[RESOLVED] phast2 - Hijack This Log - 20080119
-
Briefly, here's my situation:
1. I notice that, in my Security Center, Firewall and Virus Protection are sometimes being turned OFF. When I notice this, and then reboot, Firewall and Virus Protection are then back ON (at least at first).
2. I am having problems with Windows IE browsers crashing with the "Please Tell Microsoft - Send Error Report - Don't Send" dialog. I've never detected any useful information by selecting "Send Error Report," so I don't bother.
3. I did uninstall Windows IE Version 7 (which I had installed some time ago) but that hasn't really helped anything. So I'm back to Windows IE Version 6 and I did download what are [supposedly and hopefully] the latest updates for it. I'm not sure yet if the browser crashing has now gone away completely or not.
4. When I open up System Restore and attempt to restore to an earlier checkpoint, there are no previous checkpoints from which to select. This one seems particularly weird.
5. I have McAfee Virus Scan Enterprise 7.1.0, with Virus Definitions 5211 dated January 18, 2008 and Scan Engine 5.2.00. When I run a C: drive scan, I get no problems.
6. I ran SpyBot S&D 1.5, got latest updates, and the scan then found and fixed about 17 problems.
7. Below is my HiJack This log and Uninstall List.
*********************************************************
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:01 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\5xbss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...Me69ZMbubcDsHkhWqtO3eth9W0jfe6BbnIIdf+hwnn2y+Fm5JPWlurvOphJ6YLGe/BI2ijTsJz8VSVR7HXS3CwS1XjT3IoUdhzdZW/eV7nESX3L8Jz3LTNtwqVCCkh7dypoxYaaGaEfyVqD75s4BAIf2 arLzdWzkqiwCLBgYo8s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AF249B9-12FE-46E9-8A7D-1769AB365117} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {0DC67DF6-35EB-415D-8791-EF74CA26DE45} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {4C878D2F-44D8-497B-A53F-EF6681C46428} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {532A3409-5F61-4C1E-856A-E723698547AC} - c:\windows\system32\browsewmv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C6ED45-996B-4768-B0CB-AC2F618A80F1} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {57D9E5AA-7AFA-44F9-B4EC-D82AB18F85EC} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {5D48B8D5-B283-44E3-8B0F-381A0063E731} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {657E7AB3-4D72-43E5-9253-735A16C938BD} - c:\windows\system32\browsewmv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7633203B-2813-42A9-975B-546EA9FA803F} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {7CFE1761-C85C-48F5-A24F-D218031DBD9F} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {8FF2C535-535A-4E55-ACD4-21EE28F7F186} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {97C95FC9-5972-4E2E-A51D-329607C26132} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {AC692467-A702-4251-B624-E806ECF00B9C} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {C72B9CC8-10EF-4203-BEE6-50835B461BE7} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E2639859-DF57-4D37-A1BF-438B07D9B0AF} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {EDA9B3BC-8EB4-48E3-99FD-158252E0CCCC} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...s/en/x86/client/muweb_site.cab?1136528112234
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - https://timekeeper.cmh.edu/WFC/plugi...ndows-i586.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/....akamai.com/6712/player/install/installer.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Unknown owner - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
--
End of file - 11111 bytes
*********************************************************
Uninstall List:
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 8.1.1
Ahead InCD EasyWrite Reader
Apple Software Update
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
Audacity 1.2.4
AVG Anti-Spyware 7.5
Barbie(TM) Beauty Boutique(TM) CD-ROM
BitPim 0.9.12
BlueSoleil
Canon Camera Window for ZoomBrowser EX
Canon CanoScan Toolbox 4.0
Canon PhotoRecord
Canon PIXMA iP1500
Canon Utilities Easy-PhotoPrint
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CanoScan LiDE20,30 Manual
Clue
C-Media WDM Audio Driver
DirectX Media Runtime 5.1
DivX
DivX Player
Easy-WebPrint
eGames GameButler
eRAS Extranet Access Client
FREE Hi-Q Recorder 1.92
Gotta Groove(TM) CD-ROM
Great Adventures by Fisher-Price: Castle
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hoyle Casino '98
Hoyle Classic Games
Hoyle Mahjong Tiles
InCD
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_05
Java Web Start
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Lernout & Hauspie TruVoice for Microsoft Agent
LogiSphere
Macromedia Flash Player 8
Macromedia Shockwave Player
MasterSplitter Program
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 99
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft Works 4.5
Microsoft Works Calendar 1.0
Microsoft Works Setup Launcher
Miss Spider
Motorola V3m(Sprint) USB - Handset Manager V9.2
Move Networks Player for Internet Explorer
MSN
MSN Messenger 7.5
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Multimedia Samples
My Amazing Human Body
My Disney Kitchen
Napster
Napster Burn Engine
Nero OEM
NeroMediaPlayer
NeroVision Express
OLYMPUS Master 2
OLYMPUS muvee theaterPack
OmniPage SE
Pagis Pro 2.0
PC Inspector smart recovery
Pdf995
PdfEdit995
PHOTORECOVERY 3.0
Poker Master
QuickTime
Reader Rabbit Math Ages 6-9
RealArcade
RealPlayer
S3 S3Chromo
S3 S3Config3D
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3 S3RefreshLock
S3 S3TrayPlus
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Sierra Utilities
SiteUnseen
SmartCDRipper Pro
Sprint Mobile Broadband for Phone as Modem
Sprint Remote Access Dialer
Spybot - Search & Destroy
StarFlyers Royal Jewel Rescue
Sygate Security Agent 3.5
TaxCut Premium 2006
Tera Term Pro
The Go Ronald Games
The Wild Thornberrys(TM) Rambler(TM)
Time Zone Data Update Tool for Microsoft Office Outlook
TWAIN Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Virtools 3D Life Player
Who Wants To Be A Millionaire
Who Wants To Be A Millionaire 2nd Edition
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Joiner 1.2
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Xerox WC470cx Printer Driver
-
Please do not post your log using 'word wrap' as this makes the readability very poor.
Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox: - C:\WINDOWS\system32\5xbss.exe
Click Send.
Please post the results of this scan to this thread.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...TsJz8VSVR7HXS3CwS1XjT3IoUdhzdZW/eV7nESX3L8Jz3LTNtwqVCCkh7dypoxYaaGaEfyVqD75s4BAIf2 arLzdWzkqiwCLBgYo8s
O2 - BHO: (no name) - {0AF249B9-12FE-46E9-8A7D-1769AB365117} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {0DC67DF6-35EB-415D-8791-EF74CA26DE45} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {4C878D2F-44D8-497B-A53F-EF6681C46428} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {532A3409-5F61-4C1E-856A-E723698547AC} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {53C6ED45-996B-4768-B0CB-AC2F618A80F1} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {57D9E5AA-7AFA-44F9-B4EC-D82AB18F85EC} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {5D48B8D5-B283-44E3-8B0F-381A0063E731} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {657E7AB3-4D72-43E5-9253-735A16C938BD} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {7633203B-2813-42A9-975B-546EA9FA803F} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {7CFE1761-C85C-48F5-A24F-D218031DBD9F} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {8FF2C535-535A-4E55-ACD4-21EE28F7F186} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {97C95FC9-5972-4E2E-A51D-329607C26132} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {AC692467-A702-4251-B624-E806ECF00B9C} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {C72B9CC8-10EF-4203-BEE6-50835B461BE7} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E2639859-DF57-4D37-A1BF-438B07D9B0AF} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {EDA9B3BC-8EB4-48E3-99FD-158252E0CCCC} - c:\windows\system32\browsewmv.dll
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
DELETE FILES: (upon reboot if necessary):
C:\WINDOWS\SYSTEM32\browsewmv.dll
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
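The pattern the helper picks out by eye above (one unnamed DLL registered as a BHO under many CLSIDs, the same DLL hooked as a Winlogon Notify package, and a Run value that appears in both HKLM and HKCU) can be checked mechanically. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis or from the helper. Its input is a constructed excerpt of the log posted above (a few lines copied verbatim plus benign entries for contrast), and the regexes, function names and the "both hives, inside system32" heuristic are this example's own assumptions rather than any published rule. It also reports the R1 ProxyServer line the helper did not mention, because a proxy on localhost with no local proxy software in the uninstall list is worth a second look.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread (an excerpt, not the whole log) plus two benign entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AF249B9-12FE-46E9-8A7D-1769AB365117} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {0DC67DF6-35EB-415D-8791-EF74CA26DE45} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {4C878D2F-44D8-497B-A53F-EF6681C46428} - c:\windows\system32\browsewmv.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
"""

# Line shapes as HijackThis 2.0.2 prints them (assumed from the log above).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)


def norm(path):
    """Case-fold and drop quotes so the O2, O4 and O20 spellings of one file compare equal."""
    return path.strip().strip('"').lower()


def triage(log_text):
    """Walk a HijackThis log and return the persistence findings a reviewer would check."""
    bho_by_dll = defaultdict(list)     # dll path -> [(display name, CLSID)]
    notify_dlls = []                   # DLLs registered under Winlogon\Notify
    run_by_value = defaultdict(dict)   # Run value name -> {hive: exe path}
    proxy = None
    for line in log_text.splitlines():
        if m := BHO_RE.match(line):
            bho_by_dll[norm(m["path"])].append((m["name"], m["clsid"]))
        elif m := RUN_RE.match(line):
            if exe := EXE_RE.match(m["cmd"]):
                run_by_value[m["value"]][m["hive"]] = norm(exe["exe"])
        elif m := NOTIFY_RE.match(line):
            notify_dlls.append(norm(m["path"]))
        elif m := PROXY_RE.match(line):
            proxy = m["proxy"].strip()

    # 1. One DLL registered under several CLSIDs, none of them named: removing a
    #    single CLSID leaves the add-on loaded, so the whole group is reported.
    nameless = {dll: [clsid for _, clsid in regs]
                for dll, regs in bho_by_dll.items()
                if len(regs) > 1 and all(name == "(no name)" for name, _ in regs)}
    # 2. A BHO DLL that is also a Winlogon Notify package is mapped into
    #    winlogon.exe from logon onward, which is why a plain delete from a
    #    normal session fails with "Access is denied".
    locked = [dll for dll in notify_dlls if dll in bho_by_dll]
    # 3. The same Run value in both hives pointing at one executable inside the
    #    Windows system directory: redundant autostart, rarely seen on legitimate software.
    dual = [(value, hives["HKLM"]) for value, hives in run_by_value.items()
            if "HKLM" in hives and "HKCU" in hives
            and hives["HKLM"] == hives["HKCU"]
            and "\\system32\\" in hives["HKLM"]]
    return {"nameless_bho_dlls": nameless, "locked_notify_dlls": locked,
            "dual_hive_run": dual, "proxy": proxy}


def fix_list(log_text):
    """Lines to tick in HijackThis: every O2/O20 entry that points at a flagged DLL."""
    findings = triage(log_text)
    flagged = set(findings["nameless_bho_dlls"]) | set(findings["locked_notify_dlls"])
    return [line for line in log_text.splitlines()
            if (m := BHO_RE.match(line) or NOTIFY_RE.match(line)) and norm(m["path"]) in flagged]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("\nTick these in HijackThis:")
    print("\n".join(fix_list(SAMPLE_LOG)))
```

Paste a full log into SAMPLE_LOG (or read it from a file) and treat the output as a review list, not as something to remove unread: the heuristics are deliberately narrow so that every hit needs a human decision, and a clean run says nothing about entries the regexes do not cover.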
-
Virus Total Results: (Sorry, didn't know which format to try for. Also, new Hijack This log will follow in next post).
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.20 TR/Crypt.Morphine.Gen
Authentium 4.93.8 2008.01.20 -
Avast 4.7.1098.0 2008.01.19 -
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 (Suspicious) - DNAScan
ClamAV 0.91.2 2008.01.20 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 Suspicious File
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.19 -
F-Prot 4.4.2.54 2008.01.19 W32/Heuristic-114!Eldorado
F-Secure 6.70.13260.0 2008.01.19 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.20 2008.01.20 Trojan-Spy.Win32.BZub.btx
Kaspersky 7.0.0.125 2008.01.20 Heur.Trojan.Generic
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 VirTool:Win32/Obfuscator.Q
NOD32v2 2807 2008.01.19 a variant of Win32/Small.BB
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.19 Suspicious file
Prevx1 V2 2008.01.20 -
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.20 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.20 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.19 -
Webwasher-Gateway 6.0.1 2008.01.20 Trojan.Crypt.Morphine.Gen
Additional information
File size: 16384 bytes
MD5: a20087631df1c825ae8ff026e75bdadf
SHA1: d018fbb3d517b8057d65e97a494fbc821b1d72bd
PEiD: -
packers: UPX
-
Thanks for your help.
I am unable to delete file C:\WINDOWS\SYSTEM32\browsewmv.dll. Error message is: "Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
I tried taking read-only off of the SYSTEM32 directory, but that didn't help. (That directory is back to read-only now.)
New Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:13 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\5xbss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61C79349-454C-499B-BBC9-8CF11113321E} - c:\windows\system32\browsewmv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {80431083-B9B9-4430-84E9-5B33BDE3BC67} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D9896522-A8AD-439E-9CD8-22397125AE6E} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136528112234
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - https://timekeeper.cmh.edu/WFC/plugi...ndows-i586.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Unknown owner - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
--
End of file - 9464 bytes
-
Submit the following file to VirusTotal for their analysis and post any related feedback:
C:\WINDOWS\system32\Audio3Dg.dll
-
Virus Total result:
File Audio3Dg.dll received on 01.20.2008 05:38:27 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.20 -
Authentium 4.93.8 2008.01.20 -
Avast 4.7.1098.0 2008.01.19 Win32:BHO-KD
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.20 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 Win32/Kvol!generic
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.20 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 -
Ikarus T3.1.1.20 2008.01.20 Virus.Win32.BHO.KD
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2807 2008.01.19 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.19 Suspicious file
Prevx1 V2 2008.01.20 Generic.Malware
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.20 Sus/DelpDldr-A
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.20 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.20 -
Webwasher-Gateway 6.6.2 2008.01.20 Win32.NewMalware.VU!83968
Additional information
File size: 83968 bytes
MD5: 62051f0edcf089701b41c9bfddaae1ca
SHA1: 7a9fc2fb7276786e3a265583c87ae800728ecf24
PEiD: -
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramte...955100B1451CA1
-
Uninstall the following insecure versions of JAVA in Add/Remove Programs (Control Panel):
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_05
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Read over the following directions. Ask if anything appears unclear to you.
Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner http://www.ccleaner.com/downloadbuilds.asp
Install Options:
- Don't install any Toolbars, or other programs, should it ask you!
- Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Do not run CCleaner until requested later.
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O2 - BHO: (no name) - {61C79349-454C-499B-BBC9-8CF11113321E} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {80431083-B9B9-4430-84E9-5B33BDE3BC67} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D9896522-A8AD-439E-9CD8-22397125AE6E} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O4 - HKLM\..\Run: [5XBSS] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [5XBSS] C:\WINDOWS\system32\5xbss.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):
Run CCleaner.
FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.
Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
- Uncheck "Cookies" option (advisable)
- Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
- Click the "Analyse" button.
- Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.
***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
-- OR --
(Use <Windows+F KEYS> and paste the FULL FILENAME Search PATH lines (where available).
Windows KEY is located between the <Ctrl and Alt KEYS>.)
DELETE FILES:
c:\windows\system32\browsewmv.dll
C:\WINDOWS\system32\Audio3Dg.dll
C:\WINDOWS\system32\5xbss.exe
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
-
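The fix list above is built by reading the HijackThis log by hand: the same DLL shows up under several BHO CLSIDs and again as a Winlogon Notify handler, and one EXE is in both the HKLM and HKCU Run keys. The following is an added example, not part of this thread and not a HijackThis feature, that automates that reading. It parses the O2, O4 and O20 lines of a log, groups them by image path, and flags images hooked in more than one way or registered under more than one CLSID; a second function compares two logs and reports files whose CLSIDs changed between them. The sample input consists of lines copied from the two logs posted in this thread (trimmed to the entries under discussion plus two legitimate ones for contrast); the regexes and the flagging rules are this example's own heuristics.

```python
import re
from collections import defaultdict, namedtuple

# Sample input: lines copied from the two HijackThis logs posted in this thread
# (1/19/2008 and 1/20/2008), trimmed to the entries of interest plus two
# legitimate entries (SDHelper.dll, NeroCheck.exe) for contrast.
LOG_DAY1 = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61C79349-454C-499B-BBC9-8CF11113321E} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {80431083-B9B9-4430-84E9-5B33BDE3BC67} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D9896522-A8AD-439E-9CD8-22397125AE6E} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
"""

LOG_DAY2 = r"""
O2 - BHO: (no name) - {6ECD6D88-8C20-49A5-B373-047BA0D2C08C} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {A9E30ABA-AE51-4661-971A-5358F4F789D0} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D7D9BB61-DA03-4FC6-B066-832C818B40DB} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
"""

Entry = namedtuple("Entry", "section ident path raw")

# One pattern per HijackThis section this example understands (its own regexes).
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# First token ending in an executable extension; quoted paths with spaces are handled,
# rundll32-hosted DLLs are not resolved (the host EXE is returned instead).
_EXE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|scr))(?:"|\s|,|$)', re.IGNORECASE)


def _norm(path):
    """Case-fold and unquote so C:\\WINDOWS\\SYSTEM32 and c:\\windows\\system32 compare equal."""
    return path.strip().strip('"').lower()


def _first_image(cmd):
    """Pull the executable/DLL path out of an O4 command line, dropping its arguments."""
    m = _EXE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_hjt(text):
    """Parse O2/O4/O20 lines of a HijackThis log into Entry tuples; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := _O2.match(raw):
            entries.append(Entry("O2", m.group("clsid").upper(), _norm(m.group("path")), raw))
        elif m := _O4.match(raw):
            entries.append(Entry("O4", m.group("hive"), _norm(_first_image(m.group("cmd"))), raw))
        elif m := _O20.match(raw):
            entries.append(Entry("O20", m.group("name"), _norm(m.group("path")), raw))
    return entries


def flag_suspicious(entries):
    """Return {image_path: [reasons]} for images that deserve a closer look."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e.path].append(e)
    flagged = {}
    for path, es in by_path.items():
        reasons = []
        sections = {e.section for e in es}
        if len(sections) > 1:                      # e.g. a BHO that is also a Winlogon Notify DLL
            reasons.append("hooked via " + "+".join(sorted(sections)))
        clsids = {e.ident for e in es if e.section == "O2"}
        if len(clsids) > 1:                        # one file registered as several BHOs
            reasons.append(f"{len(clsids)} CLSIDs for one BHO image")
        if any(e.section == "O2" and "(no name)" in e.raw for e in es):
            reasons.append("unnamed BHO")
        hives = {e.ident for e in es if e.section == "O4"}
        if {"HKLM", "HKCU"} <= hives:              # same EXE in machine and user Run keys
            reasons.append("Run key in both HKLM and HKCU")
        if reasons:
            flagged[path] = reasons
    return flagged


def clsid_drift(entries_a, entries_b):
    """Paths present as BHOs in both logs whose CLSID set changed: {path: (clsids_a, clsids_b)}."""
    def clsids(entries):
        d = defaultdict(set)
        for e in entries:
            if e.section == "O2":
                d[e.path].add(e.ident)
        return d
    a, b = clsids(entries_a), clsids(entries_b)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}


if __name__ == "__main__":
    day1, day2 = parse_hjt(LOG_DAY1), parse_hjt(LOG_DAY2)
    for path, reasons in flag_suspicious(day1).items():
        print(path, "->", "; ".join(reasons))
    for path, (old, new) in clsid_drift(day1, day2).items():
        print(path, "re-registered:", sorted(old - new), "->", sorted(new - old))
```

Run against the two logs, the grouping shows why the helper's fix list keeps growing: browsewmv.dll is reachable through two hook types and re-registers under fresh CLSIDs between the 1/19 and 1/20 logs, so ticking the CLSIDs in HijackThis removes registrations while the file on disk stays in place to recreate them.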
I followed all steps above (unless I goofed on something) and got to the DELETE FILES step, but still could not delete browsewmv.dll and Audio3Dg.dll. "Access denied" on both. I was able to delete 5xbss.exe.
I rebooted to normal mode, but I now have a red Windows Security Alert in lower right corner of my screen. Clicking it says Firewall is off. "Enable Now" fails and says to try turning it on manually from Control Panel. In Control Panel, clicking on Windows Firewall yields the following message:
"Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service"?
Clicking 'Yes' yields this message:
"Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."
(With no additional reason as to why or anything.)
I am sending this from a different computer now.
Latest Hijack This log (from the computer with the problem) follows directly in next post.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:23 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ECD6D88-8C20-49A5-B373-047BA0D2C08C} - c:\windows\system32\browsewmv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A9E30ABA-AE51-4661-971A-5358F4F789D0} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D7D9BB61-DA03-4FC6-B066-832C818B40DB} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [5xbss] C:\WINDOWS\system32\5xbss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136528112234
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Unknown owner - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
--
End of file - 9254 bytes
-
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O2 - BHO: (no name) - {6ECD6D88-8C20-49A5-B373-047BA0D2C08C} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {A9E30ABA-AE51-4661-971A-5358F4F789D0} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {D7D9BB61-DA03-4FC6-B066-832C818B40DB} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {E9E38B1E-6999-4BD2-9D1F-E360C8B2D8C3} - c:\windows\system32\browsewmv.dll
O2 - BHO: (no name) - {F718EC91-7BFA-4665-A426-1E11BF399172} - C:\WINDOWS\system32\Audio3Dg.dll
O4 - HKLM\..\Run: [5XBSS] C:\WINDOWS\system32\5xbss.exe
O20 - Winlogon Notify: kaehgyto - C:\WINDOWS\SYSTEM32\browsewmv.dll
Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.
1) Please download the Killbox.
Unzip it to the desktop and run it.
2) Select "Delete on Reboot".
3) Then Click the "All Files" button.
4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
c:\windows\system32\browsewmv.dll
C:\WINDOWS\system32\Audio3Dg.dll
C:\WINDOWS\system32\5xbss.exe
5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.
Post a revised HijackThis LOG and any current observations.
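The "Delete on Reboot" step is needed because the two DLLs are loaded into winlogon.exe and Explorer/IE as soon as the user logs on, so an ordinary delete returns "Access denied". Windows provides a mechanism for exactly this: a request made with MoveFileEx and the MOVEFILE_DELAY_UNTIL_REBOOT flag is queued in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and carried out by the session manager early in the next boot, before any Notify DLL or BHO can be loaded. The following is an added example, not Killbox's code (the thread says nothing about Killbox's internals): it encodes and decodes that registry value format so a responder can see what is queued, and includes a Windows-only helper that queues a delete through the documented API. The three paths are the ones from the fix list above; the registry location and string format are Windows facts, the function names are this example's own.

```python
import sys

# Where Windows keeps the queue (REG_MULTI_SZ of source/destination string pairs;
# an empty destination means delete, a leading "!" on the destination means
# MOVEFILE_REPLACE_EXISTING). Sources are stored in NT form: \??\C:\...
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"

MOVEFILE_REPLACE_EXISTING = 0x1      # documented MoveFileEx flag values
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Sample input: the three files the helper asked to delete in this thread.
FILES_TO_DELETE = [
    r"c:\windows\system32\browsewmv.dll",
    r"C:\WINDOWS\system32\Audio3Dg.dll",
    r"C:\WINDOWS\system32\5xbss.exe",
]


def _nt_path(win_path):
    """Prefix a Win32 path with \\??\\ the way MoveFileEx records it in the registry."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending_ops(ops):
    """Build the REG_MULTI_SZ bytes for (source, destination, replace_existing) triples.
    destination None or "" queues a delete. Each string is NUL-terminated and the
    list ends with an extra NUL, all in UTF-16-LE, as REG_MULTI_SZ requires."""
    strings = []
    for src, dst, replace in ops:
        strings.append(_nt_path(src))
        if dst:
            strings.append(("!" if replace else "") + _nt_path(dst))
        else:
            strings.append("")
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_pending_ops(blob):
    """Parse REG_MULTI_SZ bytes back into (source, destination, replace_existing) triples."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]
    parts = text.split("\0") if text else []
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(parts[::2], parts[1::2]):
        replace = dst.startswith("!")
        ops.append((src, dst[1:] if replace else dst, replace))
    return ops


def pending_deletes(blob):
    """Just the files queued for deletion at next boot (what a responder usually wants)."""
    return [src for src, dst, _ in decode_pending_ops(blob) if dst == ""]


def queue_deletes(paths):
    """Encode a delete-at-reboot request for every path, as the registry would hold it."""
    return encode_pending_ops([(p, None, False) for p in paths])


def queue_delete_on_windows(path):
    """Ask the OS to delete `path` at next boot via MoveFileExW (requires admin; Windows only)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    blob = queue_deletes(FILES_TO_DELETE)
    print(f"{REG_VALUE} would be {len(blob)} bytes; queued deletes:")
    for src in pending_deletes(blob):
        print("  ", src)
```

Reading the value back with `winreg.QueryValueEx` on the key above, and passing the result to `decode_pending_ops`, lists what any tool (Killbox included) has queued before the reboot happens; the decoder also copes with rename entries and the "!" replace marker, which appear when installers use the same mechanism.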