PDA

View Full Version : Help remove spyware



blitzo
2007-03-30, 19:50
I recently became heavily infected by spyware, I cleaned most of it up. I had things like schmidt-c and virtumonde. I thought I got everything but it seems something is still here. I slowly get random IE popups when I am idling at the desktop. I also get popups from ebay or some other search style website with a search for my last input at a different legit search site. I have tried just about everything so I am coming here to ask for help. Everything says I am clean.

blitzo
2007-03-30, 19:55
Logfile of HijackThis v1.99.1
Scan saved at 12:53:59 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\Program Files\Port Explorer\PortExplorer.exe
C:\hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = removed
O17 - HKLM\Software\..\Telephony: DomainName = removed.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = removed.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = removed.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)














I removed my domain from the log

pskelley
2007-03-31, 13:57
Welcome to the forum and thanks for the feedback. HJT is showing nothing and it looks like you ran online scans, but you did not post the results for me? Did you read this information?
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

Popups can be either infections you mentioned, could you describe the frequency and tell me where they direct you to.

Remove any of Smitfraudfix you have onboard and download it new from here:
http://siri.geekstogo.com/SmitfraudFix.php <<< follow ONLY these directions:
Search: Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Return to here: C:\hijack\HijackThis.exe <<< rename HJT.exe, call it blitzo.exe or whatever you wish. Restart the computer and post the C:\rapport.txt from Smitfraudfix, a new HJT log, any information I requested and any comments you think will help.
If you still have the scan results from any online scan, I would like to see it.

Thanks

blitzo
2007-03-31, 20:15
Thanks for the reply, sorry for the lack of info. I did a couple online scans and they only came up with a few cookies. Once they were gone scans came up clean. The cookies seem to be related to the popups I get. If I leave every program closed I get the IE popups 1 every 3 minutes or so. They popup and the address redirects, (they open up with lets says c5.zedo.com/adserv and go to some other ad like www.hollywood.com). If I set IE to work offline I get no more popups. Now upon doing some research it looks like my explorer.exe makes connections to some strange address's on port 80. One of these sites is www.in-t-e-r-n-e-t.com, I have gotten this address to resolve to a few different IP's. They other address is 64-194-221-33.wcg.net.

Posted below are some logs you requested.

blitzo
2007-03-31, 20:16
SmitFraudFix v2.162

Scan done at 13:01:31.31, Sat 03/31/2007
Run from C:\spy\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jk


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jk\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JK\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.72.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F3A359C5-F8EC-4C7C-ADB5-AADA77D534D2}: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.72.65


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

blitzo
2007-03-31, 20:17
Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\TSF\nircmd.exe
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jk\Cookies\jk@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\jk\Cookies\jk@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\spy\SmitfraudFix\SmitfraudFix\Process.exe

blitzo
2007-03-31, 20:18
Logfile of HijackThis v1.99.1
Scan saved at 1:07:20 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = edit
O17 - HKLM\Software\..\Telephony: DomainName = edit
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = edit
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = edit
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

blitzo
2007-03-31, 20:19
Here is a list of ads that popped up while I ran my scans.

http://www.pcsecurityshield.com/webApp/90076.asp?trk=WTK&affid=541
http://www.broadcaster.com/fresh/oj/index.html?bcsrtkr=a85d2&utm_campaign=Traffic&utm_source=Adon&utm_medium=popunder
http://www.maniatv.com/adlive?OTC-Adon&attr=adlive
http://www.3bsoftwarepromo.com/rr/e/20060405CCAREYRR9E/SCAN/index.html
http://www.hollywood.com/?CMP=OTC-gen0307adon
http://laughnetwork.com/d1.php

pskelley
2007-03-31, 20:55
Thanks for returning the information and the feedback, Smitfraudfix is clean and no Vundo infection showed, let's go looking for whatever this is.

1) Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
(please do not fix anything, most if not all will be valid)

2) Follow the directions in this link to download, install and update AVG Anti-Spyware. Make sure you delete or at least quarantine anything located and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

4) You don't have the initial log from ComboFix and SDFix do you? If so, post them.

Restart the computrr and post the log from BlackLight, the scan report from AVG Anti-Spyware, the uninstall list and any comments you think will help.


