Please help me with my infections



BenBinary
2007-05-03, 10:36
Hello,
I have clicked on 1 bad link and now my computer is being molested by spyware... This is the first time in 10 years! And man, it's bad.

I have followed the instructions and here is my HijackThis log from Safe Mode.
Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:08 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\fccccdb.dll (file missing)
O2 - BHO: (no name) - {F0F2F87A-B9BF-477C-B83A-38E30243CDBA} - C:\Program Files\WindowsUpdate\hoke.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fccccdb - fccccdb.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe

I have done the online virus scan before all this on ca.com and couldn't save the log file, but I did clean what I could.

pskelley
2007-05-04, 15:44
Welcome to the forum. You are saying you read and followed these directions:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.

I may need to see the online scan results, since you posted none, nor any information about what it found and removed. HJT cannot see everything; that is the reason for seeing the scan result, to make us aware of hidden infections.

The instructions say nothing about posting your HJT log in Safe Mode. I have no idea what is not running that may be malware, so let's proceed like this:

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\fccccdb.dll (file missing)
O2 - BHO: (no name) - {F0F2F87A-B9BF-477C-B83A-38E30243CDBA} - C:\Program Files\WindowsUpdate\hoke.dll (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: fccccdb - fccccdb.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log run in Normal Mode and describe any malware issue.

Thanks

BenBinary
2007-05-06, 09:14
Thank you for your help, sorry about the Safe Mode mistake.

I followed your instructions and here is the HJT log in Normal Mode.


Logfile of HijackThis v1.99.1
Scan saved at 11:02:45 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\xpoint\agent\Xpagent.exe
C:\PROGRA~1\xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\xpoint\SAS\jre\bin\javaw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\NOTEDAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\ICROSO~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe


I get internet popups and interrupted typing.


Thanks again for your help.
Cheers
Ben

pskelley
2007-05-06, 14:31
Thanks for returning your information and the feedback. You have a nasty infection that I have not dealt with before so we will be learning together.

http://vil.nai.com/vil/content/v_132935.htm
http://www.castlecops.com/startuplist-14222.html

You also have this infection: http://www.castlecops.com/startuplist-12836.html
http://www.fileresearchcenter.com/I/IPWINS.EXE-7650.html

I see Kaspersky in your services (Kaspersky Anti-Virus 6.0), but I do not see it running anywhere in the HJT log. Do you have it working/running? Check to make sure it is functioning properly.

I suggest you keep this computer offline as much as possible and, though I can find no information about it, I would be concerned about other passwords also.

Open Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN, OuterInfo IPWins, Yazzle or any other program you know should not be there.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks

BenBinary
2007-05-06, 22:32
Open Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN, OuterInfo IPWins, Yazzle or any other program you know should not be there.

OpenInfo won't remove from System... It tries to download an uninstaller!

What should I do?

I will continue with your instructions.

Thanks to pskelley + sUBs and anyone else who helped with this fix.

BenBinary
2007-05-06, 23:00
OK

I removed Imap and then OpenInfo let me uninstall it!

So I followed your instructions and here is the ComboFix log.

Then the HJT Log.


ComboFix ------------------------------------------------>

"Ben" - 07-05-06 12:41:34 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Ben\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\notedad.exe
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Ben
C:\qoobox\purity\C\DOCUME~1\Ben\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Ben\APPLIC~1\ECURIT~1
C:\qoobox\purity\C\DOCUME~1\Ben\APPLIC~1\SSEMBL~1
C:\qoobox\purity\C\Program Files\ICROSO~1
C:\qoobox\purity\C\Program Files\RACLE~1
C:\qoobox\purity\C\WINDOWS\CROSOF~1
C:\qoobox\purity\C\WINDOWS\CROSOF~1\bak


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\core
-------\LEGACY_CORE


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-02 17:39 6,144 --a------ C:\WINDOWS\system32\perfc000.dat
2007-05-02 01:39 25,281 --a------ C:\WINDOWS\system32\winupd_KB92380205.exe
2007-04-30 18:24 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-04-30 01:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-04-29 16:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-29 15:21 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-04-29 15:21 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-04-29 15:20 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-04-29 15:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-29 15:19 6,232,608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-29 15:19 42,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-04-29 15:19 <DIR> d-------- C:\kav
2007-04-29 14:44 353 ---hs---- C:\WINDOWS\system32\twvwa.ini2
2007-04-29 14:43 2 --a------ C:\WINDOWS\system32\wnstsisv.exe
2007-04-29 01:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-29 01:13 <DIR> d-------- C:\DOCUME~1\Ben\APPLIC~1\Lavasoft
2007-04-28 20:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-28 15:55 <DIR> d-------- C:\Program Files\CyberDefender
2007-04-28 14:35 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-28 14:03 <DIR> d-------- C:\WINDOWS\bak
2007-04-28 12:59 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-28 12:59 <DIR> d-------- C:\WINDOWS\system32\smpi1
2007-04-28 12:59 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-04-28 12:59 <DIR> d-------- C:\Temp\tn3
2007-04-28 12:59 <DIR> d-------- C:\Temp\17O7
2007-04-28 12:59 <DIR> d-------- C:\Temp
2007-04-13 22:26 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-04-06 00:45 86,016 --a------ C:\WINDOWS\system32\MA_CMIDN.DLL
2007-04-06 00:45 82,944 --a------ C:\WINDOWS\system32\usbmn1x1.dll
2007-04-06 00:45 24,128 --a------ C:\WINDOWS\system32\drivers\USBMM1X1.SYS
2007-04-06 00:45 22,208 --a------ C:\WINDOWS\system32\drivers\usbmn1x1.sys
2007-04-06 00:45 21,888 --a------ C:\WINDOWS\system32\drivers\MA_CMIDI.SYS
2007-04-06 00:45 17,920 --a------ C:\WINDOWS\system32\USBMM1X1.DLL
2007-04-06 00:45 17,920 --a------ C:\WINDOWS\system32\MA_CMIDI.DLL
2007-04-06 00:45 13,504 --a------ C:\WINDOWS\system32\drivers\usb11ldr.sys
2007-04-06 00:45 <DIR> d-------- C:\Program Files\M-Audio
2007-04-06 00:39 <DIR> d-------- C:\Program Files\Nord modular editor v3.03


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-06 12:35 -------- d-------- C:\Program Files\imapsize
2007-05-03 01:41 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-05-03 01:41 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-05-01 02:11 -------- d-------- C:\DOCUME~1\Ben\APPLIC~1\openoffice.org2
2007-04-29 16:12 -------- d--h----- C:\Program Files\windowsupdate
2007-04-28 14:03 -------- d-------- C:\Program Files\quicktime
2007-04-28 14:03 -------- d-------- C:\Program Files\itunes
2007-04-13 22:26 -------- d-------- C:\Program Files\vstplugins
2007-04-06 00:45 -------- d--h----- C:\Program Files\installshield installation information
2007-04-03 01:06 -------- d-------- C:\Program Files\filezilla
2007-04-01 15:11 -------- d-------- C:\Program Files\mediafour
2007-03-28 15:17 -------- d-------- C:\Program Files\ipod
2007-03-28 14:28 -------- d-------- C:\Program Files\dvd decrypter
2007-03-21 14:27 -------- d-------- C:\DOCUME~1\Ben\APPLIC~1\u3
2007-03-09 19:52 200768 --a------ C:\WINDOWS\system32\klogon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"ATIModeChange"="Ati2mdxx.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"TP4EX"="tp4ex.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"UC_SMB"=""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="\"C:\\Program Files\\Mediafour\\MacDrive 7\\MacDrive.exe\""
"MDGetStarted.exe"="\"C:\\Program Files\\Mediafour\\MacDrive 7\\MDGetStarted.exe\" /auto"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uahe"="\"C:\\PROGRA~1\\ICROSO~1\\cmd.exe\" -vt yazb"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Windows Media Player\profsyvy.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA2CFBDE-0F94-491B-9286-00C60C553954}"=""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BMMLREF"
"hkey"="HKLM"
"command"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EzEjMnAp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibmmessages"
"hkey"="HKLM"
"command"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QCWLICON"
"hkey"="HKLM"
"command"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TpKmapMn"
"hkey"="HKLM"
"command"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UnoInstallerService"=dword:00000002
"Ati HotKey Poller"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 12:46:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-06 12:46:25
C:\ComboFix-quarantined-files.txt ... 07-05-06 12:46



HJT log --------------------------------------------->


Logfile of HijackThis v1.99.1
Scan saved at 12:48:48 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\xpoint\agent\Xpagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\xpoint\SAS\jre\bin\javaw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\ICROSO~1\cmd.exe" -vt yazb
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe



Again, Thanks for your help,
I hope this is all correct.
Cheers
Ben

pskelley
2007-05-06, 23:38
Thanks for returning the information and your feedback, please follow these instructions:

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\ICROSO~1\cmd.exe" -vt yazb

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\PROGRAM FILES~1\ICROSO~1\ <<< delete that folder (may be gone, just do not miss it)

5) This was a nasty infection; I would like to run another scan to make sure nothing is hiding. Follow the instructions in this link to download, install, update and run AVG Anti-Spyware. Make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post the scan report from AVG Anti-Spyware, the uninstall list and a new HJT log. Please tell me how the computer is running now.

Thanks
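
Added example, not code from the thread or from HijackThis: a small Python triage script for the kind of HJT log posted above. It applies the two checks pskelley worked through by hand, flagging autostart entries marked "(file missing)" (the O2/O20 fccccdb entries from the first fix list) and 8.3 folder names that are a real folder name with its start cut off (the ICROSO~1 folder in step 4 and the folders ComboFix quarantined under "Purity"), and lists the autostarts that appeared between the Safe Mode and Normal Mode logs. The sample lines are copied from the thread's logs; the KNOWN_FOLDERS list and the unbalanced-quote heuristic for the Kaspersky O23 line are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: lines copied from the two HJT logs posted in this thread
# (the 2007-05-03 Safe Mode log, then the 2007-05-05 Normal Mode log).
SAFE_MODE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\fccccdb.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - Winlogon Notify: fccccdb - fccccdb.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""
NORMAL_MODE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\ICROSO~1\cmd.exe" -vt yazb
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")
SHORTNAME_RE = re.compile(r"^([A-Za-z0-9]{3,6})~\d$")
MISSING = "(file missing)"

# Folder names the Purity adware family imitates by dropping leading characters:
# the ComboFix log in this thread quarantined ICROSO~1, RACLE~1, CROSOF~1,
# ECURIT~1 and SSEMBL~1. The list itself is an assumption of this example.
KNOWN_FOLDERS = ("MICROSOFT", "ORACLE", "SECURITY", "ASSEMBLY",
                 "PROGRAM FILES", "COMMON FILES")


@dataclass(frozen=True)
class Entry:
    section: str   # O2, O4, O20, O23 ...
    location: str  # BHO, HKLM\..\Run, Winlogon Notify, Service ...
    name: str      # value name, BHO name or service name
    target: str    # file or command the entry loads


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O-lines of an HJT log; line shapes not recognised are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            m4 = O4_RE.match(rest)
            if m4:
                entries.append(Entry(section, *m4.groups()))
            continue
        # "Kind: name - ... - target": the target is always the last " - " field.
        kind, _, body = rest.partition(": ")
        head, _, target = body.rpartition(" - ")
        if target:
            entries.append(Entry(section, kind, head.split(" - ", 1)[0], target))
    return entries


def lookalike_dirs(path: str) -> List[str]:
    """8.3 components that are a known folder name with its start cut off:
    Microsoft shortens to MICROS~1, so ICROSO~1 is not a Microsoft folder."""
    hits = []
    for comp in path.replace('"', "").split("\\"):
        m = SHORTNAME_RE.match(comp)
        if m:
            stem = m.group(1).upper()
            if any(stem in f and not f.startswith(stem) for f in KNOWN_FOLDERS):
                hits.append(comp)
    return hits


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for every entry worth a second look."""
    findings = []
    for e in entries:
        if MISSING in e.target:
            reason = "autostart references a file that is not on disk"
            if e.target.count('"') % 2 == 1:
                # An unbalanced quote means HJT split a quoted path in the wrong
                # place and checked a path that never existed: confirm by hand.
                reason += " (unbalanced quote, likely an HJT parsing artefact)"
            findings.append((e.section, e.name, reason))
        for comp in lookalike_dirs(e.target):
            findings.append((e.section, e.name, f"look-alike short folder name {comp}"))
    return findings


def new_autostarts(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present only in the later log (new since the earlier scan)."""
    seen = set(before)
    return [e for e in after if e not in seen]
```

Run `triage(parse_hjt(log))` on each log and `new_autostarts(parse_hjt(earlier), parse_hjt(later))` on the pair; the flags are leads to verify by hand, not a verdict.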

BenBinary
2007-05-07, 08:06
Hi there,
Man, this is killing me. AVG froze at the end of the scans,
OuterInfo returned and my computer is being raped by this virus.

HJT closed when I tried to save the uninstaller list, so I will post the HJT log and the AVG list, then reboot and try to get the HJT uninstall list.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:58 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\xpoint\agent\Xpagent.exe
C:\PROGRA~1\xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\xpoint\SAS\jre\bin\javaw.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ivdywtfj.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [rmkq] C:\PROGRA~1\COMMON~1\rmkq\rmkqm.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:45:35 PM 5/6/2007

+ Scan result:



C:\Documents and Settings\Ben\Local Settings\Temp\cmdinst.exe -> Adware.CommAd : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\07S5MLAP\installer[1].exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048498.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048500.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048493.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048496.exe -> Adware.PurityScan : Cleaned.
C:\WINDOWS\b136.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048545.dll -> Adware.TargetServer : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\QHWNS3OB\is66953[1].exe -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048489.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048491.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048499.dll -> Adware.Virtumonde : Cleaned.
C:\Program Files\webHancer -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs\license.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs\readme.txt -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs\sporder.dll -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs\whAgent.ini -> Adware.Webhancer : Cleaned.
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.Webhancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048478.exe -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048479.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048480.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048529.dll -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048557.exe -> Adware.WebHancer : Cleaned.
C:\WINDOWS\b129.exe -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj\CurVer -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned.
HKLM\SOFTWARE\webhancer\ESO -> Adware.WebHancer : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048539.exe -> Downloader.Age : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temp\YazzleBundle-1281.exe -> Downloader.PurityScan.eg : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\07S5MLAP\YazzleBundle-1281[1].exe -> Downloader.PurityScan.eg : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\07S5MLAP\po[1].exe -> Downloader.PurityScan.eg : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048538.exe -> Downloader.PurityScan.eg : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048536.exe -> Downloader.PurityScan.eh : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048537.exe -> Downloader.PurityScan.eh : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048544.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048535.exe -> Downloader.TSUpdate.f : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048533.exe -> Downloader.TSUpdate.l : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048543.exe -> Downloader.TSUpdate.o : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048534.exe -> Downloader.TSUpdate.r : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\07S5MLAP\2_z[1].htm -> Dropper.Small.j : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\IHQD8DWN\0_z[1].htm -> Dropper.Small.j : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\IHQD8DWN\1_z[1].htm -> Dropper.Small.j : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\IHQD8DWN\cxcxyeiwe[1].htm -> Dropper.Small.j : Cleaned.
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@nba.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048540.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048541.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048542.vbs -> Trojan.Small : Cleaned.


::Report end




Thanks for your help.

This took me hours to complete, and I had to reboot several times because of crashes... I think I have made mistakes, so if these logs show inconsistencies,
I should maybe start a new to-do list.

Cheers
Ben
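
The AVG Anti-Spyware report above has a regular line format (`<item> -> <detection> : <action>.`), so the question a helper asks when reading it, where did the hits sit, can be answered mechanically. The following is an added example, not code from the thread or from AVG; its input is a constructed subset of the report lines quoted above, and the location categories and the family split on the first dot of the detection name are assumptions made for illustration.

```python
"""Parse an AVG Anti-Spyware scan report and summarize where detections sat.

Added example for this thread; not AVG's code. Location categories are
assumptions based on the paths that appear in the quoted report.
"""
import re
from collections import Counter

# Constructed sample input: a subset of the report lines quoted in this thread.
SAMPLE_AVG_REPORT = r"""
C:\Documents and Settings\Ben\Local Settings\Temp\cmdinst.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048498.dll -> Adware.CommAd : Cleaned.
C:\WINDOWS\b136.exe -> Adware.Softomate : Cleaned.
C:\Program Files\webHancer\Programs\whAgent.ini -> Adware.Webhancer : Cleaned.
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned.
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\07S5MLAP\YazzleBundle-1281[1].exe -> Downloader.PurityScan.eg : Cleaned.
C:\Documents and Settings\Ben\Cookies\ben@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP139\A0048540.vbs -> Trojan.Small : Cleaned.
::Report end
"""

# One report line: "<item> -> <detection> : <action>."
LINE_RE = re.compile(r"^(?P<item>.+?) -> (?P<detection>[^:]+?) : (?P<action>\w+)\.$")


def classify_location(item):
    """Bucket a file path or registry key by where it lives (assumed categories)."""
    low = item.lower()
    if low.startswith(("hklm\\", "hkcu\\", "hkey_")):
        return "registry"
    if "\\system volume information\\_restore" in low:
        return "restore point"          # System Restore copies of the dropped files
    if "\\temporary internet files\\" in low:
        return "ie cache"               # what the browser fetched from the bad link
    if "\\local settings\\temp\\" in low:
        return "temp"                   # installers staged by the downloaders
    if "\\cookies\\" in low:
        return "cookie"
    if low.startswith("c:\\windows\\"):
        return "windows dir"
    if low.startswith("c:\\program files\\"):
        return "program files"
    return "other"


def parse_report(text):
    """Return one dict per detection line; headers and '::Report end' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["family"] = entry["detection"].split(".")[0]   # Adware, Downloader, Trojan, ...
        entry["location"] = classify_location(entry["item"])
        entries.append(entry)
    return entries


def summarize(entries):
    """Counts by location and family, plus the detections that sit in restore points."""
    return {
        "by_location": Counter(e["location"] for e in entries),
        "by_family": Counter(e["family"] for e in entries),
        "restore_point_detections": sorted({e["detection"] for e in entries
                                            if e["location"] == "restore point"}),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_AVG_REPORT))
    for location, n in summary["by_location"].most_common():
        print(f"{n:3}  {location}")
    print("in restore points:", ", ".join(summary["restore_point_detections"]))
```

Run against the full report the same way, the restore-point bucket dominates: every family that was dropped on the live system also has a copy under RP139, which is the concrete reason behind the warning further down not to touch System Restore until those copies are dealt with.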

pskelley
2007-05-07, 14:02
Ben...you have a new infection that was NOT in your log before. You must keep this computer offline until we get it clean, the junk reaches out to the internet and downloads stuff while you are online!!!
The NEW junk:
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

This junk is never as easy to get off as it was to get on, and if you are going to add more as we work, we don't have a chance.

Follow these instructions carefully:

1) Your System Restore files are corrupted, DO NOT use System Restore for any reason until we clean them later.

2) C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe <<< return here and rename HJT.exe, call it BenBinary.exe or whatever you wish.

3) Follow the directions in this link to uninstall that webhancer junk:
http://webhancer.com/support/index.asp?s=30
This is what you need: http://webhancer.com/support/index.asp?s=34

4) I still do not have the uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

5) Be sure all files and folders are enabled

6) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ivdywtfj.dll",realset
O4 - HKCU\..\Run: [rmkq] C:\PROGRA~1\COMMON~1\rmkq\rmkqm.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\webHancer\ <<< delete that folder

C:\WINDOWS\system32\ivdywtfj.dll <<< delete that file

C:\PROGRAM FILES~1\COMMON FILES~1\rmkq\ <<< delete that folder

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the uninstall list and a new HJT log.

Thanks
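
The reading pskelley does by eye on the HJT lines in step 7 (an orphaned "(file missing)" reference, rundll32 loading an oddly named DLL out of system32, a randomly named folder under Common Files, a name the AVG report already tied to adware) can be written down as a ranking pass over the log. The following is an added example, not code from the thread or from HijackThis; its input is a constructed subset of the log lines quoted in this thread. The adware token list (taken from the AVG report's detection names), the 20% vowel threshold for "random-looking" names and the score weights are assumptions chosen for illustration.

```python
"""Rank HijackThis O2/O4/O23 lines for human review.

Added example for this thread; not HijackThis code. Thresholds, weights
and the adware token list are assumptions based on what this thread shows.
"""
import re

# Constructed sample input: lines copied from the HJT logs quoted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\fccccdb.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ivdywtfj.dll",realset
O4 - HKCU\..\Run: [rmkq] C:\PROGRA~1\COMMON~1\rmkq\rmkqm.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
"""

# Names the AVG report in this thread labelled as adware (assumed as path tokens).
KNOWN_ADWARE_TOKENS = ("webhancer", "purityscan", "yazzle", "commad", "virtumonde")
VOWELS = set("aeiou")
# A Windows file path up to its extension; tolerates spaces and 8.3 short names.
FILE_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")


def parse_hjt_line(line):
    """Return (section, label, owner, command) or None for sections not handled."""
    line = line.strip()
    if line.startswith("O4 - "):
        m = O4_RE.match(line)
        return ("O4", f"{m.group(1)} [{m.group(2)}]", None, m.group(3)) if m else None
    parts = line.split(" - ")
    if line.startswith("O2 - ") and len(parts) >= 4:      # O2 - BHO: name - {CLSID} - path
        return ("O2", parts[1], None, " - ".join(parts[3:]))
    if line.startswith("O23 - ") and len(parts) >= 4:     # O23 - Service: name - owner - path
        return ("O23", parts[1], parts[2], " - ".join(parts[3:]))
    return None


def looks_random(name):
    """Alphabetic name of 5+ letters with under 20% vowels, e.g. 'ivdywtfj'.
    Assumed threshold; all-consonant acronyms will false-positive on purpose."""
    if len(name) < 5 or not name.isalpha():
        return False
    return sum(c in VOWELS for c in name.lower()) / len(name) < 0.2


def component_stems(command):
    """Directory names and file-name stems of every path found in a command string."""
    stems = []
    for path in FILE_RE.findall(command):
        for comp in path.split("\\")[1:]:
            stems.append(comp.rsplit(".", 1)[0] if "." in comp else comp)
    return stems


def triage_line(line):
    """Score one HJT line; weights are assumptions, higher means look first."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    section, label, owner, command = parsed
    low, reasons, score = command.lower(), [], 0
    if "(file missing)" in low:
        reasons.append("orphaned reference, file missing"); score += 1
    if "rundll32" in low and ".dll" in low:
        reasons.append("rundll32 loading a DLL export"); score += 2
    for tok in KNOWN_ADWARE_TOKENS:
        if tok in low:
            reasons.append(f"known adware name: {tok}"); score += 3
    odd = sorted({s for s in component_stems(command) if looks_random(s)})
    if odd:
        reasons.append("random-looking name(s): " + ", ".join(odd)); score += 3
    if owner and owner.lower() == "unknown owner":
        reasons.append("service has no vendor string (weak signal)"); score += 1
    return {"section": section, "label": label, "command": command, "score": score,
            "reasons": reasons, "verdict": "review" if score >= 3 else "ok"}


def triage(log_text):
    """All handled lines, highest score first."""
    results = [r for r in map(triage_line, log_text.splitlines()) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_HJT_LOG):
        print(f"{r['verdict']:6} score={r['score']} {r['section']} {r['label']}")
        for why in r["reasons"]:
            print("        -", why)
```

On the sample, the three lines pskelley put in step 7 and the orphaned BHO come out on top, Kaspersky and the iPod service score zero, and QCONSVC is also surfaced because a consonant-only name scores the same as ivdywtfj. pskelley left QCONSVC alone, which is the point: a pass like this orders lines for a person to check, it does not decide what to fix.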

BenBinary
2007-05-13, 09:11
I only have this computer, so I had to format my HD and reinstall XP
and all my apps.

Thanks for your help.
Much appreciated !!!

Cheers
Ben

pskelley
2007-05-13, 14:08
I appreciate your letting us know. This member decided to reformat because of the infections, and this topic is closed.

Thanks