Windows - No Disk. Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
kennyk New Member Date Joined Jun 2007 Total Posts : 4 Posted 6-14-2007 5:51 (GMT +1)
Hi, I get the "Window - No Disk" message popping up whenever Windows starts, and Internet Explorer keeps popping up too. I did a scan using AVG Anti-Spyware and found an Adware.Virtumonde threat in C:\Windows\System32\khfeeda.dll. Attempts to delete or quarantine it fail! What should I do? Below is my HijackThis log. Please advise. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\uyhkjnrp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\KENNYK~1\LOCALS~1\Temp\Rar$EX90.422\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppstream.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\dbskahcb.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\uyhkjnrp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14325 Posted 6-14-2007 6:14 (GMT +1)
Hi kennyk and welcome
Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK .
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Download and install DrWebCureit:
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select "Delete".
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web, along with C:\vundofix.txt and a new HijackThis log, in your next reply and tell how things are running.
Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
kennyk New Member Date Joined Jun 2007 Total Posts : 4 Posted 6-14-2007 2:02 (GMT +1)
Hi Touch, thanks for the quick reply. As per your instructions I carried out the scans and the results are as follows:

VundoFix V6.5.0

Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:31:26 PM 6/14/2007

Listing files found while scanning....
C:\windows\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.tmp
C:\windows\system32\gebyaxw.dll
C:\WINDOWS\system32\geedd.dll
C:\windows\system32\khfeeda.dll

Beginning removal...
Attempting to delete C:\windows\system32\ddeeg.bak1
C:\windows\system32\ddeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddeeg.tmp
C:\WINDOWS\system32\ddeeg.tmp Has been deleted!
Attempting to delete C:\windows\system32\gebyaxw.dll
C:\windows\system32\gebyaxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.
Attempting to delete C:\windows\system32\khfeeda.dll
C:\windows\system32\khfeeda.dll Could not be deleted.
Performing Repairs to the registry.
Done!

Beginning removal...
Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!
Attempting to delete C:\windows\system32\khfeeda.dll
C:\windows\system32\khfeeda.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
DrWeb Log report:
pmbiheih.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
A0064246.dll;C:\System Volume Information\_restore{29849A7D-49FA-4B0C-8A95-BF5C1D026E30}\RP502;Trojan.DownLoader.18487;Deleted.;
A0068680.dll;C:\System Volume Information\_restore{29849A7D-49FA-4B0C-8A95-BF5C1D026E30}\RP509;Trojan.Virtumod;Deleted.;
A0069816.dll;C:\System Volume Information\_restore{29849A7D-49FA-4B0C-8A95-BF5C1D026E30}\RP509;Trojan.Virtumod;Deleted.;
A0069822.dll;C:\System Volume Information\_restore{29849A7D-49FA-4B0C-8A95-BF5C1D026E30}\RP509;Trojan.Virtumod;Deleted.;
A0069823.dll;C:\System Volume Information\_restore{29849A7D-49FA-4B0C-8A95-BF5C1D026E30}\RP509;Trojan.Virtumod;Deleted.;
gebyaxw.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
geedd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
khfeeda.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmbiheih.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;

Logfile of HijackThis v1.99.1
Scan saved at 8:54:20 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
C:\DOCUME~1\KENNYK~1\LOCALS~1\Temp\Rar$EX00.891\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppstream.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pmbiheih.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\khfeeda.dll (file missing)
O2 - BHO: (no name) - {CB313540-96BC-4D8D-B6B4-D84B3018A634} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\dbskahcb.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uyhkjnrp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

After reboot, my AVG Anti-Spyware 7.5 found another infection (in uyhkjnrp.exe) and I removed it (hopefully). Everything seems to be operating fine. Awaiting your diagnosis. :P
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14325 Posted 6-15-2007 5:39 (GMT +1)
It looks better
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT. Click fix checked:
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\pmbiheih.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\khfeeda.dll (file missing)
O2 - BHO: (no name) - {CB313540-96BC-4D8D-B6B4-D84B3018A634} - C:\WINDOWS\system32\geedd.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\dbskahcb.dll",realset
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\uyhkjnrp.exe (file missing)
You may want to print this or save it to notepad as we will go to safe mode.
Please set your system to show all files. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck Hide file extensions for known file types. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
Delete-
Files:
C:\WINDOWS\SYSTEM32\winwea32.dll
Reboot normally
Please download Combofix:
download.bleepingcomputer.com/sUBs/ComboFix.exe and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
kennyk New Member Date Joined Jun 2007 Total Posts : 4 Posted 6-15-2007 10:23 (GMT +1)
Hi Touch! I have a problem deleting C:\WINDOWS\SYSTEM32\winwea32.dll: ACCESS BEING DENIED.

