Thread: My Malware
08-11-2007, 09:55 AM   #6
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,494
OS: N/A
Re: My Malware

Do a HijackThis scan (Not DSS) & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0FF078B0-0072-4FCA-AEDC-36C078A563D5} - C:\Program Files\Common Files\hoketoz455101.dll (file missing)
O2 - BHO: (no name) - {356EA4B8-0225-4C11-AF5E-B7CEE719E4D2} - \
O2 - BHO: (no name) - {3E66438B-D364-DFEF-1A15-F88DB123D49D} - C:\WINDOWS\system32\llbxjem.dll (file missing)
O2 - BHO: (no name) - {420C4981-32CC-AF09-C412-03797A5A3F37} - C:\Program Files\Brytaxrx\axwhrzbz.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll (file missing)
O2 - BHO: 0 - {5DA6F8BC-0758-4541-5F85-7A23AF300F87} - C:\Program Files\Internet Explorer\lavunabiq.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O4 - HKLM\..\Run: [i34yuc387] C:\WINDOWS\i34yuc387
O4 - HKLM\..\Run: [{85-52-22-2E-ZN}] c:\windows\system32\dwdsrngt.exe D4M001
O4 - HKLM\..\Run: [horyk] C:\Program Files\Windows Media Player\horyk22011.exe
O4 - HKLM\..\Run: [dgtghudc] rundll32.exe "C:\Program Files\dgtghudc\tgfgjgva.dll",Init
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [mezavkvd] C:\Program Files\Ozqaguwk\mezavkvd.exe
O4 - HKCU\..\Run: [Cxqbik] "C:\Documents and Settings\Thomas Barrie\My Documents\??sks\w?crtupd.exe"
O4 - HKCU\..\Run: [fmuu] C:\PROGRA~1\COMMON~1\fmuu\fmuum.exe
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O20 - Winlogon Notify: tuvvusr - tuvvusr.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsycyrtypr.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\profsycyrtypr.html

---------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/173327-my-malware.html
Collect::
C:\WINDOWS\system32\uocvbpji.exe
C:\WINDOWS\system32\sihcsdvq.exe
C:\WINDOWS\system32\nwinqmdt.exe
C:\WINDOWS\system32\k.dat
C:\WINDOWS\system32\lpdsrngm.exe
C:\WINDOWS\i34yuc387.exe
C:\WINDOWS\system32\sdadlrow-t2.exe
C:\WINDOWS\system32\dwdsrngt.exe
Suspect::
C:\WINDOWS\uninst1017.exe
File::
C:\Program Files\Windows Media Player\horyk22011.exe
C:\Documents and Settings\Thomas Barrie\Start Menu\Programs\Startup\TA_Start.lnk
Folder::
C:\Program Files\SecCenter
C:\WINDOWS\system32\hblbdnun
C:\Program Files\Ozqaguwk
C:\Program Files\dgtghudc
C:\Program Files\Brytaxrx
C:\WINDOWS\fmuu
C:\Program Files\Common Files\fmuu
C:\WINDOWS\VGhvbWFzIEJhcnJpZQ
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\ISM
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FF078B0-0072-4FCA-AEDC-36C078A563D5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{356EA4B8-0225-4C11-AF5E-B7CEE719E4D2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E66438B-D364-DFEF-1A15-F88DB123D49D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{420C4981-32CC-AF09-C412-03797A5A3F37}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9815DA81-2E0C-478c-90E4-06E474E704D0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i34yuc387"=-
"{85-52-22-2E-ZN}"=-
"horyk"=-
"dgtghudc"=-
"csrss"=-
"mezavkvd"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cxqbik"=-
"fmuu"=-
"ISMModule2"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvusr]
Save this as "CFScript"
Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called Submit [Date Time].zip
Please submit this file before proceeding to the next step.

---------------

Click here to perform an online scan >> Online Scanner

---------------

In your next post, please include fresh logs from:
  1. Fresh Hijackthis log (not DSS) taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?
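To review what a CFScript like the one above will actually change before it is dropped onto ComboFix, here is an added Python example (not part of the post and not ComboFix's own code) that splits the script into its `::` sections and decodes the `Registry::` block's .reg syntax (`[-KEY]` deletes a key, `"name"=-` deletes a value); the expansion of the `~` shorthand to the Explorer\Browser Helper Objects key is an assumption, and the embedded script is a shortened excerpt of the one posted.

```python
import re

# Constructed excerpt of the CFScript posted above (shortened for the demo).
SAMPLE_SCRIPT = """\
http://www.techsupportforum.com/security-center/hijackthis-log-help/173327-my-malware.html
Collect::
C:\\WINDOWS\\system32\\dwdsrngt.exe
File::
C:\\Program Files\\Windows Media Player\\horyk22011.exe
Folder::
C:\\Program Files\\ISM
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{0FF078B0-0072-4FCA-AEDC-36C078A563D5}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"i34yuc387"=-
"csrss"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")       # e.g. "Registry::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # .reg key header; leading "-" deletes the key
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')       # .reg "name"=- deletes that value
# Assumed expansion of the "~" shorthand used in the post (not confirmed by the post itself).
BHO_SHORT = "\\~\\Browser Helper Objects"
BHO_FULL = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"


def parse_cfscript(text):
    """Return (sections, delete_keys, delete_values) for a CFScript; delete_values holds (key, name)."""
    sections, delete_keys, delete_values = {}, [], []
    section = key = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            sections.setdefault(section, [])
            continue
        if section is None:          # preamble (the thread URL) carries no directive
            continue
        sections[section].append(line)
        if section != "Registry":
            continue
        if m := KEY_RE.match(line):
            key = m.group(2).replace(BHO_SHORT, BHO_FULL)
            if m.group(1) == "-":
                delete_keys.append(key)
        elif (m := VALUE_DEL_RE.match(line)) and key:
            delete_values.append((key, m.group(1)))
    return sections, delete_keys, delete_values
```

Running `parse_cfscript(SAMPLE_SCRIPT)` on the excerpt yields one key deletion (the BHO CLSID) and two value deletions under the HKLM Run key, which matches the O2 and O4 entries HijackThis flagged above.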