For your information:
Port 80 information: http://www.google.com/search?hl=en&q=port+80&btnG=Search

http://forums.spywareinfo.com/index.php?showtopic=73125
http://whois.domaintools.com/wcg.net (64-194-221-33.wcg.net.)
http://www.benedelman.org/news/101805-1.html
http://www.google.com/search?hl=en&q=adserv+&btnG=Search
adserv cookie <<< You know you can block these cookies:
http://www.mvps.org/winhelp2002/cookies.htm
and these websites: http://www.rivier.edu/staff/acallahan/webpages/Internet%20Explorer/blockwebsite.htm

blitzo
2007-03-31, 21:40
03/31/07 14:09:57 [Info]: BlackLight Engine 1.0.61 initialized
03/31/07 14:09:57 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/31/07 14:09:57 [Note]: 7019 4
03/31/07 14:09:57 [Note]: 7005 0
03/31/07 14:10:01 [Note]: 7006 0
03/31/07 14:10:01 [Note]: 7011 1564
03/31/07 14:10:02 [Note]: 7026 0
03/31/07 14:10:02 [Note]: 7026 0
03/31/07 14:10:04 [Note]: FSRAW library version 1.7.1021
03/31/07 14:15:09 [Note]: 7007 0

blitzo
2007-03-31, 21:43
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:35:42 PM 3/31/2007

+ Scan result:



C:\Documents and Settings\jk\Cookies\jkrawczyk@aavalue[1].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.20:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\jk\Cookies\jkrawczyk@zedo[1].txt -> TrackingCookie.Zedo : No action taken.


::Report end

blitzo
2007-03-31, 21:45
@icon sushi 1.21
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Agnitum Outpost Firewall 1.0
Atheros Wireless LAN MiniPCI/PCIe card Driver
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
BLM 2.6.5
Blockpost plug-in for Agnitum Outpost Firewall (remove only)
CCleaner (remove only)
ClamWin Free Antivirus 0.88.7
DameWare NT Utilities
DiamondCS Port Explorer v2.150
Driver Magician 2.8
Ethereal 0.99.0
FileAlyzer 1.4
Foxit Reader
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ImgBurn (Remove Only)
Karen's WhoIs
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Virtual PC 2004
Mozilla Firefox (2.0.0.1)
MSConfig CleanUp 1.2
MSXML 4.0 SP2 (KB927978)
Network Stumbler 0.4.0 (remove only)
Panda ActiveScan
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SmartWhois
Spybot - Search & Destroy 1.4
Symantec pcAnywhere
Synaptics Pointing Device Driver
UltraVNC v1.0.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Server 2003 Administration Tools Pack
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.0
winpcap-nmap 3.1

blitzo
2007-03-31, 21:47
I have some old logs from vundofix and sdfix. I also have an original log from avg spyware the first time I ran it when I noticed the infections, its pretty loaded.



VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:24:47 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\lnylrcio.exe
C:\WINDOWS\system32\ptrtoinw.exe
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lnylrcio.exe
C:\WINDOWS\system32\lnylrcio.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ptrtoinw.exe
C:\WINDOWS\system32\ptrtoinw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\stvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:37:09 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:56:30 AM 3/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvts.dll

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 1:56:33 PM 3/29/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 10:38:37 AM 3/30/2007

Listing files found while scanning....

blitzo
2007-03-31, 21:49
SDFix: Version 1.74

Run by Administrator - Thu 03/22/2007 - 11:42:52.59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\spy\SDFix\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardPr

ofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network

Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProf

ile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network

Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------


Checking For Files with Hidden Attributes :

C:\Documents and Settings\jk\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\WINDOWS\system32\ddcya.dll
C:\Program Files\Microsoft Virtual PC\updatedvmm.sys

Finished











SDFix: Version 1.74

Run by Administrator - Wed 03/21/2007 - 22:12:08.17

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\spy\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

"" -e te-110-12-0000271

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\91J3GPEB\ICONS_~1.HTM - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted

Could Not Remove C:\WINDOWS\system32\instcat.dll


ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\vexga3me2.exe"="C:\\WINDOWS\\system32\\vexga3me2.exe:*:Enabled:taskmgr32"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------
C:\WINDOWS\system32\instcat.dll Found

Backups Folder: - C:\spy\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\jk\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\WINDOWS\system32\awvts.dll
C:\Program Files\Microsoft Virtual PC\updatedvmm.sys
C:\WINDOWS\system32\stvwa.tmp

