
Thread: Log check and a couple of questions

  1. #1

    Log check and a couple of questions

    After a few days of fun and games trying to clear my laptop of some nasties which appeared to have corrupted driver files on my system, I'm finally able to boot into normal mode. I've run full Symantec AV, Spybot, Spysweeper scans, which have all come up clean.

    I've posted my current HJT scan below.

    1) I'm assuming I should get rid of:
    a) the unknown file in Winsock LSP
    b) the first two BHO entries

    Will deleting these items using HJT be sufficient to get rid of them, or should I be using another tool?

    2) Using the Auto analyser, the ctfmon.exe entry came up as bad (to remove). I thought this file is OK if running from \windows\system32.

    3) I've got some bad entries in my startup list, looked at from msconfig. Although I've unchecked them (in msconfig) so that they aren't run, they still appear there as options to re-select - how should I get rid of these once and for all?

    Thanks,

    Richard

    ---


    Logfile of HijackThis v1.99.1
    Scan saved at 22:09:12, on 13/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Administrator\Desktop\Hjtscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talktalk.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bicfs/
    O2 - BHO: (no name) - {602ec513-3645-4034-b244-6946aa248b27} - C:\WINDOWS\system32\dpn079.dll
    O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
    O14 - IERESET.INF: START_PAGE_URL=http://bicfs/
    O15 - Trusted Zone: milestone.cognisco.com (HKLM)
    O15 - Trusted Zone: milestone400.cognisco.com (HKLM)
    O15 - Trusted Zone: *.cognisco.com (HKLM)
    O15 - Trusted Zone: *.passport.net (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O17 - HKLM\Software\..\Telephony: DomainName = internal.cognisco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: dpn079 - C:\WINDOWS\SYSTEM32\dpn079.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

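An added example, not code from the thread or from HijackThis: a small Python triage script run over constructed lines modelled on the log above. It flags the indicators the thread goes on to discuss (BHOs with no proper name, autoruns launched from a Temp folder or named to imitate core Windows binaries, repeated unknown Winsock LSP entries, and a Winlogon Notify DLL that is also an unnamed BHO); the list of system binaries and the edit-distance threshold are my assumptions, and ctfmon.exe in System32 is deliberately left unflagged.

```python
import re
from collections import Counter

# Constructed sample modelled on the HJT log posted above (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {602ec513-3645-4034-b244-6946aa248b27} - C:\WINDOWS\system32\dpn079.dll
O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\erwgg.dll
O20 - Winlogon Notify: dpn079 - C:\WINDOWS\SYSTEM32\dpn079.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# Core Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
O4_PATH_RE = re.compile(r'^\[[^\]]*\]\s+"?([^"]*?\.exe)', re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition (svchots/svchost) as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(base: str):
    """Return the system binary that `base` imitates (distance exactly 1), else None."""
    for real in sorted(SYSTEM_BINARIES):
        if base != real and osa_distance(base, real) == 1:
            return real
    return None


def split_path(path: str):
    """Lower-cased (folder, file name) of a Windows path."""
    folder, _, base = path.lower().rpartition("\\")
    return folder, base


def triage(log_text: str):
    """Return (log line, reason) findings for the indicators discussed in the thread."""
    findings, unnamed_bho_dlls = [], set()
    lsp_counts, lsp_first_line = Counter(), {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":  # "BHO: <name> - {CLSID} - <path>"
            parts = rest[len("BHO: "):].split(" - ")
            name, path = parts[0], parts[-1]
            if name == "(no name)" or name.lower() == path.lower():
                findings.append((raw, "BHO with no proper name"))
                unnamed_bho_dlls.add(split_path(path)[1])
        elif section == "O4":  # "<hive>\..\Run: [<label>] <command>"
            pm = O4_PATH_RE.match(rest.split(": ", 1)[-1])
            if not pm:
                continue
            folder, base = split_path(pm.group(1))
            if "\\temp\\" in folder + "\\":
                findings.append((raw, "autorun from a Temp directory"))
            real = lookalike_of(base)
            if real:
                findings.append((raw, f"name imitates {real}"))
            elif base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
                findings.append((raw, f"{base} running outside the Windows directory"))
        elif section == "O10":  # HJT prints one line per LSP chain entry; count per file
            path = rest.split(": ", 1)[-1].lower()
            lsp_counts[path] += 1
            lsp_first_line.setdefault(path, raw)
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            if split_path(rest.split(" - ")[-1])[1] in unnamed_bho_dlls:
                findings.append((raw, "Winlogon Notify DLL is also an unnamed BHO"))
    for path, n in lsp_counts.items():
        findings.append((lsp_first_line[path], f"unknown Winsock LSP, {n} chain entries"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:50} <- {line}")
```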
  2. #2
    First of all, don't use the analyzer.
    Secondly:
    "Will deleting these items using HJT be sufficient to get rid of them, or should I be using another tool?"
    No, HJT is not a fixer program; it is a scanner program that can LATER be used to fix once other fixes are applied.
    Your log shows you have disabled some startups using msconfig. Please go back and re-enable these items.

    Now please download LSPFix and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and place all listings of erwgg.dll into the Remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the Finish button.

    Reboot the computer.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

  3. #3
    One step forward, two steps back...

    Thank you for the pointers. I ran VundoFix first; it found two file instances which I removed. The program then prompted a system restart and that was the end... BSOD very early in the boot process, both into normal mode and into any kind of safe mode.

    In desperation, as I wanted to leave any bigger scans running overnight, I restarted from a system restore point, as that seemed to be the only way I could actually get back onto the machine (I had previously disabled System Restore as soon as the problems appeared).

    Adaware ran on restart and found the same issue as it did previously - win32.trojan.agent (about 30 items).

    Once into Windows, I ran LSPFix first this time and it came back with no problems. Running VundoFix also came up clean. I left the computer this morning running Stinger. I have also updated msconfig so that it runs a 'normal' boot from now on.

    What other scans/fixes could I run before I re-boot again?

    Whatever the problem is seems to be in some way corrupting key drivers/system files that initialise during the boot sequence, hence the frequent BSODs. Before the initial clean, the BSODs were all related to NDIS.sys, which I think is something to do with the network interface. So the challenge is to try and clean/fix the key issue before I have to re-boot or I'm back to square one again, having to return to the same restore point...

    Below is an HJT scan from this morning (which may be worse than the first due to the system restore!) This is taken after the adaware scan, lsp and vundofix, but before the stinger scan. I notice that the registry entry for xxxuuu.dll is still there, which I thought was part of the Vundo issue.


    Logfile of HijackThis v1.99.1
    Scan saved at 08:57:12, on 14/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Administrator\Desktop\Hjtscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talktalk.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bicfs/
    O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\xxxuuu.dll",realset
    O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
    O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
    O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://bicfs/
    O15 - Trusted Zone: milestone.cognisco.com (HKLM)
    O15 - Trusted Zone: milestone400.cognisco.com (HKLM)
    O15 - Trusted Zone: *.cognisco.com (HKLM)
    O15 - Trusted Zone: *.passport.net (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O17 - HKLM\Software\..\Telephony: DomainName = internal.cognisco.com
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

  4. #4
    Ok, since you did a system restore this probably wiped out any fixes or at least parts of most fixes done.
    Please discontinue doing fixes on your own until told to do so.
    You need to go in and TURN OFF Spysweeper until told to turn it back on. Having this run during attempted fixes can stop them.
    Now you say that you had a BSOD. If you get another we need the EXACT wording and error number. Just saying that the BSODs "were all related to NDIS.sys" really doesn't tell us anything.

    You absolutely MUST go to this link because with the System Restore I feel you need to begin at the beginning;

    READ ME Before Posting A Request For Assistance!

    I want you to follow each step...exactly as given.

    *note when running the AVG Anti-spy program in SAFE MODE be absolutely certain you tell it to fix everything found.

    Once you have completed every step then post back here with the AVG Anti-spy log, a log from preferably the Kaspersky online scanner(which doesn't remove anything but will give us a listing of bad items found and their locations) and a new HJT log.

    Don't run anything else unless you are told here to do so.

  5. #5
    I had no choice but to use System Restore, as I was unable to boot into normal mode or any safe mode. The BSODs appeared early in the boot sequence and just flashed up for a split second before re-starting the machine, so I couldn't tell you what they said....

    When I first had the problems, I was only getting BSODs when booting into normal mode. They were either Bad Pool Caller, or IRQ Less Than Equal errors, both with the file NDIS.sys

    I have a corporate version of Symantec AV on the laptop (it's an old work laptop) which I can't seem to uninstall even as administrator. This is especially annoying as it now seems to be corrupted. But I assume it's still best not to try another AV prog as well if Symantec is on the system?

    I also can't install AVG Anti-spyware as it won't run on 64 bit windows.

    I've just re-booted successfully into safe mode and am currently running the spybot scan, once that finishes I'll try re-booting into normal mode again (fingers crossed!) and post a new HJT log.

    For reference, below is a log of what Symantec AV has quarantined since the problems appeared:

    Date,Filename,Threat,Original Location,Status
    5/9/2007 11:42:19 PM,tmp286.tmp.dll,Trojan.Vundo,C:\WINDOWS\system32\,Infected
    5/9/2007 11:41:50 PM,sony.exe.exe,Trojan Horse,C:\WINDOWS\system32\,Infected
    5/9/2007 11:41:47 PM,sony.exe,Trojan Horse,C:\WINDOWS\system32\,Infected
    5/9/2007 10:56:11 PM,sony[1].exe,Trojan Horse,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\67QRSW0G\,Infected
    5/9/2007 10:54:21 PM,wnset.exe,Trojan.Adclicker,C:\Documents and Settings\Administrator\Local Settings\Temp\,Infected
    5/13/2007 5:12:52 PM,ndis.sys,Hacktool.Rootkit,C:\WINDOWS\system32\drivers\,Infected
    5/4/2007 12:59:30 AM,poof,Hacktool.Rootkit,C:\WINDOWS\system32\,Infected
    5/4/2007 12:58:31 AM,kprof,Hacktool.Rootkit,C:\WINDOWS\system32\,Infected
    5/4/2007 12:58:31 AM,koos.exe,Trojan.Alpiok,C:\WINDOWS\system32\,Infected
    5/4/2007 12:58:23 AM,ipv6monl.dll_tobedeleted_old,Infostealer.Bzup,C:\WINDOWS\system32\,Infected
    5/4/2007 12:10:48 AM,old-winlogon.exe,W32.Grum.A,C:\Documents and Settings\Administrator\Local Settings\Temp\,Infected

  6. #6
    Some success: I am now able to boot into Normal mode properly for the first time since the problems appeared.

    Here is the current HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 00:24:21, on 15/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\Administrator\Desktop\Hjtscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talktalk.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bicfs/
    O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\xxxuuu.dll",realset
    O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
    O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
    O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://bicfs/
    O15 - Trusted Zone: milestone.cognisco.com (HKLM)
    O15 - Trusted Zone: milestone400.cognisco.com (HKLM)
    O15 - Trusted Zone: *.cognisco.com (HKLM)
    O15 - Trusted Zone: *.passport.net (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cognisco.com
    O17 - HKLM\Software\..\Telephony: DomainName = internal.cognisco.com
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    And here is the first part of the Spybot scan from safe mode (with the nasties it tried to remove):

    --- Search result list ---
    Smitfraud-C.: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc

    Smitfraud-C.: Library (File, fixing failed)
    C:\WINDOWS\system32\rpcc.dll

    Smitfraud-C.: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-299502267-764733703-1060284298-500\Software\Microsoft\aldd

    Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Araf15

    Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

    Microsoft.WindowsSecurityCenter.FirewallBypass: Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

  7. #7
    Download SmitfraudFix and save it to the desktop;

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

  8. #8
    Log results below:


    SmitFraudFix v2.181

    Scan done at 9:02:52.35, 15/05/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8jf8e"

    [HKEY_CLASSES_ROOT\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  9. #9
    Next step;
    * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    * Double-click smitfraudfix.exe
    * Select 2 and hit Enter to delete infected files.
    * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Post back here with that report.

  10. #10
    New log results below


    SmitFraudFix v2.181

    Scan done at 1935.33, 15/05/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8jf8e"

    [HKEY_CLASSES_ROOT\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3F511A42-60F4-4F96-A053-988CC173FE35}: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C}"="Fdjskie8jf8e"

    [HKEY_CLASSES_ROOT\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32]
    @="C:\WINDOWS\system32\ldhje783.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End
