Tech Support Forum: HijackThis Log Help
Registered User
Join Date: Apr 2007
Location: Zamboanga City, Philippines
Posts: 14
OS: Windows XP Professional
I need your help in this matter... For some reason, Spybot just automatically scans at startup even when I didn't set it to run at startup. And then, my SpywareGuard and Ad-Aware real-time protection alert me of .dll files being modified or added at startup. I blocked them but they persist until you allow them...

Following the advice of my friend, I tried doing malware scans. So far SuperAntispyware has the most number of detections. I removed it, but after rebooting, the problem still existed. So I tried using SmitFraudFix in safe mode and it removed some infections, but the problem concerning the startups still persists. Please help me, it's really very annoying...

I'm going to post 3 logs... HijackThis, the SuperAntiSpyware log and the one attached is the log of SmitFraudFix.... Thanks in advance!

==============================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24:38, on 7/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
O2 - BHO: (no name) - {2A65BE74-EC8D-401E-93DF-5BDA3DC05505} - (no file)
O2 - BHO: (no name) - {36F2561C-40C5-40E3-A36E-BC2272DE6180} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A2AA5CB2-B015-43C6-9807-5D1EDABD8693} - (no file)
O2 - BHO: (no name) - {E61395A7-ED0D-4721-BF2C-B177C86AA095} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3292] cmd /c del "C:\WINDOWS\system32\jkkHWOIy.dll"
O4 - Startup: FreeRAM XP Pro.lnk = C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkHWOIy - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 4988 bytes

==================================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/20/2008 at 03:11 PM

Application Version : 4.15.1000

Core Rules Database Version : 3508
Trace Rules Database Version: 1499

Scan type : Complete Scan
Total Scan Time : 00:21:36

Memory items scanned : 327
Memory threats detected : 3
Registry items scanned : 4823
Registry threats detected : 15
File items scanned : 20550
File threats detected : 21

Trojan.Vundo-Variant/Small
    C:\WINDOWS\SYSTEM32\UCYUKKEC.DLL
    C:\WINDOWS\SYSTEM32\UCYUKKEC.DLL
    C:\WINDOWS\SYSTEM32\UVUUGZ.DLL
    C:\WINDOWS\SYSTEM32\XGJHQD.DLL

Trojan.Vundo-Variant/Small-GEN
    C:\WINDOWS\SYSTEM32\JKKHWOIY.DLL
    C:\WINDOWS\SYSTEM32\JKKHWOIY.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}
    HKCR\CLSID\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}
    HKCR\CLSID\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}\InprocServer32
    HKCR\CLSID\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66AEE125-0509-4B6A-ADCD-F0AFD47473C4}
    HKCR\CLSID\{66AEE125-0509-4B6A-ADCD-F0AFD47473C4}
    HKCR\CLSID\{66AEE125-0509-4B6A-ADCD-F0AFD47473C4}\InprocServer32
    HKCR\CLSID\{66AEE125-0509-4B6A-ADCD-F0AFD47473C4}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkHWOIy

Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\EFCBURQJ.DLL
    C:\WINDOWS\SYSTEM32\EFCBURQJ.DLL

Trojan.DLLCache32-Fake [dllcache32.exe]
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\DLLCACHE32.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\DLLCACHE32.EXE
    C:\WINDOWS\Prefetch\DLLCACHE32.EXE-27EC63A7.pf

Adware.Tracking Cookie
    C:\Documents and Settings\Bryan Pineda\Cookies\bryan pineda@ads.chikka[2].txt
    C:\Documents and Settings\Bryan Pineda\Cookies\bryan pineda@wmvmedialease[1].txt

Trojan.Media-Codec
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\sc.html
    C:\Program Files\PCHealthCenter\sex1.ico
    C:\Program Files\PCHealthCenter

Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\aoprndtws
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP
    HKU\S-1-5-21-299502267-1202660629-839522115-1003\Software\Microsoft\rdfa

BearShare File Sharing Client
    C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
    C:\WINDOWS\Prefetch\BEARSHARE.EXE-28E0B5DC.pf

Trojan.Vundo-Variant/Small-V2
    C:\WINDOWS\SYSTEM32\TBDDEOPR.DLL
    C:\WINDOWS\SYSTEM32\YINOYPLX.DLL

=================================================================