#1
11-08-2005
sumodeluxe (Bronze Member, Join Date: Nov 2005, Posts: 76)
[FIXED] Unknown process?

I have an unknown process. Awhile back I got hit real hard with PSGuard, which in turn gave me the intell32.exe virus which I cannot manage to get rid of indefinitely. It keeps coming back. I've tried so many different programs and even used a bootable Linux disk to delete the file out of my system32 folder manually. But it magically appeared. I just recently found this process: ybkpvmnv.exe. If anyone knows where this is from or what it is doing please help me. If you have ever heard of this PSGuard hijack please give me some insight to see the light at the end of the tunnel. I really don't want to reformat because of a stupid trojan.

Here is the current log.
Attached Files
File Type: txt log.txt (5.7 KB, 2 views)



Last edited by Hengis; 11-08-2005 at 11:35 PM.
#2
11-08-2005
joe5 (Elite Member, Join Date: Jun 2005, Location: Netherlands, Posts: 9,036)

Hi there Sumodeluxe, welcome to PCHF.

Don't worry, formatting is only a last resort for malware problems here at PCHF and not very often used around here.

First let's make sure the PSGuard is gone completely:


>
> Please download CCleaner
>
> http://www.ccleaner.com/ccdownload.asp
>
> Download Smitrem to your desktop
>
> http://noahdfear.geekstogo.com/click...click.php?id=1
>
> Run the installer and then press Start to extract the
> files to the desktop. Do not run it yet.
>
> and download smitfraud.reg
>
> http://www.bleepingcomputer.com/files/reg/smitfraud.reg
>
> Download the trial version of Ewido Security Suite here
>
> http://www.ewido.net/en/download/
>
> Install Ewido.
> During the installation, under "Additional Options"
> uncheck "Install background guard" and "Install scan via
> context menu".
> Launch Ewido.
> On the left side of the main screen click Update.
> Click on Start and let it update.
> DO NOT run a scan yet.
>
> Reboot into safe mode (reboot and keep tapping F8, then
> choose Safe Mode from the list).
>
> Run SmitRem and smitfraud.reg:
>
> Open the SmitRem folder and double click the "RunThis.bat"
> file to start the tool. Follow the prompts on
> screen. Wait for the tool to complete and then
> double click on smitfraud.reg and allow it to merge with the registry.
>
> Next run Ewido:
>
> Under "How to scan" all boxes should be selected.
> Under "Possibly unwanted software" all boxes should be selected.
> Under "What to scan" select "Scan every file".
> Click OK, Complete system scan.
> Let the program scan the machine.
>
> NOTE: We have been finding some cases of false
> positives with the new version of Ewido, so you need to step through
> the fixes one-by-one. If Ewido finds something that you KNOW
> is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere
> and the game "Risk" have been flagged; in particular, watch for alerts
> that have the word "Heuristic" in them - if you recognize the file name
> as "friendly," these may actually be false positives) select "none" as the action.
> DO NOT check "Perform action with all infections." If you are
> unsure of an entry, select "none" for the time being. We will see that
> in the log when you post it later and let you know if Ewido needs to be run again.
>
> Once the scan has completed, there will be a button located on the bottom
> of the screen named Save report.
>
> Click Save report. Save the report to your desktop, exit Ewido.
>
> Note:
>
> If during your scan Ewido "crashes" or "hangs", please try scanning again.
> Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left)
> and choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can
> cause problems in overly infected systems. Click 'OK' and run a new scan.
>
> Then run CCleaner to finish.
>
> Finally reboot back into normal mode.
>
> You will need to reload your wallpaper as the SmitRem
> tool will reset it. You can do this by right clicking the
> desktop and choosing Properties. First check Theme and
> set it to Windows XP, then click the Desktop tab and
> choose the one you want to use and press Apply.
>
> Now please post the Ewido log, the smitrem log (C:\smitfiles.txt) and a
> new HijackThis log.
>


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 11-08-2005 at 11:54 PM.
#3
11-09-2005
sumodeluxe (Bronze Member, Join Date: Nov 2005, Posts: 76)

Here are the logs you requested. I am unable to find my original XP theme. I think that the intell32 virus had something to do with this.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:31 AM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\bsai\ybkpvmnv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Lyle Eboch\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3F56D3FC-B528-1EFB-F468-F44CAD396FC0} - C:\WINDOWS\System32\evjepnrf\ulpkqsiy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ybkpvmnv] C:\WINDOWS\System32\bsai\ybkpvmnv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptxexfucbntphlox - Unknown owner - C:\WINDOWS\System32\bntphlox\ptxexfuc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ybkpvmnvbsai - Unknown owner - C:\WINDOWS\System32\bsai\ybkpvmnv.exe







---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:38:02 AM, 11/9/2005
+ Report-Checksum: AD114C93
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Dhsigned.ocx\\.Owner -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Dhsigned.ocx\\{FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenSaver Manager -> Spyware.LZIO : Cleaned without backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned without backup
HKU\S-1-5-21-3133978997-954458941-3596433440-1005\Software\Mvu -> Spyware.Delfin : Cleaned without backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
C:\Documents and Settings\LocalService\Cookies\system@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned without backup
C:\Documents and Settings\LocalService\Cookies\system@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@counter13.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wfkigpajggp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wflogoc5olq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wfmigmcpcgq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wgkigpazigp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wjnysidzmlp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@e-2dj6wjnyugdpclq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@entrepreneur.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@programs.wegcash[1].txt -> Spyware.Cookie.Wegcash : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@www.pokerroom.net.19780.fb.dbbsrv[2].txt -> Spyware.Cookie.Dbbsrv : Cleaned without backup
C:\Documents and Settings\Lyle Eboch\Cookies\lyle eboch@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6141426A-68D2-49E4-A1DB-96D346\0B67E6FD-EFB8-4E9E-A625-AB8C00 -> Adware.eZula : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6141426A-68D2-49E4-A1DB-96D346\6D0AB09D-C14A-41CA-92E1-777BEE -> Adware.eZula : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6141426A-68D2-49E4-A1DB-96D346\DAFB69E6-F8B0-4C1A-86E6-6800A1 -> Adware.eZula : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\66703AFA-1F80-486B-A64A-D49FBA\A6CA82A7-4442-4D9C-BD82-05E0C4 -> Spyware.FlashEnhancer : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9B465F39-91A2-427C-95A8-06F37B\F172DF9A-4C28-4029-9A25-AFE7BE -> Adware.PSGuard : Cleaned without backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9B465F39-91A2-427C-95A8-06F37B\F597619F-362A-44B1-BD7D-EA10CF -> Adware.PSGuard : Cleaned without backup
C:\WINDOWS\DHP2.dll -> Spyware.DealHelper : Cleaned without backup
C:\WINDOWS\SYSTEM32\yxod.exe -> Spyware.DealHelper : Cleaned without backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned without backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned without backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned without backup

::Report End








smitRem log file
version 2.7
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 11/09/2005
The current time is: 7:35:02.56
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key present!
Running LTDFix/PSGuard.com fix!
checking for PSGuard.com key

PSGuard.com key not present!

ShudderLTD key was successfully removed!

if previously present, PSGuard.com key was successfully removed!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~
logfiles

~~~ Icons in System32 ~~~
ptainfo1
ptainfo2

~~~ Windows directory ~~~
sites.ini

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~
wininet.dll INFECTED!! Starting replacement procedure.

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~

~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~

~~~~ Checking dllcache\wininet.dll for infection ~~~~

~~~~ dllcache\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from dllcache ~~~

~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~

~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~


#4
11-09-2005
joe5 (Elite Member, Join Date: Jun 2005, Location: Netherlands, Posts: 9,036)

Alright, that takes care of the PSGuard infection, now we clean up the rest. :smiley:


Before using HijackThis Please Do the Following:


First uninstall WinPcap in Add and Remove Programs (if present), and PartyPoker if you don't want it.


Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.


Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean.)

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.



Please download CCleaner


Then boot in safe mode (hit F8 when booting up)


Click Start>Run and type in: services.msc
Click OK
In the Services window find:
(one by one)

ptxexfucbntphlox

ybkpvmnvbsai

and:

Remote Packet Capture Protocol v.0

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click Config > Misc Tools > "Delete an NT service"
Copy and paste:
(again, one by one)

ptxexfucbntphlox

rpcapd

and:

ybkpvmnvbsai


Click OK.


Then fix these with hjt:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3F56D3FC-B528-1EFB-F468-F44CAD396FC0} - C:\WINDOWS\System32\evjepnrf\ulpkqsiy.dll
O4 - HKLM\..\Run: [ybkpvmnv] C:\WINDOWS\System32\bsai\ybkpvmnv.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

fix these only if you don't want them:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O23 - Service: ptxexfucbntphlox - Unknown owner - C:\WINDOWS\System32\bntphlox\ptxexfuc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ybkpvmnvbsai - Unknown owner - C:\WINDOWS\System32\bsai\ybkpvmnv.exe
Then delete the files in bold and also delete:

C:\Windows\System32\wuauclt.dll (watch out that you don't delete almost similarly named files)

After that run CCleaner, reboot and post a new HJT log please.


PS, I would also recommend paying Windows Update a visit.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
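The triage the helper did by hand above (O23 services with "Unknown owner", random-looking names one folder below System32, an unnamed BHO, an about:blank start page) can be expressed as a small log checker. This is an added example, not part of the thread and not HijackThis code; the sample log lines are constructed from the entries quoted in this thread, and the heuristics only point a person at entries to examine.

```python
"""Triage a HijackThis v1.99-style log for the entry shapes seen in this thread.

Added example; not part of the forum thread and not HijackThis code. A flag
is a question for the person reading the log, not a verdict.
"""
import re
from typing import Dict, List

# Legitimate components normally sit directly in System32; a lowercase,
# random-looking folder AND file name one level below it (System32\bsai\ybkpvmnv.exe)
# is the pattern the helper singled out in this thread.
RANDOM_SUBDIR = re.compile(r"\\System32\\([a-z]{4,12})\\([a-z]{4,12})\.(?:exe|dll)\b",
                           re.IGNORECASE)
# "O23 - Service: <display name> - <owner> - <image path>"
SERVICE_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Short service name HJT prints in trailing parentheses, e.g. "(NVSvc)".
SHORT_NAME = re.compile(r"\((?P<short>[^()]+)\)\s*$")

# Constructed sample modelled on the thread's first log: the entries the
# helper told the poster to fix, plus three legitimate lines as controls.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {3F56D3FC-B528-1EFB-F468-F44CAD396FC0} - C:\WINDOWS\System32\evjepnrf\ulpkqsiy.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ybkpvmnv] C:\WINDOWS\System32\bsai\ybkpvmnv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptxexfucbntphlox - Unknown owner - C:\WINDOWS\System32\bntphlox\ptxexfuc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ybkpvmnvbsai - Unknown owner - C:\WINDOWS\System32\bsai\ybkpvmnv.exe
"""

# Constructed "after" log: everything fixed except the WinPcap service, which
# the poster said he had not dealt with yet.
SAMPLE_LOG_AFTER = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: {"line": ..., "reasons": [...]}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.startswith("R0 ") and line.endswith("= about:blank"):
            reasons.append("IE start/local page set to about:blank (typical hijack residue)")
        if line.startswith("O2 ") and "(no name)" in line:
            reasons.append("BHO without a name")
        if line.startswith("O9 ") and "(no name)" in line and "(no file)" in line:
            reasons.append("orphaned unnamed IE button")
        m = SERVICE_LINE.match(line)
        if m and m.group("owner") == "Unknown owner":
            reasons.append("service with no publisher")
        if "(file missing)" in line:
            reasons.append("references a file that no longer exists")
        if RANDOM_SUBDIR.search(line):
            reasons.append("random-looking name in a System32 subfolder")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def services_to_review(findings: List[Dict[str, object]]) -> List[str]:
    """Short service names (what services.msc and HJT's 'delete an NT service'
    take) for every flagged O23 entry, in log order."""
    names = []
    for f in findings:
        m = SERVICE_LINE.match(str(f["line"]))
        if not m:
            continue
        display = m.group("display")
        s = SHORT_NAME.search(display)
        names.append(s.group("short") if s else display)
    return names


def remaining_findings(before: str, after: str) -> List[str]:
    """Flagged lines from the first log that still appear in a later log,
    i.e. what the cleanup did not take care of."""
    after_lines = {l.strip() for l in after.splitlines()}
    return [str(f["line"]) for f in triage(before) if f["line"] in after_lines]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(str(f["line"])[:60], "->", "; ".join(f["reasons"]))
    print("services to stop/disable:", services_to_review(found))
    print("still present after cleanup:", remaining_findings(SAMPLE_LOG, SAMPLE_LOG_AFTER))
```

The "(file missing)" rule will also flag harmless leftovers such as the Messenger entries in the poster's log, which is why the output is a review list rather than a fix list.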

#5
11-09-2005
sumodeluxe (Bronze Member, Join Date: Nov 2005, Posts: 76)

OK so I took care of all of it but the remote packet etc.... and the wuauclt.dll: all I found was an exe and a wuauclt1.exe. Here is the HJT log after all that.


Logfile of HijackThis v1.99.1
Scan saved at 11:12:40 AM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Lyle Eboch\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#6
11-09-2005
joe5 (Elite Member, Join Date: Jun 2005, Location: Netherlands, Posts: 9,036)

Looks like you are completely clean. :cool:

Have you been able to select your original XP theme again by now?
And do you still have any problems?

Also you should pay Windows Update a visit to get better protected against things like this.




PS, have a look if you can find these files and if you do then delete them:


%System32\intell32.exe
%System32\oleext.dll
%System32\oleext32.dll
%System32\wppp.html
Windows\uninstIU.exe


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 11-09-2005 at 05:31 AM.
#7
11-09-2005
sumodeluxe (Bronze Member, Join Date: Nov 2005, Posts: 76)

I have done some Windows updating. I really didn't want to have to install SP2 if I didn't have to. I have SP2 on my desktop and it annoys the heck out of me. I still am unable to get my XP theme back. The start bar still looks weird. Thanks for all your help. I have noticed that the pop ups have given up.


