Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Live Safety Center and Online Security Guide icons Trojan Live Safety Center and Online Security Guide icons Trojan
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 10-23-2007, 07:07 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 7
OS: XP


Live Safety Center and Online Security Guide icons Trojan
Please help. Have a trojan I cannot fully remove. The symptoms are setting off avast virus detector, 2 icons on the desktop one called Safety Center and one called Online Security Guide. Also constant redirection to an spyware removal website.

Have already run vundofix.exe and combofix.exe, which seems to have temporarily fixed the problem. From the hijack this log can you tell if the problem is completely resolved?

Hijack This log below

Logfile of HijackThis v1.99.1
Scan saved at 14:21:26, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital Music Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.opinionsquare.com/Config/CSetup_xp.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Last edited by frenchfry : 10-23-2007 at 07:35 AM. Reason: Additional Information
frenchfry is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-25-2007, 09:31 PM   #2 (permalink)
Analyst, Security Team
 
MoralTerror's Avatar
 
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp


Re: Live Safety Center and Online Security Guide icons Trojan
Hi frenchfry and welcome to TSF

Sorry for the delay getting to you, the forum has been really busy and all our helpers are volunteers.

Please post the logs from vundofix and combofix

------------------
Required Logs

c:\vundofix.txt
c:\combofix.txt
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-26-2007, 12:26 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 7
OS: XP


Re: Live Safety Center and Online Security Guide icons Trojan
here are the logs - I have now installed the latest version of Java

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 12:15:31 23/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\bqdldihw.dll
C:\WINDOWS\system32\iowxnjsj.ini
C:\WINDOWS\system32\jsjnxwoi.dll
C:\WINDOWS\system32\xkdblygw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bqdldihw.dll
C:\WINDOWS\system32\bqdldihw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iowxnjsj.ini
C:\WINDOWS\system32\iowxnjsj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jsjnxwoi.dll
C:\WINDOWS\system32\jsjnxwoi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xkdblygw.dll
C:\WINDOWS\system32\xkdblygw.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 12:48:03 23/10/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 13:31:23 23/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:13:29 24/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\fsjyxemu.dll
C:\WINDOWS\system32\nhtlksbj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fsjyxemu.dll
C:\WINDOWS\system32\fsjyxemu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nhtlksbj.dll
C:\WINDOWS\system32\nhtlksbj.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:45:54 24/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\nhtlksbj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nhtlksbj.dll
C:\WINDOWS\system32\nhtlksbj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:03:41 25/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\kbbnakvy.dll
C:\WINDOWS\system32\rodwexcv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kbbnakvy.dll
C:\WINDOWS\system32\kbbnakvy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rodwexcv.dll
C:\WINDOWS\system32\rodwexcv.dll Has been deleted!

Performing Repairs to the registry.
Done!

combofix log

ComboFix 07-10-23.2 - Mummy & Daddy 2007-10-25 11:18:10.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.152 [GMT 2:00]
Running from: C:\Documents and Settings\Mummy & Daddy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Mummy & Daddy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Mummy & Daddy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Mummy & Daddy\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c00CEE79.dat
C:\WINDOWS\system32\byxwv.dll
C:\WINDOWS\system32\kbbnakvy.dllbox
C:\WINDOWS\system32\vwxyb.bak1
C:\WINDOWS\system32\vwxyb.bak2
C:\WINDOWS\system32\vwxyb.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-25 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 09:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-25 01:16 84,544 --a------ C:\WINDOWS\system32\gacsnedk.dll
2007-10-25 01:13 340,032 --a------ C:\WINDOWS\system32\ofrtbeho.dll
2007-10-25 01:10 10,816 --a------ C:\WINDOWS\system32\dxbtwske.dll
2007-10-24 11:28 <DIR> d--hs---- C:\FOUND.001
2007-10-24 11:05 340,032 --a------ C:\WINDOWS\system32\ybecrsqm.dll
2007-10-24 11:05 19,520 --a------ C:\WINDOWS\system32\fdeaqfoh.dll
2007-10-23 19:49 <DIR> C:\Documents and Settings\Mummy 2007-10-23 19:49 <DIR> Daddy\Application Data\Help
2007-10-23 13:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-23 12:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 12:15 <DIR> d-------- C:\VundoFix Backups
2007-10-23 11:44 340,032 --a------ C:\WINDOWS\system32\kkamenlg.dll
2007-10-22 23:37 <DIR> d--h----- C:\Program Files\BHOvX
2007-10-22 23:37 145,929 --a------ C:\WINDOWS\system32\sysdl132.exe
2007-10-22 23:37 55,808 --------- C:\WINDOWS\system32\sysdl133.exe
2007-10-22 23:37 33,792 --a------ C:\WINDOWS\system32\rqroppn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 23:27 --------- d-----w C:\Program Files\Real
2007-08-31 23:27 --------- d-----w C:\Program Files\Common Files\Real
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-08-15 22:30 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-08-15 22:30 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-23_12.45.02.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-27 12:48:00 465,472 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2007-03-13 08:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-10-25 09:22:14 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A27835AD-3A92-13DA-8324-0913200C9AA3}]
2007-10-22 23:37 95232 --a------ C:\Program Files\BHOvX\ie-improver.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 11:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-11 01:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-11 01:51]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-30 11:30]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 00:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-07 12:44]
"320d18a1"="C:\WINDOWS\system32\gacsnedk.dll" [2007-10-25 01:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 17:47]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byxwv.dll

R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 11:22:31
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 11:24:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-24 12:05
C:\ComboFix3.txt ... 2007-10-24 11:44
.
--- E O F ---
frenchfry is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-26-2007, 04:35 PM   #4 (permalink)
Analyst, Security Team
 
