a------ C:\Qoobox\Quarantine\C\WINDOWS\stcloader.exe.vir
    2008-03-18 17:13 31744 --a------ C:\Qoobox\Quarantine\C\WINDOWS\swin32.dll.vir
    2008-03-19 09:04 1913 --a------ C:\Qoobox\Quarantine\C\WINDOWS\default.htm.vir
    2008-04-02 14:01 11776 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir
    2008-04-03 10:50 78 --a------ C:\Qoobox\Quarantine\catchme.log
     
  5. 2008/04/02
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah...FYI....those two files are orphan registry, detected by BHO Demon :confused:
     
  6. 2008/04/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, you need to uninstall your current version of HijackThis and update to the latest version. Please download the HijackThis Installer from here and install it.

    Then, once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\lhymx.exe
    C:\WINDOWS\system32\drivers\Inr83.sys
    C:\WINDOWS\System32\drivers\ugtemwkc.sys
    Folder::
    C:\Program Files\Sysmnt
    C:\Program Files\stc
    Driver::
    girynokv
    Inr83
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA704D09-EB2B-4A94-954F-B4FF0A2CC763}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE9E2C5-45D5-4AF0-BDD9-94E41638311E}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr83.sys]
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task "=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  7. 2008/04/03
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah...I've done the task and these are the log files :D

    ComboFix

    ComboFix 08-04-01.2 - Dev 2008-04-03 15:34:26.12 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.69 [GMT 8:00]
    Running from: C:\Documents and Settings\Dev\Desktop\zSAM\Appn\ComboFix\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Dev\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\lhymx.exe
    C:\WINDOWS\system32\drivers\Inr83.sys
    C:\WINDOWS\System32\drivers\ugtemwkc.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\lhymx.exe
    C:\WINDOWS\system32\drivers\Inr83.sys
    C:\WINDOWS\System32\drivers\ugtemwkc.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GIRYNOKV
    -------\Legacy_INR83
    -------\Service_girynokv
    -------\Service_Inr83


    ((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
    .

    2008-04-03 10:28 . 2008-04-03 10:28 <DIR> d-------- C:\!KillBox
    2008-04-02 13:14 . 2008-04-02 13:14 <DIR> d-------- C:\VundoFix Backups
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-01 16:31 . 2008-04-01 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-28 18:15 . 2008-03-28 18:15 20,504 --a------ C:\Documents and Settings\Dev\Application Data\GDIPFONTCACHEV1.DAT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-31 16:17 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\pdfdoc2.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-02_13.52.32.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2008-04-02 05:38:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-03 02:57:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-02 05:38:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-03 02:57:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-02 05:38:38 344,064 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-03 02:57:52 344,064 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Tray "= "C:\WINDOWS\System32\sistray.EXE" [ ]
    "SiSUSBRG "= "C:\WINDOWS\sisUSBrg.exe" [2002-04-25 08:06 32768]
    "PCTVOICE "= "pctspk.exe" [2001-10-03 22:48 173056 C:\WINDOWS\system32\pctspk.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:58 579072]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2002-09-13 01:13 1101824]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 16:50 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 11:40 219136]

    C:\Documents and Settings\Dev\Start Menu\Programs\Startup\
    BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 12:59:30 946176]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 09:01:04 83360]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-19 01:53:07 106560]

    R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-06-06 07:07]
    R1 as6eio;as6eio;C:\WINDOWS\System32\drivers\as6eio.SYS [1997-12-08 18:07]
    R2 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys [2002-09-13 20:35]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 01:50]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-03 15:50:05
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-03 15:52:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-03 07:52:28
    ComboFix3.txt 2008-04-02 05:52:58
    ComboFix2.txt 2008-04-03 02:52:14
    Pre-Run: 3,615,907,840 bytes free
    Post-Run: 3,665,625,088 bytes free


    HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:55, on 2008-04-03
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 5357 bytes


    It seems to have gone, or is it too early to celebrate? ;):D
     
  8. 2008/04/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good, but don't celebrate just yet. Let's see what an online scan reveals. Please do an online scan with Kaspersky WebScanner

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  9. 2008/04/07
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah....sorry, I've been out of town for the past three days. I've scanned the machine with Kaspersky...:eek: , the virus is still around...here are the log files


    Kaspersky

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2008-04-07 13:21
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/04/2008
    Kaspersky Anti-Virus database records: 687622
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 39897
    Number of viruses found: 5
    Number of infected objects: 9
    Number of suspicious objects: 0
    Duration of the scan process: 00:47:34

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\esnecil.ind Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Dev\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Dev\Local Settings\Temp\Perflib_Perfdata_744.dat Object is locked skipped
    C:\Documents and Settings\Dev\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Dev\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Dev\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Dev\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Dev\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Dev\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP100\A0021577.exe Infected: Trojan-Downloader.Win32.Mutant.ac skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP102\A0021693.dll Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP103\A0022739.dll Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\A0022797.exe Infected: Trojan-Downloader.Win32.Mutant.ac skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\A0022808.dll Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\A0022809.dll Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\A0022814.sys Object is locked skipped
    C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\change.log Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Agent.lkz skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Inr83.sys.vir Infected: Email-Worm.Win32.Agent.du skipped
    C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
    C:\QooBox\Quarantine\C\lhymx.exe.vir Infected: Trojan-Downloader.Win32.Mutant.ac skipped
    C:\QooBox\Quarantine\catchme2008-04-03_154947.57.zip/Documents and Settings/Dev/Desktop/catchme.zip/ugtemwkc.sys Infected: Rootkit.Win32.Agent.iy skipped
    C:\QooBox\Quarantine\catchme2008-04-03_154947.57.zip/Documents and Settings/Dev/Desktop/catchme.zip Infected: Rootkit.Win32.Agent.iy skipped
    C:\QooBox\Quarantine\catchme2008-04-03_154947.57.zip ZIP: infected - 2 skipped

    Scan process completed.



    HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:27, on 2008-04-07
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn3\YTBSDK.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB0_0_0 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 5557 bytes


    :eek::cool:
     
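The thread title refers to a BHO that HijackThis lists without a name. As an added illustration (not code from the thread or from HijackThis), here is a small parser for the O2 lines of a HijackThis log that extracts each BHO's name, CLSID and DLL path and flags the two cases a helper usually looks at first: an entry shown as "(no name)" and an entry whose file HijackThis reports as missing. The first three sample lines are copied from the log above; the "(no name)" and "(file missing)" lines are constructed with placeholder CLSIDs and paths.

```python
import re

# Constructed sample. The first three O2 lines are taken from the HijackThis log
# posted in this thread; the last two O2 lines are made up (placeholder CLSIDs
# and paths) to exercise the "(no name)" and "(file missing)" cases.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\EXAMPLE_PLACEHOLDER.dll
O2 - BHO: Example Helper - {11111111-1111-1111-1111-111111111111} - C:\WINDOWS\system32\EXAMPLE_GONE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]".
# The CLSID pattern anchors the split, so a name containing " - " still parses.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_bhos(log_text):
    """Return one dict per O2 (BHO) line; other HijackThis sections are ignored."""
    bhos = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        bhos.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return bhos


def suspicious_bhos(bhos):
    """Flag BHOs with no registry name or whose DLL is not on disk.

    These are only triage hints: a nameless BHO is not proof of malware,
    and a missing file is usually a leftover registration worth cleaning.
    """
    flagged = []
    for b in bhos:
        reasons = []
        if b["name"].lower() == "(no name)":
            reasons.append("no registry name")
        if b["file_missing"]:
            reasons.append("file missing on disk")
        if reasons:
            flagged.append({**b, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in suspicious_bhos(parse_bhos(SAMPLE_HJT_LOG)):
        print(entry["clsid"], entry["path"], "->", ", ".join(entry["reasons"]))
```

Running it lists only the two constructed entries; the three Yahoo!/Megaupload BHOs from the real log pass both checks, which matches the helper's reading of the log as clean.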
  10. 2008/04/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    All infected files are quarantined by ComboFix or in System Restore points. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    How's the computer running now?
     
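The reasoning in the reply above (every "Infected" hit sits either in ComboFix's quarantine or inside a System Restore point, so nothing live remains) can be automated. The following is an added example, not code from the thread, Kaspersky or ComboFix: it parses a Kaspersky Online Scanner report, sorts each hit by where the file lives and reports whether any infection is outside quarantine or restore points. The sample report is a constructed subset of the one posted above, plus one made-up "live" line with a placeholder path and detection name to show the case that would need action. The quarantine folder (C:\QooBox\Quarantine) and the restore-point folder names come from the posted log.

```python
import re
from collections import Counter

# Constructed sample: real lines are copied from the Kaspersky report in this
# thread; the final line is made up (placeholder path and detection name) to
# represent an infection that is neither quarantined nor in a restore point.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP100\A0021577.exe Infected: Trojan-Downloader.Win32.Mutant.ac skipped
C:\System Volume Information\_restore{5EC96DBB-E7D2-49A0-8FCC-2C771FBD0126}\RP105\A0022797.exe Infected: Trojan-Downloader.Win32.Mutant.ac skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Agent.lkz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Inr83.sys.vir Infected: Email-Worm.Win32.Agent.du skipped
C:\QooBox\Quarantine\C\lhymx.exe.vir Infected: Trojan-Downloader.Win32.Mutant.ac skipped
C:\QooBox\Quarantine\catchme2008-04-03_154947.57.zip/Documents and Settings/Dev/Desktop/catchme.zip/ugtemwkc.sys Infected: Rootkit.Win32.Agent.iy skipped
C:\QooBox\Quarantine\catchme2008-04-03_154947.57.zip ZIP: infected - 2 skipped
C:\WINDOWS\system32\EXAMPLE_LIVE_PLACEHOLDER.dll Infected: Constructed.Example.Detection skipped
"""

# Report line layout: "<path> Infected: <name> skipped", "<path> Object is locked skipped"
# or "<path> ZIP: infected - <n> skipped". The path may contain spaces, so it is
# matched lazily up to the first status phrase.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<threat>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>ZIP: infected - \d+)"
    r") skipped$"
)


def classify(path):
    """Where the object lives: ComboFix quarantine, System Restore point, or live."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine" + "\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_report(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, statistics and blank lines
        if m.group("threat"):
            status, threat = "infected", m.group("threat")
        elif m.group("archive"):
            status, threat = "infected_archive", None
        else:
            status, threat = "locked", None
        entries.append({"path": m.group("path"), "status": status,
                        "threat": threat, "location": classify(m.group("path"))})
    return entries


def triage(report_text):
    """Summarise hits by location and list any that still need removal."""
    entries = parse_report(report_text)
    hits = [e for e in entries if e["status"] != "locked"]
    live = [e["path"] for e in hits if e["location"] == "live"]
    return {
        "locked": sum(1 for e in entries if e["status"] == "locked"),
        "counts": dict(Counter(e["location"] for e in hits)),
        "live": live,
        "needs_action": bool(live),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("hits by location:", result["counts"])
    print("locked (skipped, not a detection):", result["locked"])
    print("still live:", result["live"] or "none")
```

"Object is locked" entries are registry hives, event logs and similar files that the scanner could not open; they are counted separately because they are not detections. On the real report in this thread the live list is empty, which is exactly the conclusion drawn above before ComboFix /u is used to purge the quarantine and the restore points.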
  11. 2008/04/07
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Noah....thanks to you....very very much indeed, the computer works fine :D but I still need to remove the combofix files & others mentioned by you...:cool:

    Again thank you very much & I appreciate it...:)
     
  12. 2008/04/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once you've completed the ComboFix uninstallation, here's just a bit more cleanup you should do.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    That should wrap things up. Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Glad I could help, and you're most welcome. Surf safe! :)
     
  13. 2008/04/07
    satria

    satria Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    22
    Likes Received:
    0
    Thanks Noah...I'll read the information and recommendations given :D:D

    Bye....:p:cool::D:)
     