Finished

blitzo
2007-03-31, 21:50
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:01:24 AM 3/22/2007

+ Scan result:



C:\Program Files\Common Files\{3854B583-05BA-1033-0912-060607270001}\Bar888.dll -> Adware.Bar888 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008302.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008318.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008319.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008320.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008233.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008234.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008305.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008334.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008304.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008308.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlls.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008132.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008133.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008134.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008136.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008137.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008138.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008181.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008278.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008279.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008280.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008288.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008336.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008290.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008299.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008303.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008296.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008236.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008297.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008355.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008361.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\spy\SDFix\SDFix\backups\backups.zip/backups/svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008289.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlvknlg.exe -> Proxy.Small.osw : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.145:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.186:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.44:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.45:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.46:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.47:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.381:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.382:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.56:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.57:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.410:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.90:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.91:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.99:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.413:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.414:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.210:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.439:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.52:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.53:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.54:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.55:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.213:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.214:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.236:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.237:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.238:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.246:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.247:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.248:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.249:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.250:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.89:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.269:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.270:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.271:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.289:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.290:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.291:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.294:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.346:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.374:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.327:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.328:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.329:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.330:C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008249.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\hsoawqar.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008277.exe -> Trojan.Crypt.y : Cleaned with backup (quarantined).
C:\WINDOWS\system32\user_32.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP53\A0008360.dll -> Worm.Locksky.aw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\instcat.ddd -> Worm.Locksky.aw : Cleaned with backup (quarantined).
C:\spy\SDFix\SDFix\backups\backups.zip/backups/instcat.dll -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[276] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[748] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).


::Report end

blitzo
2007-03-31, 21:53
If you need anything else let me know. Thanks for the information on the ports and address's, I'm not a big fan of IE, I should have locked it down as much as possible. I am currently blocking the addresses with a software firewall I recently installed.

pskelley
2007-03-31, 23:01
Here is what I see:
BlackLight is clean, no rootkit unless it is super hidden.

AVG Anti-Spyware - Scan Report
+ Created at: 2:35:42 PM 3/31/2007
all items: No action taken.
Some cookies look like the ones you are having trouble with.

Uninstall list. I am looking for security issues or malware, it is a good chance for you to look for stuff you no longer use.

ClamWin Free Antivirus 0.88.7 <<< you are using AVG Free (please make sure it is version 7.5) and don't confuse it with the AVG Anti-Spyware 7.5, to different programs doing two different job.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
I suggest you uninstall that program

I am not sure what you use this for:
http://www.liutilities.com/products/wintaskspro/processlibrary/awhost32/
but if these are not part of that, you may want to uninstall those also.
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)

Mozilla Firefox (2.0.0.1) <<< Firefox is out of date, if you are going to use it, you must keep it updated, just like IE.

Panda ActiveScan <<<I suggest you uninstall that program.

VundoFix V6.3.17Checking Java version...
Sun Java not detected
Scan started at 10:24:47 AM 3/22/2007
As far as I can see all Vundo was removed.
Delete that program if you still have it on the decktop and all files.

SDFix: Version 1.74
Run by Administrator - Thu 03/22/2007 - 11:42:52.59
Seems it remove junk also, you had a very bad infection. I may have suggested a reformat for this had I looked at it in the beginning. Hard to feel secure once backdoor trojans have been onboard.
Delete that program from your computer.

AVG Anti-Spyware - Scan Report
Created at: 12:01:24 AM 3/22/2007

You System Restore files are corrupted, if you have not dones so, follow these instructions to clean them:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Turn it off, reboot then turn it back on.

You also have a load of junk quarantined in this program, follow these instructions:
Clean the quarantine folder
You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops asking "Are you sure you want to remove the selected files...??"
-Select: Yes

Once you get to here, post a new HJT log and let me know how things are running.

Thanks

blitzo
2007-03-31, 23:38
I now use AVG free for virus scans, clamwin is mostly an on demand scanner. I removed it anyways.

awhost32.exe is a part of pcanywhere I really don't use that part of the program.

Updated mozilla
removed sdfix and vundo fix
fixed restore files


popups are still here


hijack log

Logfile of HijackThis v1.99.1
Scan saved at 4:39:05 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

pskelley
2007-03-31, 23:45
popups are still here
Thanks for the feedback, I have no idea where the popups are coming from. I'll give it some thought overnight and maybe have suggestions in the am. If you come up with any thoughts, post them. You are the one sitting in front of the computer.

