OK. Sorry, but too late for me not to fix anything. I had already removed the entry
O2 - BHO: (no name) - {AA72DDA4-672D-4783-8FD4-4BB3CDE8A409} - C:\WINDOWS\system32\mljji.dll (file missing)
from the registry using hijackthis, before I received your reply.
I went ahead with your instructions. Upload of catchme.zip went ok. Used hijackthis to remove the single entry for "about:blank". Ran the combofix with combofix-do.txt.
Tried to run the virus scanner in IE, clicked yes for ActiveX, but IE would not allow it to run anyway.
So here are the logs I have for fresh hijackthis and combofix:
"Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:41:22 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\zane\My Documents\temp\hijackthis\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\ZANE\Application Data\Mozilla\Profiles\default\jel2oqe9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\ZANE\Application Data\Mozilla\Profiles\default\jel2oqe9.slt\prefs.js)
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.dstsystems.com/,Dana...java+dwa7W.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 2907 bytes"
""zane" - 2007-06-28 10:12:29 - ComboFix 07-06-28.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\zane\My Documents\temp\combofix-do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\SYSTEM32\chbianhu.dll
C:\WINDOWS\SYSTEM32\eqwkepwa.dll
((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))
2007-06-27 17:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 14:13 <DIR> d-------- C:\VundoFix Backups
2007-06-13 11:22 7,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motccgpfl.sys
2007-06-13 11:22 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motswch.sys
2007-06-13 11:22 21,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motport.sys
2007-06-13 11:22 21,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motmodem.sys
2007-06-13 11:22 17,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motccgp.sys
2007-06-13 11:22 1,419,232 --a------ C:\WINDOWS\SYSTEM32\wdfcoinstaller01005.dll
2007-06-13 11:21 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-06-13 11:21 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-28 15:15:16 16 ----a-w C:\WINDOWS\system32\docpsop2.dat
2007-06-28 15:15:16 16 ----a-w C:\WINDOWS\system32\activedy.dat
2007-06-28 15:15:16 14,772 ----a-w C:\WINDOWS\system32\mydocef.dat
2007-06-28 13:22:17 3,821 ----a-w C:\WINDOWS\system32\fxst3pd.dat
2007-06-28 13:22:17 2,421,321 ----a-w C:\WINDOWS\system32\nvrsnkpq.dat
2007-06-28 13:22:16 1,079 ----a-w C:\WINDOWS\system32\wmdmloa.dat
2007-06-28 13:21:16 16,118 ----a-w C:\WINDOWS\system32\tablet.dat
2007-06-22 16:29:15 -------- d-----w C:\Program Files\Windows NT
2007-06-13 16:23:32 -------- d-----w C:\Program Files\Motorola Phone Tools
2007-05-28 14:25:51 -------- d-----w C:\DOCUME~1\zane\APPLIC~1\Azureus
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-28 18:54:31 -------- d-----w C:\Program Files\Kodak Digital Science
2007-04-28 18:54:31 -------- d-----w C:\Program Files\Common Files\Kodak
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 14:12]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
C:\WINDOWS\p_981116.exe /Q:A
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c09cef3-4187-11d8-bb24-806d6172696f}]
AutoRun\command- D:\slideshow.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-06-28 10:15:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
cmd.exe [2504]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-28 10:16:11
C:\ComboFix-quarantined-files.txt ... 2007-06-28 10:16
C:\ComboFix2.txt ... 2007-06-27 18:04
--- E O F ---"
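Added example, not part of the post above and not code from HijackThis, ComboFix or the forum helpers: a small parser for the HijackThis log format shown in this thread, with a first-pass triage over the parsed entries. The sample log is built from lines taken from the post (the wrapped lines rejoined, the "..." in the O16 URL left as it appears on the page) plus the O2 BHO entry the poster says they had already removed. The triage rules (orphaned "(file missing)" loading points, BHOs registered with "(no name)", R0/R1 start or search pages set to a non-HTTP value, and O16 downloaded ActiveX controls listed for review) are heuristics chosen for this example, not rules from the tools or the thread, and each hit still needs a human look.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted above,
# with wrapped lines rejoined. The header and process-list lines are kept
# to show that the parser skips them.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {AA72DDA4-672D-4783-8FD4-4BB3CDE8A409} - C:\WINDOWS\system32\mljji.dll (file missing)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Registry-style {GUID} as used for BHOs, DPF controls and SharedTaskScheduler items.
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter paths ending in a file extension we care about; spaces allowed
# because "Program Files" paths are common in these logs.
WINPATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|lnk|cab|js)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # section code, e.g. "O2", "R0", "O23"
    body: str            # everything after "<kind> - "
    clsid: Optional[str] # first {GUID} in the body, if any
    paths: List[str]     # Windows file paths referenced by the entry
    file_missing: bool   # HijackThis appended "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log; header and process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID.search(body)
        entries.append(Entry(
            kind=m.group("kind"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            paths=WINPATH.findall(body),
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries: List[Entry]) -> List[dict]:
    """First-pass heuristics for a reviewer (this example's rules, not HijackThis's)."""
    findings: List[dict] = []

    def flag(e: Entry, reason: str) -> None:
        findings.append({"kind": e.kind, "clsid": e.clsid, "paths": e.paths, "reason": reason})

    for e in entries:
        if e.file_missing:
            # A loading point whose target is gone: either the file was already
            # removed (as in this thread) or the entry is stale and should go too.
            flag(e, "loading point references a file that is no longer on disk")
        if e.kind == "O2" and "(no name)" in e.body:
            # Legitimate BHOs almost always carry a display name.
            flag(e, "BHO registered without a display name")
        if e.kind in ("R0", "R1") and "=" in e.body:
            value = e.body.split("=", 1)[1].strip()
            if not value.lower().startswith(("http://", "https://")):
                flag(e, f"start/search page set to non-HTTP value {value!r}")
        if e.kind == "O16":
            # Downloaded ActiveX controls: list them so the hosting site can be checked.
            flag(e, "downloaded ActiveX control (DPF); confirm the hosting site is expected")
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['kind']:<4} {f['reason']}  clsid={f['clsid']} paths={f['paths']}")
```

Running it over the sample prints four findings: two for the orphaned, unnamed O2 BHO (mljji.dll), one for the about:blank start page, and one listing the Kaspersky web scanner control for review; the O4, O22 and O23 entries pass the heuristics and are left for manual inspection of vendor and path.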