MoralTerror's Avatar
 
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp


Re: Live Safety Center and Online Security Guide icons Trojan
Hi frenchfry

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\rqroppn.dll
C:\WINDOWS\system32\gacsnedk.dll
C:\WINDOWS\system32\ofrtbeho.dll
C:\WINDOWS\system32\dxbtwske.dll
C:\WINDOWS\system32\ybecrsqm.dll
C:\WINDOWS\system32\fdeaqfoh.dll
C:\WINDOWS\system32\kkamenlg.dll
C:\WINDOWS\system32\byxwv.dll

Folder::
C:\Program Files\BHOvX

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A27835AD-3A92-13DA-8324-0913200C9AA3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"320d18a1"=-
Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

---------------------------
Required Logs

c:\combofix.txt
kaspersky report
a new HijackThis log <<< taken after the online scan


Please also provide an update on system behaviour and details of any problems you may have encountered while carrying out these instructions
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-27-2007, 03:28 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 7
OS: XP


Re: Live Safety Center and Online Security Guide icons Trojan
Since running the last cobofix, vnufix and spybot s&d in safe mode and updating java the virus has not come back, which it was doing on a daily basis before. System has been running fine. When ran combofix today, it did come up with a error box saying a file not found (forgot to note the name), but combofix details are below along with the other logs requested.

ComboFix 07-10-23.2 - Mummy & Daddy 2007-10-27 11:19:54.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT 2:00]
Running from: C:\Documents and Settings\Mummy & Daddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mummy & Daddy\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\byxwv.dll
C:\WINDOWS\system32\dxbtwske.dll
C:\WINDOWS\system32\fdeaqfoh.dll
C:\WINDOWS\system32\gacsnedk.dll
C:\WINDOWS\system32\kkamenlg.dll
C:\WINDOWS\system32\ofrtbeho.dll
C:\WINDOWS\system32\rqroppn.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\ybecrsqm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BHOvX
C:\Program Files\BHOvX\bho.dat
C:\Program Files\BHOvX\er.dat
C:\Program Files\BHOvX\ie-improver.dll
C:\Program Files\BHOvX\uninstall.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dxbtwske.dll
C:\WINDOWS\system32\fdeaqfoh.dll
C:\WINDOWS\system32\gacsnedk.dll
C:\WINDOWS\system32\kkamenlg.dll
C:\WINDOWS\system32\ofrtbeho.dll
C:\WINDOWS\system32\rqroppn.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\ybecrsqm.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-25 11:39 <DIR> d-------- C:\Program Files\Java
2007-10-25 11:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-25 11:39 <DIR> C:\Documents and Settings\Mummy 2007-10-25 11:39 <DIR> Daddy\Application Data\Sun
2007-10-25 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 09:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-24 11:28 <DIR> d--hs---- C:\FOUND.001
2007-10-23 19:49 <DIR> C:\Documents and Settings\Mummy 2007-10-23 19:49 <DIR> Daddy\Application Data\Help
2007-10-23 13:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-23 12:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 12:15 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 23:27 --------- d-----w C:\Program Files\Real
2007-08-31 23:27 --------- d-----w C:\Program Files\Common Files\Real
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-15 22:33 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-08-15 22:30 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-08-15 22:30 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-23_12.45.02.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-27 12:48:00 465,472 ----a-w C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2007-03-13 08:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-13 08:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-09-24 20:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 20:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 21:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-10-27 09:23:26 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 11:52]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-11 01:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-11 01:51]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-07-30 11:30]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 00:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-07 12:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 17:47]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 11:23:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 11:24:50 - machine was rebooted
C:\ComboFix3.txt ... 2007-10-24 12:05
C:\ComboFix2.txt ... 2007-10-25 11:24
.
--- E O F ---

Kaspersky Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 11:39:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 446971
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\MUMMY&~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 14862
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:07:49

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

Scan process completed.

Hijack This Report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:07, on 27/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital Music Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.opinionsquare.com/Config/CSetup_xp.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7097 bytes
Last edited by frenchfry : 10-27-2007 at 03:41 AM.
frenchfry is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-27-2007, 09:21 AM   #6 (permalink)
Analyst, Security Team
 
MoralTerror's Avatar
 
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp


Re: Live Safety Center and Online Security Guide icons Trojan
Hi frenchfry

Quote:
it did come up with a error box saying a file not found (forgot to note the name)
no probs I was expecting that to happen

Your logs are clean if there are no more issues you should be good to go

Kindly follow these simple steps in order to keep your computer clean and secure:

  1. REMOVE VUNDOFIX
    Vundofix is updated regularly, should you ever need it again you would need to download a fresh copy. Please delete vundofix.exe and the following quarantine folder

    C:\ VundoFix Backups


  2. UNINSTALL COMBOFIX
    This process will also perform some final cleanup steps
    Click Start > Run and type ComboFix /u

  3. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  5. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  6. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  7. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-27-2007, 11:34 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 7
OS: XP


Re: Live Safety Center and Online Security Guide icons Trojan
Great, thanks a lot for your help. Having read other posts is it wise to create a restore point and delete any old ones? Once you have answered please feel free to close.

Thanks Again
frenchfry is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 10-27-2007, 12:14 PM   #8 (permalink)
Analyst, Security Team
 
MoralTerror's Avatar
 
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp


Re: Live Safety Center and Online Security Guide icons Trojan
Your very welcome glad we could help.

Combofix resets System Restore and creates a new restore point for you when it's uninstalled.

Safe surfing
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You <