ComboFix 07-06-13.3 - C:\Documents and Settings\Kenny Koh\Desktop\ComboFix.exe
"Kenny Koh" - 2007-06-15 17:17:10 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dbskahcb.dll
C:\WINDOWS\system32\vtogdgjp.dll
C:\WINDOWS\system32\winwea32.dll
C:\WINDOWS\system32\bchaksbd.ini
C:\WINDOWS\system32\pjgdgotv.ini

* * * POST RUN FILES/FOLDERS * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\drsmartload2.dat

((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))
2007-06-15 17:16 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 16:45 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-15 01:35 <DIR> d-------- C:\DOCUME~1\KENNYK~1\APPLIC~1\Ulead Systems
2007-06-15 01:33 49,152 --------- C:\WINDOWS\system32\INETWH32.dll
2007-06-15 01:33 <DIR> d-------- C:\Program Files\Ulead Systems
2007-06-15 01:33 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-06-14 18:59 <DIR> d-------- C:\DOCUME~1\KENNYK~1\DoctorWeb
2007-06-14 02:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-14 02:33 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-14 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
2007-06-13 23:07 <DIR> d-------- C:\Program Files\Sophos
2007-06-07 21:35 1,197 --a------ C:\WINDOWS\checkip.dat
2007-06-04 15:02 <DIR> d-------- C:\DOCUME~1\KENNYK~1\APPLIC~1\GameHouse
2007-06-04 15:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-06-03 21:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-06-03 20:50 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-06-02 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-06-02 21:09 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-21 22:24 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-05-21 22:24 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-05-21 22:24 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-05-21 22:24 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-05-21 22:24 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-05-21 22:24 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-05-21 22:24 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-05-21 22:24 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-14 17:33:34 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-14 13:12:01 -------- d-----w C:\Program Files\Malicious Software Removal Tool
2007-06-13 18:42:49 -------- d-----w C:\DOCUME~1\KENNYK~1\APPLIC~1\ppstream
2007-06-13 13:33:46 -------- d-----w C:\DOCUME~1\KENNYK~1\APPLIC~1\PlayFirst
2007-06-13 13:24:28 -------- d-----w C:\Program Files\GameHouse
2007-06-10 06:42:23 -------- d-----w C:\Program Files\PPStream
2007-06-09 19:08:05 -------- d-----w C:\Program Files\PPLive
2007-06-03 20:16:36 -------- d-----w C:\Program Files\eMule
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 09:08:36 -------- d-----w C:\DOCUME~1\KENNYK~1\APPLIC~1\GetRightToGo
2007-05-12 09:08:14 -------- d-----w C:\Program Files\NJStar Communicator
2007-05-12 09:08:14 -------- d-----w C:\DOCUME~1\KENNYK~1\APPLIC~1\NJStar
2007-05-12 08:46:02 -------- d-----w C:\Program Files\Chinese Star XP
2007-05-01 17:58:31 -------- d-----w C:\DOCUME~1\KENNYK~1\APPLIC~1\BitTorrent
2007-05-01 17:53:54 -------- d-----w C:\Program Files\BitTorrent
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 13:17:56 -------- d-----w C:\Program Files\MSN Messenger
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 20:12]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}=C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2004-02-10 14:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-17 02:27]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-24 12:34]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 21:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 20:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3500 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O5 "LPT1:" /M "Stylus CX3500"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\vtogdgjp.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"WebClient"=2 (0x2)
"WmiApSrv"=3 (0x3)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"LmHosts"=2 (0x2)
"SCardSvr"=3 (0x3)
"lanmanserver"=2 (0x2)
"seclogon"=2 (0x2)
"SSDPSRV"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"mnmsrvc"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"Alerter"=2 (0x2)

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 17:20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-06-15 17:21:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-15 17:21
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 5:27:07 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\KENNYK~1\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppstream.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.lyricshosting.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14325 Posted 6-15-2007 11:21 (GMT +1)
Thought so; however, ComboFix got rid of it.
Hijack log looks clean. How are things running now?
kennyk New Member Date Joined Jun 2007 Total Posts : 4 Posted 6-15-2007 2:32 (GMT +1)
Everything seems to be running smoothly, just a little bit laggy, but I guess everything should be fine. Thanks Touch! You are a real great help! :)
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14325 Posted 6-16-2007 5:55 (GMT +1)
My pleasure
You may want to read TonyKlein's article about how to prevent against spyware/hijackers in the future.
Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM a Moderator and we will reopen it for you