seansmall

TheMatrixHasYou


Ok, we're not done yet Sean.

 

I just got your uploaded files at the upload site.

http://www.thespykiller.co.uk/forum/index.php?topic=1853.0

 

Are those 3 files still on your system? The Ewido report showed that it deleted them. Please look and let me know. If found you need to delete these:

C:\WINDOWS\SYSTEM32\CSBXJ.EXE

C:\WINDOWS\SYSTEM32\CSGZW.EXE

C:\WINDOWS\SYSTEM32\DMVGD.EXE

 

Also, please scan with HijackThis and post a fresh log. I need to see if that 020 item is still there and we'll need to get rid of it.


I've been out of town, so I haven't been able to take care of this for a couple of days. I don't have any of those 3 files on the computer, but I do have a file called "comdlj32.dll". Ewido keeps finding it, but can't clean it. AdAware can't delete it, so I don't know what to do. I'll post a new HijackThis log in a second.


Logfile of HijackThis v1.99.1

Scan saved at 2:27:50 PM, on 6/18/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\smss.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\spoolsvv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

c:\program files\common files\aol\1136554450\ee\aim6.exe

C:\WINDOWS\system32\lxbxcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sean Pierce\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll (file missing)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,[email protected]

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: WUSB54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)


Open HijackThis and choose *scan only*

When it finishes, checkmark these entries and press the *fix checked* button

 

O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll (file missing)

 

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

 

Close HijackThis

.............................................

Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

1. Open Killbox by clicking on Killbox.exe

 

2. Select *Delete on Reboot* in the first column

 

DeleteOnReboot.gif

 

3. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

 

4. Paste the clipboard contents into the white box that says: Full Path of File to Delete

 

5. Press the red button with the white x in it.

 

RedButtonWhiteX.gif

 

6. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

 

(Choose yes, if ready to reboot or no, if you need to close some other open items first.)

 

7. You can close all programs and any open windows.

 

8. Reboot your computer.

 

Back in normal mode, please scan once more with HijackThis and post a fresh log please.

 

Also post the Ewido scan log so I can see the file it's having a problem with.


Logfile of HijackThis v1.99.1

Scan saved at 4:32:13 PM, on 6/19/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\spoolsvv.exe

C:\WINDOWS\system32\ctfmon.exe


O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,[email protected]

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab


Sorry about splitting up my HijackThis log over multiple posts. My internet is all screwed up and it's having trouble posting here. Also, Mozilla Firefox isn't connecting to the internet. I'll try to get the rest posted as soon as possible.


C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

C:\WINDOWS\system32\lxbxcoms.exe

c:\program files\common files\aol\1136554450\ee\aim6.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ewido anti-malware\SecuritySuite.exe

C:\Documents and Settings\Sean Pierce\Desktop\HijackThis\HijackThis.exe


That's weird. Can you put the log file into a zip file and attach it to a reply?

 

(in the reply box, scroll down and you see the File Attachments section where you can browse to the logfile on your computer)


And, got it! But, guess what! I can't seem to get a post to go through on this thread with the log either. So it's not just you! :D I will try to start a new topic (maybe this one is polluted? :lol: )


Nope - even a new topic doesn't take. We'll stay here and I'll analyze this without posting the log. And post back with a reply with my findings (hopefully) ...something about this log is evil? :D


*test*...works (it's just the log that won't work for some reason)

 

Open HijackThis and do a *scan only*

When it finishes, checkmark these entries and press *fix checked*

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

 

F2 - REG:system.ini: UserInit=userinit.exe

 

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

 

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

 

O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe (file missing)

.............................

Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

1. Open Killbox by clicking on Killbox.exe

 

2. Select *Delete on Reboot* in the first column

 

DeleteOnReboot.gif

 

3. Press the *All Files* button IMPORTANT STEP!

 

AllFilesButton.gif

 

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

 

C:\WINDOWS\system32\spoolsvv.exe

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

C:\WINDOWS\smss.exe

 

5. In Killbox, select the "File" tab at the top

 

6. Choose "Paste from Clipboard" in the drop down menu

 

7. Press the red button with the white x in it.

 

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

 

(Choose yes, if ready to reboot or no, if you need to close some other open items first.)

 

9. You can close all programs and any open windows.

 

10. Reboot your computer.

 

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

C:\!KillBox

 

11. Navigate to the Killbox backup folder:

C:\!KillBox

 

a. Right-click the file or folder

 

b. Point to Send To

 

c. Then click Compressed (zipped) Folder

 

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

C:\!KillBox.zip

 

12. Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?topic=1853.0

 

File to upload: C:\!KillBox

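The entries the helper singles out in the post above share a few tells that can be checked mechanically: a search hijack pointing at a non-Microsoft host (R0/R1), a UserInit value without its full path (F2), an autorun whose name is one keystroke away from a real system binary (spoolsvv.exe beside spoolsv.exe), a Winlogon Notify DLL living outside system32 (O20), and a service with an unknown owner whose "smss.exe" sits in C:\WINDOWS rather than C:\WINDOWS\System32 (O23). The Python below is an added example, not part of the thread and not HijackThis's own logic; it runs those checks over an excerpt of the logs posted above. The core-binary table, the trusted search hosts and the one-edit look-alike threshold are my assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: core Windows XP binaries with the folder each normally runs from.
# A copy elsewhere (C:\WINDOWS\smss.exe) or a name one keystroke away
# (spoolsvv.exe beside spoolsv.exe) is the kind of entry flagged in the thread.
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")  # assumption: IE defaults only
ENTRY_RE = re.compile(r"^(?P<kind>R\d|F\d|O\d+)\s+-\s+(?P<body>.*)$")
DRIVE_RE = re.compile(r"^[a-zA-Z]:\\")

def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_path(path):
    """Reasons a program path looks wrong against the core-binary table."""
    p = path.strip().strip('"').lower()
    folder, _, name = p.rpartition("\\")
    if name in CORE_BINARIES:
        if folder != CORE_BINARIES[name]:
            return [f"{name} outside its expected folder ({folder or 'no path'})"]
        return []
    return [f"{name} is one edit away from {known}"
            for known in CORE_BINARIES if edit_distance(name, known) == 1]

def triage_line(line):
    """Reasons one HijackThis line deserves attention (empty list if none)."""
    line = line.strip()
    reasons = ["entry points at a file that no longer exists"] if "(file missing)" in line else []
    m = ENTRY_RE.match(line)
    if not m:
        # The "Running processes" section is a bare list of paths.
        return reasons + check_path(line) if DRIVE_RE.match(line) else reasons
    kind, body = m.group("kind"), m.group("body")
    target = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    if kind in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
            reasons.append(f"search/start page points at {host}")
    elif kind == "F2" and "UserInit=" in body:
        # The stock value carries the full path C:\WINDOWS\system32\userinit.exe,
        if not DRIVE_RE.match(body.split("UserInit=", 1)[1]):
            reasons.append("UserInit is not an absolute path")
    elif kind == "O4":
        cmd = body.split("]", 1)[-1].strip()
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        reasons += check_path(exe)
    elif kind == "O20" and not target.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("Winlogon Notify DLL outside C:\\WINDOWS\\system32")
    elif kind == "O23":
        if "Unknown owner" in body:
            reasons.append("service with unknown owner")
        reasons += check_path(target.split('"')[0])
    return reasons

def triage_log(text):
    """Map every flagged line of a log to its reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged

# Excerpt assembled from the logs posted in this thread (benign lines included
# so the checks can be seen not firing on them).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Program Files\iTunes\iTunesHelper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

The output is a list of lines worth confirming, not a verdict: the thread itself shows the WUSB54GSSVC service is "Unknown owner" and "(file missing)" yet benign, so anything this flags still gets looked up before it is fixed.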

Got the files, thanks!

 

Can you reboot and scan with HijackThis and post a fresh HijackThis log?

 

spoolsvv.exe was the only thing in there...some sort of Spambot. I'll be submitting this one for detection!

Complete scanning result of "spoolsvv.exe", received in VirusTotal at 06.21.2006, 03:10:32 (CET).

 

Antivirus Version Update Result

AntiVir 6.35.0.13 06.20.2006 TR/Crypt.F.Gen

Authentium 4.93.8 06.20.2006 no virus found

Avast 4.7.844.0 06.20.2006 no virus found

AVG 386 06.20.2006 Downloader.Tibs

BitDefender 7.2 06.21.2006 GenPack:Generic.Malware.SMY.C5D6B29A

CAT-QuickHeal 8.00 06.20.2006 no virus found

ClamAV devel-20060426 06.21.2006 no virus found

DrWeb 4.33 06.20.2006 Trojan.Spambot

eTrust-InoculateIT 23.72.43 06.20.2006 no virus found

eTrust-Vet 12.6.2267 06.21.2006 Win32/Vxidl!generic

Ewido 3.5 06.20.2006 no virus found

Fortinet 2.77.0.0 06.21.2006 PossibleThreat!05824

F-Prot 3.16f 06.20.2006 no virus found

Ikarus 0.2.65.0 06.20.2006 no virus found

Kaspersky 4.0.2.24 06.21.2006 no virus found

McAfee 4789 06.21.2006 no virus found

Microsoft 1.1481 06.21.2006 no virus found

NOD32v2 1.1611 06.20.2006 probably unknown NewHeur_PE virus

Norman 5.90.21 06.20.2006 no virus found

Panda 9.0.0.4 06.20.2006 Suspicious file

Sophos 4.06.0 06.20.2006 no virus found

Symantec 8.0 06.21.2006 Trojan.Fivesec

TheHacker 5.9.8.162 06.20.2006 no virus found

UNA 1.83 06.20.2006 no virus found

VBA32 3.11.0 06.20.2006 Trojan.Spambot

VirusBuster 4.3.7:9 06.20.2006 no virus found

 

Aditional Information

File size: 27634 bytes

MD5: 6d5113db367dff6e6d2b5b33b562fabd

SHA1: 25e922707ef48673a758ac467ea926e4d382bd33


Logfile of HijackThis v1.99.1

Scan saved at 10:11:36 PM, on 6/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

c:\program files\common files\aol\1136554450\ee\aim6.exe

C:\WINDOWS\system32\lxbxcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Sean Pierce\Desktop\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,[email protected]

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe (file missing)

O23 - Service: WUSB54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)


Looking better!

 

Open HijackThis and do a *scan only*

Checkmark this item in the list and press the *fix checked* button

 

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)

................

Ewido has a newer updated version, 4.0 just released.

 

Uninstall the present Ewido program please. You can choose *No* when it asks if you want to remove the quarantine and reports. But continue on with the uninstall. Then, this will require a reboot.

 

Next, download, install, update and scan with the new v. 4.0 and post a log if it finds anything

 

http://www.ewido.net/en/download/

 

Also, when done, please post a fresh HijackThis log


+ Created at: 3:27:59 PM 6/22/2006

 

+ Scan result:

 

 

 

C:\!KillBox.zip/!KillBox/spoolsvv.exe -> Proxy.Agent.kn : Cleaned with backup (quarantined).

C:\!KillBox.zip/!KillBox/spoolsvv.exe( 1) -> Proxy.Agent.kn : Cleaned with backup (quarantined).

C:\!KillBox\spoolsvv.exe -> Proxy.Agent.kn : Cleaned with backup (quarantined).

C:\!KillBox\spoolsvv.exe( 1) -> Proxy.Agent.kn : Cleaned with backup (quarantined).

C:\WINDOWS\Temp\art3BC9.tmp -> Proxy.Agent.kn : Cleaned with backup (quarantined).

 

::Report end

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:30:38 PM, on 6/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

c:\program files\common files\aol\1136554450\ee\aim6.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\lxbxcoms.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Documents and Settings\Sean Pierce\Desktop\HijackThis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136554450\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WUSB54GS] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,[email protected]

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe (file missing)

O23 - Service: WUSB54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)


I missed one:

 

Scan with HijackThis and checkmark this entry, then press the *fix checked* button

 

O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe (file missing)

 

It looks good. How are things looking on your end?


Hi, my computer is infected so I came looking for a fix. Have downloaded and run the program and have this log file to post but computer is still infected. Can anyone help me to get rid of this please.

 

Many thanks in advance.

 

 

Fixwareout ver 1.003

Last edited 07/1/2006

Post this report in the forums please

 

Reg Entries that were deleted

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8A99A25D7DC3-994A-FAB4-18CB-BE774382{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6A422AC692CA-A0BB-0DB4-C825-F416DAA5{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0EA8A4B42B80-E1FB-7CC4-ECCE-D7F22134{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DA39BAE12690-AEE9-C594-F52E-88AE31D5{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A5D8232F8D45-08FA-7274-FFE4-8DBF682A{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4FA960B57581-9E2B-1184-9F05-E3FE2BCC{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\sjlmd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C446AC6F932-A45B-E174-7CB2-6DE05B5D{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D3DB14E7B1A6-4D5A-49D4-E4A4-D53BD9F3{

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif

...

 

Microsoft ® Windows Script Host Version 5.6

Random Runs removed from HKLM

"dmljs.exe"=-

...

 

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Example ipsec6.exe is legitimate

 

»»»»» Search by size and names...

* csr.exe C:\WINDOWS\System32\CSLWA.EXE

* csr.exe C:\WINDOWS\System32\CSGJC.EXE

* csr.exe C:\WINDOWS\System32\CSARQ.EXE

* csr.exe C:\WINDOWS\System32\CSPKQ.EXE

* csr.exe C:\WINDOWS\System32\CSGZJ.EXE

 

»»»»» Misc files

* thequicklink C:\WINDOWS\System32\{FB172~1.DLL

* thequicklink C:\WINDOWS\System32\{D2BB1~1.DLL

* thequicklink C:\WINDOWS\System32\{71EBE~1.DLL

* thequicklink C:\WINDOWS\System32\{679E8~1.DLL

 

»»»»» Checking for older varients covered by the Rem3 tool

 

»»»»»

Search five digit cs, dm and jb files

This WILL/CAN also list Legit Files, Submit them at Virustotal

C:\WINDOWS\SYSTEM32\CSLWA.EXE 51,251 2006-07-08

C:\WINDOWS\SYSTEM32\CSGJC.EXE 51,251 2006-07-08

C:\WINDOWS\SYSTEM32\CSARQ.EXE 51,251 2006-07-01

C:\WINDOWS\SYSTEM32\CSPKQ.EXE 51,251 2006-07-08

C:\WINDOWS\SYSTEM32\CSGZJ.EXE 51,251 2006-07-08

C:\WINDOWS\SYSTEM32\DMMGJ.EXE 44,127 2001-08-23

C:\WINDOWS\SYSTEM32\DMKEQ.EXE 44,127 2001-08-23

C:\WINDOWS\SYSTEM32\DMAQV.EXE 44,127 2001-08-23

C:\WINDOWS\SYSTEM32\DMFUE.EXE 44,127 2001-08-23

C:\WINDOWS\SYSTEM32\DMLJS.EXE 44,127 2001-08-23

C:\WINDOWS\SYSTEM32\DMRHL.EXE 44,130 2001-08-23

Other suspects

Directory of C:\WINDOWS\system32

{679E86A9-FFF7-406A-B7D9-F1D00ECAE3E0}.dll

{71EBE794-CFE1-4AF8-AFF6-6CE78711C4C8}.dll

{D2BB1710-B8CA-48D9-A083-2053E4115718}.dll

{FB172EBB-69A6-447D-8EFB-63646DB8985C}.dll

{3F9DB35D-4A4E-4D94-A5D4-6A1B7E41BD3D}.exe

{D5B50ED6-2BC7-471E-B54A-239F6CA644C3}.exe

{CCB2EF3E-50F9-4811-B2E9-18575B069AF4}.exe

{A286FBD8-4EFF-4727-AF80-54D8F2328D5A}.exe

{5D13EA88-E25F-495C-9EEA-09621EAB93AD}.exe

{43122F7D-ECCE-4CC7-BF1E-08B24B4A8AE0}.exe

{5AAD614F-528C-4BD0-BB0A-AC296CA224A6}.exe

{ABBC9624-47AE-4661-8C79-6543D25E6D8C}.exe

{4D8C35E9-A490-411F-A413-8F7B082A22A3}.exe

{73CB3942-C607-4E42-A55D-9FEFEFE3A6BF}.exe

{DDEF6FFC-9F05-4640-A9FB-3D2611FA45B8}.exe

{61C24DEF-D7D8-4204-9943-477B1D469F4F}.exe

{63D8140A-33A5-4107-85B0-9A49F6C0CA5F}.exe

{9AB9F6E2-9BFD-4F4B-9F28-8415942F505C}.exe

{CA196E04-86A1-465F-A11E-4E701660F5AD}.exe

{313B9332-1FB9-4DBB-97BD-542D8D8006BC}.exe

{46992D1C-D2C7-432A-BBB7-95526C6163DB}.exe

{8427B787-EAE1-4894-B02F-1E057C6DFA76}.exe

{8ECF2976-0A83-4838-B4AB-D90C455B12F6}.exe

{5193A5F3-0DC1-4522-85F2-59A241F743DF}.exe

{F75F173B-9CB0-4B93-9D3A-1EA74CF636B4}.exe

{F3EB3F68-C5E7-480A-A6CF-BE7B0AE6BB0C}.exe

{8AC26F93-F38C-4F84-BF05-A6A0C2477BAC}.exe

{592C729A-F037-43EE-AF2A-25234FA3F832}.exe

{18920E20-70BA-4DD3-B7B5-B94695CF5445}.exe


I think I have fixed this so anyone who was going to help thanks but I nailed it.

 

I have AVG which shows you the files and viruses but only removes the viruses and not the file generating the viruses.

 

That file shows up on AVG first when you do a scan as a red coloured exe file that AVG cannot read but identifies.

 

This file changes its name every time you start up your computer.

 

I downloaded Hijack This and did a scan......I then compared the file names in Hijack This to the red unreadable file that AVG shows you in the first seconds of its scan and voilà there was a match.

 

I used Hijack This to fix that file.

 

Prior to this I disabled the system restore box in the Control Panel in "System".

 

After scanning and fixing the file I re-enabled the system restore box, shut the computer down, restarted and AVG did not come up with the unreadable red file.

 

I think that did the trick.

 

You should only check the matching file shown in both AVG and Hijack This though and no other box.