Thanks

blitzo
2007-03-31, 23:48
Thanks I will continue searching for more information, I will keep the thread updated. Hopefully I can find something.

blitzo
2007-04-01, 00:52
I have been searching for similar problems, It seems everyone who has the same problem has vundo and hijack picks it up. Maybe I got a special case or we are overlooking things. I have been doing some research and I have something running on explorer.exe on port 1137. When I get popups ports in the range of 1890-1950 open up and connect to ad servers on port 80.

pskelley
2007-04-01, 02:37
Thanks for that feedback, we must work together if we want to be successful. I volunteer my time but I start early in the AM, and after many logs and many hours I am usually worthless in the early afternoon. At issue is the fact that much had been done and many tools run before I ever got a look at a log. These multinfections need to be removed in a certain order, if not bits and pieces are left behind by the tools and it can be near to impossible to clean it all. This situation if I might, is kind of like one mechanic tore a car all apart and then asked another one to put it back together again and have it working like new. Having looked over the logs at the amount of infection that was on this computer, I would have suggested it be reformated, unfortunately I did not see the computer before you started running fixes. If you have completed all instructions, look back over the them to be sure, then I would like to start like this.

1) Remove any of Vundo fix you have on the computer and follow these instructions:
Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Thanks

blitzo
2007-04-01, 06:44
I ran vundofix and I am still coming up with nothing. Do you need me to upload anything?

VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 11:35:53 PM 3/31/2007

Listing files found while scanning....

No infected files were found.










Logfile of HijackThis v1.99.1
Scan saved at 11:45:16 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

pskelley
2007-04-01, 15:10
Thanks for returning this information, If you would like to be heard about these hackers who have invaded your personal space, you can do that here:
http://www.malwarecomplaints.info/

I note that you do not appear to be running Sun Java, originally you said this:

I had things like schmidt-c and virtumonde <<< did you have issues removing Vundo at that time without Java?

If this Vundofix report is correct without SunJava running, and we checked for Smitfraud...none was present and also scanned for a possible Rootkit with BlackLight that showed nothing (we made need a deeper scan to be sure) We seem to have ruled out the two items you mentioned to start. Do you remember anything about symptoms from the original infection that might point us in a direction?
C:\WINDOWS\system32\awvts.dll <<< with all files and folder enabled, do a search for that file. I can't seem to see where it was deleted by Vundofix? Let me know about this.
C:\WINDOWS\system32\ddcya.dll <<< I am not sure if SDFix was run after Vundo, but search for that file also. Make sure all files and folder are enabled or you will not find them even if they are there:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Question: Have you run Combofix? If not, do not search for it and run it. We may later, it is a multipurpose tool that may help us.

C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe <<< I am interested in what your firewall is telling you. I use ZoneAlarm Free and no program can access the internet without either approval or prior approval from me. Does your firewall not block internet access from programs you have not allowed access?

What I would appreciate would be if you will do this:

1) Update the program and run AVG Anti-Spyware, delete or quarantine anything it finds and post the scan report.

2)Thanks to miekiemoes for the canned:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Restart, post those two report, any information I requested and any comments you think will help.

Thanks

blitzo
2007-04-01, 21:39
To answer some of your questions, I did not really have trouble getting rid of the spyware. I did some research grabbed some tools and went to work. Those 2 files you mention, (awvts.dll ddcya.dll) I had to manually remove those in recovery console along with a third file. As for combofix I believe I ran it but it did not come up with anything, I ran this towards the end of my progress.

I installed a firewall after I fixed my machine. It is outpost, I have everything locked up now. I have logs and I will provide some samples to you.

EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1141
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1140
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1139
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1138
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1137
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1136
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1133
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1132
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1131
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1130
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1129
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1128
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1125
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1124
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1123
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1122
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1121
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1120
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1117
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1116
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1115
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1114
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1113
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1112
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1111
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP KPOP
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1108
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1107
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1106
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1105
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1104
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1103
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1102




It start my computer and explorer.exe wants to make connections like those to those same addresses. Those ports are local and it wants to connect on port 80 of the remote address's. If I let it make the connections, you can see it forwards it to some kind of adserver, then I get my popups.

I ran avg spyware and came up clean, Dr. web cureit came up with some interesting things.

blitzo
2007-04-01, 21:40
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:37:10 PM 4/1/2007

+ Scan result:



Nothing found.



::Report end











backup-20070322-115430-895.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
backup-20070322-115501-651.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
backup-20070322-120027-284.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Deleted.;
A0000097.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.Prockill;Deleted.;
A0000117.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.Prockill;Deleted.;
A0000119.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.ShutDown.11;Deleted.;
A0000227.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
A0000228.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
A0000229.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

pskelley
2007-04-01, 21:51
Thanks for the feedback, keep in mind that I have no knowledge of the firewall you are running so the log you provided means nothing to me. Perhaps you should discuss the log with technical support at Outpost?

AVG Anti-Spyware - Scan Report Created at: 1:37:10 PM 4/1/2007

C:\hijack\backups <<< this is probably HJT backups which can not get back on the computer unless you restore them. I would clean the backups after a few days.

C:\System Volume Information\_restore <<< System restore, you have not done so, these instructions will purge those files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Oops sorry, looks like the bottom report was DrWeb, same thing applies.

Thanks

blitzo
2007-04-01, 22:05
I just wanted to share the firewall log with you, I understand the log so if you need something more specific let me know. what I posted are blocked outgoing connections from explorer.exe, thats where my popups are coming from, something is opening those local ports and trying to contact those remote address's.


I reset system restore again. Do you have anything else to try?

pskelley
2007-04-01, 23:02
There is no way to look at the logs from the firewall to tell what program is orginating internet access?

You may be able to locate freeware that will help you track where these are orginating on your computer.
http://www.google.com/search?hl=en&q=freeware+to+track+outgoing+internet+activity&btnG=Search

Here is another freeware rootkit tool you can try.
Click here to download AVG Anti Rootkit and save it to your desktop.
http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.


You can also give this tool a try to see if it shows anything
http://www.emsisoft.com/en/software/free/

Thanks

blitzo
2007-04-02, 00:42
the program originating the internet access is explorer.exe there is something attached to explorer that is opening the port.

AVG rootkit came up with nothing.

a-squared came up with this


C:\WINDOWS\voiceip.dll detected: Trace.File.2ndThought
C:\Documents and Settings\jk\Cookies\jk@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt:44 detected: Trace.TrackingCookie
C:\spy\SDFix.zip/SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\system32\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

blitzo
2007-04-02, 01:27
I GOT IT!!!!


I was browsing through my files and doing research and I seen something that didn't look right. I am not sure what it is but it was causing explorer.exe to open the ports. It was a file named core.sys and a file core.cache.dsk I removed them and everything is fine now. I did make backups copies of these files before I deleted them. I am sure you can take a copy of them or tell me what to do so we can prevent this happening to other users. Thank You!!

blitzo
2007-04-02, 01:28
forgot to add these files where inside \system32\drivers

pskelley
2007-04-02, 02:39
In case I did not post them, here are links you can save if you need to scan a file to find out what it is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\voiceip.dll detected: Trace.File.2ndThought <<< I suggest you scan the file in red and delete it if it is bad.

two cookies: http://www.mvps.org/winhelp2002/cookies.htm

C:\spy\SDFix.zip/SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\system32\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
Left from SDFix and Smitfraud, delete the folder in red.

That's great, we had some really long scans coming up with little hope of finding anything.

core.sys: http://www.google.com/search?hl=en&q=core.sys+&btnG=Search
core.cache.dsk: http://www.google.com/search?hl=en&q=core.cache.dsk+&btnG=Search

Experts would love to get hold of those files to see what they are, please follow the instruction here:
http://www.bleepingcomputer.com/submit-malware.php you can mention my name: Phil Skelley
and link them here: http://forums.spybot.info/member.php?u=233 I would appreciate it if possible, that you retain those until we hear from BleepingComputer in case Grinler needs those attached or sent elsewhere.

I would remove all tools we downloaded during the fix, if we did not use ATF-Cleaner, you might like that nice small tool:
http://forums.security-central.us/showthread.php?t=1925

If we recently cleaned the System Restore files, then cleaning them again is optional:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

blitzo
2007-04-02, 04:25
I finished cleaning up my computer. I also sent those files off to bleepingcomputer. I gave them some details and asked to be kept informed.:bigthumb:

tashi
2007-04-07, 22:05
Glad we could help, :) this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.