Amaena and cohorts infestation (popups, etc.)



yoshm
2007-05-21, 09:44
I have a computer that has constant popups advertising fake anti-spyware and anti-virus software. The common denominator appears to be www.amaena.com. I have run Spybot-S&D, Spyware Doctor (starter edition from google pack), and also run the CA online malware scanner. In addition, I have AVG antivirus running on that machine.

I ran all the scans while logged in as administrator. Most of the time my kids use the computer logged in as a limited account (under XP Home edition). The popups seem to happen only while logged in as the limited account. I've also run Spyware Dr. & S&D while logged in as the limited account.

Here's the online scan purportedly showing no infections:

eTrust Antivirus Web Scanner (CA) reports:

Scan Results: Scan Completed. 55584 files scanned. No viruses found.

File Infection Status Path
- No Infections

===

I've appended here TWO (2) HijackThis logs - one I got while logged in as administrator and one while logged in as the limited account. Thanks for any guidance.

-Yosh

===

HJT Log (logged in as administrator)

Logfile of HijackThis v1.99.1
Scan saved at 9:25:25 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AL5410-G Utility.lnk = C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171315894893
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

===================

HJT Log (logged in as limited account)

Logfile of HijackThis v1.99.1
Scan saved at 10:29:53 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AL5410-G Utility.lnk = C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Downloads\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Downloads\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171315894893
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
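
The two logs above are most useful side by side: the popups only appear under the limited account, so what matters is which autostarts, hooks and running processes differ between the admin and limited-account logs (per-user HKCU entries only show up in the log taken as that user), plus any entry whose target file is gone. The script below is an added example for this thread, not HijackThis code and not posted by anyone in it; the two embedded logs are short excerpts of the ones posted above.

```python
"""Diff two HijackThis logs and flag dangling entries.

Added example for this thread; it is not HijackThis code and was not
posted by anyone in the thread.  The popups only appear under the limited
account, so the useful question is which autostarts, hooks and processes
differ between the admin and limited-account logs (per-user HKCU entries
show up only in the log taken as that user).  Entries whose target file
is gone are listed too, since they are dead weight at best.
The two logs below are short excerpts of the ones posted above.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# "O4 - HKCU\..\Run: [...]": section code, " - ", the rest of the line.
_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
_DANGLING = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)

ADMIN_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
"""

LIMITED_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download All with FlashGet - C:\Downloads\jc_all.htm
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
"""


def parse_hjt(log):
    """Return (running processes, [Entry, ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line.lower())
            else:
                in_procs = False      # blank line ends the process list
            continue
        m = _LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def diff_logs(admin_log, limited_log):
    """Entries and processes present in only one log, plus dangling references."""
    a_procs, a_entries = parse_hjt(admin_log)
    l_procs, l_entries = parse_hjt(limited_log)
    a_set, l_set = set(a_entries), set(l_entries)

    def fmt(e):
        return f"{e.section} - {e.text}"

    return {
        "only_limited": sorted(fmt(e) for e in l_set - a_set),
        "only_admin": sorted(fmt(e) for e in a_set - l_set),
        "dangling": sorted(fmt(e) for e in a_set | l_set if _DANGLING.search(e.text)),
        "procs_only_limited": sorted(set(l_procs) - set(a_procs)),
    }


if __name__ == "__main__":
    for key, items in diff_logs(ADMIN_LOG, LIMITED_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run on the full logs, the interesting output is the `only_limited` list (the HKCU Run entries and FlashGet context menu items that exist only in the kids' profile) and `procs_only_limited` (what was actually running when the popups appeared); the `dangling` list is housekeeping, not evidence of infection by itself.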

yoshm
2007-05-21, 21:42
I've spent some more time logged in as the Limited Account.

I notice that both IE & FireFox get popups advertising various alleged antivirus and anti-spyware products - many of them cleverly designed to look like they're coming from Windows itself. Some site domains include www dot spyware-secure dot com, www dot amaena dot com, and others.

In addition, I also saw a window pop up (in FireFox) of an adult porn site (www dot hotsexygirls dot com).

I don't know if these phenomena are the result of one infection or two different ones.

I haven't experienced any of these popups (yet?) when logged in as the administrator account.

Mr_JAk3
2007-05-26, 22:51
Hello and welcome to the Forums.

Sorry for the wait...


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

yoshm
2007-05-29, 12:14
Thanks Mr. Jak3.

I did as you said. FYI, when I ran GMER, it posted two error messages as it came up:
-Gmer device: The system cannot find the file specified. <OK>
-System\CurrentControlSet\Services\gmer: The handle is invalid. <OK>

And then it came up and posted this message:

WARNING !!!

GMER has found system modification, which might have been caused by ROOTKIT activity.

Dou you want to fully scan your system ?

<Yes> <No>

to which I selected "No" so that I could follow your instructions.

At this point, there were two tabs "Rootkit" and ">>>>" and Rootkit was selected. In the list there was one entry in red as follows:

Process - hidden process(*** hidden ***) - 1780

Unfortunately, the Scan button was greyed out so I could not press it as you advised. I suspect it may have been because I was running as the limited account (which is where the problems occur).

At this point I exited and started over and answered yes when it asked if I wanted to scan.

It scanned & put up a message saying:

WARNING !!!
GMER has found system modification caused by ROOTKIT activity.
<OK>

I pressed Copy and here's what I got:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-29 13:06:06
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\DRIVERS\update.sys

---- Processes - GMER 1.0.12 ----

Process hidden process (*** hidden *** ) 1780

---- EOF - GMER 1.0.12 ----

At this point the Scan button was no longer greyed out, so I went ahead and pressed Scan & copy, but the results were identical, so I didn't paste them here.

Meanwhile a couple days ago, while I was waiting Spyware Dr did one of its automatic updates & scans & it found some stuff that it cleaned up that seemed related to this (cookies from the bad sites & other stuff). However, the popups continue to occur. If you want I can post the relevant part of the Spyware Dr log. Should I allow Spyware Dr to continue to run during this time or should I disable it until we're done?

Thanks for all your help. I await your further instructions.

-Yosh

Mr_JAk3
2007-05-29, 21:12
Hello :)

OK let's see what GMER tells in safe mode...

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run GMER and restart normally. Post the log to here.

yoshm
2007-05-30, 08:21
Hi again.

OK, I did as you said & here's the log. Note that in Safe mode one must login as an administrator. The previous log I posted was while logged in as the Limited Account. Here's the new GMER log:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-30 08:44:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwSetValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 2 Bytes [ F4, 18 ]
.text ntoskrnl.exe!_abnormal_termination + F3 804E274F 1 Byte [ F9 ]
? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Spyware Doctor\swdsvc.exe[640] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ C7, 9E, C5, 83 ]

---- EOF - GMER 1.0.12 ----


Thanks,
Yosh

Mr_JAk3
2007-05-30, 21:26
Ok we'll continue :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

yoshm
2007-05-31, 22:09
Here it is. FYI, I did it logged in as administrator, not in safe mode. thanks, yosh
---
"Yosh" - 2007-05-31 16:25:59 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Downloads\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\nvs2.inf"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-31 11:48 83,552 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-05-31 11:48 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-05-24 14:30 4,643 --a------ C:\WINDOWS\system32\dbbjyqy.dat
2007-05-24 14:30 364 --a------ C:\WINDOWS\system32\dbbjyqy_navps.dat
2007-05-24 14:30 363,520 --a------ C:\WINDOWS\system32\dbbjyqy.exe
2007-05-24 14:30 262,293 --a------ C:\WINDOWS\system32\dbbjyqy_nav.dat
2007-05-20 12:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-16 21:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-16 18:13 <DIR> d-------- C:\Documents and Settings\Yosh\.housecall6.6
2007-05-16 18:13 <DIR> d-------- C:\DOCUME~1\Yosh\.housecall6.6
2007-05-15 23:35 <DIR> d-------- C:\HijackThis
2007-05-09 19:34 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-05-09 19:31 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-09 19:28 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-05-09 19:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-09 19:28 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-05-09 19:28 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-09 19:28 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-05-09 19:28 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-05-09 19:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-05-09 19:28 <DIR> d-------- C:\DOCUME~1\Yosh\APPLIC~1\PC Tools
2007-05-09 19:27 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-05-09 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-09 19:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-05-09 19:17 <DIR> d-------- C:\Program Files\Google
2007-04-26 14:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-24 15:11 <DIR> d-------- C:\DOCUME~1\MANTIN~1\Contacts
2007-04-23 20:06 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-04-23 20:06 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-04-23 20:06 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-04-23 20:06 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-04-23 20:06 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-04-23 20:06 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-04-23 20:06 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-04-23 20:06 <DIR> d-------- C:\Documents and Settings\Yosh\Contacts
2007-04-23 20:06 <DIR> d-------- C:\DOCUME~1\Yosh\Contacts
2007-04-23 20:05 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-04-23 20:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-23 19:57 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-23 16:04 <DIR> d-------- C:\Program Files\WebMediaPlayer
2007-04-12 18:50 2,783,048 --a------ C:\WINDOWS\system32\GPhotos.scr
2007-04-11 19:59 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 08:49:12 -------- d-----w C:\Program Files\LogMeIn
2007-05-29 19:26:45 26,176 ----a-w C:\WINDOWS\system32\LMIport.dll
2007-05-29 19:26:44 10,304 ----a-w C:\WINDOWS\system32\LMImirr2.dll
2007-05-29 19:26:44 10,144 ----a-w C:\WINDOWS\system32\drivers\LMImirr.sys
2007-05-29 19:26:43 24,000 ----a-w C:\WINDOWS\system32\LMImirr.dll
2007-05-29 19:26:42 63,040 ----a-w C:\WINDOWS\system32\LMIinit.dll
2007-05-15 19:48:15 10,702 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-28 16:34:36 3,656,992 ----a-w C:\flashget182en.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=c:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-04-08 00:23 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-04-08 00:23 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 18:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 18:54]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-04-09 12:49]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 13:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 15:13]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 20:34]
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-14 23:03]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-05-29 22:28]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-20 18:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"WinVNC"="C:\Program Files\UltraVNC\winvnc.exe" [2006-06-18 15:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6517fb82-bcd4-11db-9d35-000094ce3d18}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

*Newly Created Service* - LMIMAINT
*Newly Created Service* - LMIRFSCLIENTNP
*Newly Created Service* - LMIRFSDRIVER

Contents of the 'Scheduled Tasks' folder
2007-05-25 12:00:00 C:\WINDOWS\tasks\Norton Security Scan.job
2007-02-15 21:50:00 C:\WINDOWS\tasks\Registration reminder 1.job
2007-02-20 21:50:00 C:\WINDOWS\tasks\Registration reminder 2.job
2007-02-25 21:50:01 C:\WINDOWS\tasks\Registration reminder 3.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 16:33:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 16:36:03
C:\ComboFix-quarantined-files.txt ... 2007-05-31 16:36

--- E O F ---
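
Two things in the ComboFix log above stand out on a first read: four files sharing the random-looking stem dbbjyqy dropped into system32 in the same minute (2007-05-24 14:30), and a MountPoints2 AutoRun command that launches a bare copy.exe when the matching drive is opened in Explorer. The script below is an added example for this thread, not ComboFix code and not posted by anyone in it; it scores the "Files Created" lines on two heuristics (vowel-less stem of six or more letters, and same-stem siblings created in the same minute) and lists any MountPoints2 AutoRun commands. The embedded excerpt is constructed from lines of the posted log. Both checks are heuristics: an abbreviated but legitimate name such as vfwwdm32.dll also trips the vowel test, so the output ranks candidates for a look rather than convicting them.

```python
"""Triage ComboFix 'Files Created' lines and MountPoints2 AutoRun hooks.

Added example for this thread; it is not ComboFix code and was not posted
by anyone in the thread.  Two items in the posted log stand out: four files
sharing the random-looking stem 'dbbjyqy' dropped into system32 in the same
minute, and a MountPoints2 AutoRun command that launches a bare copy.exe
when a drive is opened.  Both checks are heuristics: abbreviated but
legitimate names (vfwwdm32.dll) also trip the vowel test, so the output
ranks candidates for a look, it does not convict them.
The excerpt below is constructed from lines of the posted log.
"""
import re
from collections import defaultdict

COMBOFIX_EXCERPT = r"""
(((( Files Created from 2007-04-28 to 2007-05-31 ))))

2007-05-31 11:48 83,552 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-05-31 11:48 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-05-24 14:30 4,643 --a------ C:\WINDOWS\system32\dbbjyqy.dat
2007-05-24 14:30 364 --a------ C:\WINDOWS\system32\dbbjyqy_navps.dat
2007-05-24 14:30 363,520 --a------ C:\WINDOWS\system32\dbbjyqy.exe
2007-05-24 14:30 262,293 --a------ C:\WINDOWS\system32\dbbjyqy_nav.dat
2007-05-16 21:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-16 18:13 <DIR> d-------- C:\Documents and Settings\Yosh\.housecall6.6
2007-05-09 19:28 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-23 20:05 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll

(((( Reg Loading Points ))))

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6517fb82-bcd4-11db-9d35-000094ce3d18}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
"""

# "2007-05-24 14:30 363,520 --a------ C:\path": minute, size or <DIR>, attrs, path
_CREATED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")
_VOWELS = set("aeiou")


def _stem(path):
    """Letters of the file name before the first '.' or '_', lower-cased."""
    name = path.rsplit("\\", 1)[-1].lower()
    return re.sub(r"[^a-z]", "", re.split(r"[._]", name, maxsplit=1)[0])


def parse_created(log):
    """Yield (minute, path) for every file line in the 'Files Created' block."""
    for line in log.splitlines():
        m = _CREATED.match(line.strip())
        if m and m.group(2) != "<DIR>":
            yield m.group(1), m.group(4)


def rank_created(log):
    """Score each created file: +1 if its stem has 6+ letters and no vowel,
    +1 if another file with the same stem was created in the same minute."""
    files = list(parse_created(log))
    siblings = defaultdict(int)
    for minute, path in files:
        siblings[(minute, _stem(path))] += 1
    scores = {}
    for minute, path in files:
        stem = _stem(path)
        score = int(len(stem) >= 6 and not (_VOWELS & set(stem)))
        score += int(siblings[(minute, stem)] >= 2)
        scores[path] = score
    return scores


def mountpoint_autoruns(log):
    """AutoRun commands registered under HKCU\\...\\MountPoints2; these run
    when the user opens the matching drive in Explorer."""
    hits, in_key = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = "mountpoints2" in line.lower()
        elif in_key and line.lower().startswith("autorun\\command-"):
            hits.append(line.split("-", 1)[1].strip())
    return hits


def triage(log):
    """Bucket created files by score and list drive AutoRun hooks."""
    scores = rank_created(log)
    return {
        "high": sorted(p for p, s in scores.items() if s >= 2),
        "review": sorted(p for p, s in scores.items() if s == 1),
        "autoruns": mountpoint_autoruns(log),
    }


if __name__ == "__main__":
    for key, items in triage(COMBOFIX_EXCERPT).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the excerpt the four dbbjyqy files land in `high`, vfwwdm32.dll lands in `review` (a known false positive of the vowel test), and the single MountPoints2 command is returned verbatim so it can be checked against whatever copy.exe is on the drive it belongs to.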

yoshm
2007-05-31, 22:26
I just noticed after I closed the notepad ComboFix opened that under it was a message from Spybot S&D asking if it's OK to delete or change some registry entries:

Category: Desktop Settings
Change: Value deleted
Entry: scrnsave.exe
Old data: C:\WINDOWS\System32\scrnsave.scr

--

Category: System Startup global entry
Change: Value deleted
Entry: Kernel Fault Check
Old data: %systemroot%\system32\dumprep 0 - k

--

Category: Browser page
Change: Value changed
Entry: Search Page
Old data: http://rd.yahoo.com/customize/yessentials_
New data: http://www.microsoft.com/isapi/redir.dll?prd

--

Category: Browser page
Change: Value deleted
Entry: Search Bar
Old data: http://store.presario.net/scripts/redirectors/

--

Category: Browser page
Change: Value changed
Entry: Start Page
Old data: http://store.presario.net/scripts/redirectors/
New data: about:blank

--

Category: NT Startup
Change: Value deleted
Entry: load
Old data:

--

I said OK to them, as I assume ComboFix did it and they looked "OK"...

Thanks,
Yosh

Mr_JAk3
2007-06-01, 09:59
Hi again, we'll continue. You did the right thing with Spybot alerts.

You have a hidden infection.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/EGDACCESS.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "Scriptline to execute" field, click the folder icon and select EGDACCESS.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.


Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\dbbjyqy.dat
C:\WINDOWS\system32\dbbjyqy_navps.dat
C:\WINDOWS\system32\dbbjyqy.exe
C:\WINDOWS\system32\dbbjyqy_nav.dat
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Reboot into normal Windows.

Post a fresh HijackThis log to here.

yoshm
2007-06-01, 11:22
OK, did all that - thanks!
FYI, I did not get "Pending Operations prompt".
After I did Paste from Clipboard, I looked at the dropdown file list - it had only the .exe file in it. I don't know if that matters. I verified the clipboard DID have all the rows you said to copy (I pasted it into Notepad to double-check).

After rebooting, my computer was very sluggish. At any rate, here's the new HJT log - running as admin.

BTW, was there more than one infection (so far)? Many, many thanks for your help! --Yosh
-----------
Logfile of HijackThis v1.99.1
Scan saved at 12:20:21 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Spyware Doctor\swdsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AL5410-G Utility.lnk = C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171315894893
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
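The HijackThis logs in this thread are read by eye, line by line, and the check after the Killbox delete-on-reboot step in the previous post is really a before/after comparison of two such logs. Below is a small added example of that triage in Python, written for this page; it is not part of the thread and not a HijackThis feature. It parses the R0/R1/O2/O4/O23 entry lines, flags the entries a helper looks at first (references to files that no longer exist, services with no vendor information, autostarts in system32 with random-looking names) and diffs two logs. The sample logs inside it are constructed from a handful of lines in the same format; the dbbjyqy autostart line is made up to stand in for the hidden files listed in the Killbox step, and the "random-looking name" test is a crude heuristic of my own, not a HijackThis rule.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example for this thread; it is not part of the original posts and
not a HijackThis feature. It parses entry lines, flags a few kinds of
entries worth a second look, and diffs two logs (admin vs. limited account,
or before vs. after a fix).
"""
import re

# Entry lines look like:  O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")

# Markers HijackThis prints when the referenced file is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# A Windows path inside an entry body (stops at whitespace or a quote).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def parse_hjt(text):
    """Return (code, body) tuples for every entry line, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def looks_random(filename):
    """Crude heuristic (an assumption, not a HijackThis rule): a basename of
    six or more letters with no a/e/i/o/u, e.g. dbbjyqy.exe. It is only a
    prompt to check the file's signature, vendor and creation time."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and not any(v in stem for v in "aeiou")


def flag_entries(entries):
    """Return (reason, code, body) for entries worth a second look.

    Every reason is a lead, not a verdict: legitimate software leaves
    dangling BHOs and vendor-less services behind too.
    """
    flagged = []
    for code, body in entries:
        if any(marker in body for marker in MISSING_MARKERS):
            flagged.append(("referenced file missing", code, body))
        if code == "O23" and "Unknown owner" in body:
            flagged.append(("service with no vendor information", code, body))
        if code == "O4":
            for path in PATH_RE.findall(body):
                folder, _, name = path.rpartition("\\")
                if folder.lower().endswith("\\system32") and looks_random(name):
                    flagged.append(("random-looking name in system32", code, body))
    return flagged


def diff_logs(before_text, after_text):
    """Entries present only in the first log and only in the second."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


# Constructed sample logs: a few lines in the thread's format. The dbbjyqy
# autostart line is made up to stand in for the hidden files in the thread.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [dbbjyqy] C:\WINDOWS\system32\dbbjyqy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
"""

SAMPLE_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
"""

if __name__ == "__main__":
    for reason, code, body in flag_entries(parse_hjt(SAMPLE_BEFORE)):
        print(f"[{reason}] {code} - {body}")
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("gone after fix:", removed)
    print("new after fix:", added)
```

Run it on two real logs by reading the files into `diff_logs`; anything in the "new after fix" list deserves the same look as the flagged entries, since a cleanup step should only ever remove autostarts, not add them.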

Mr_JAk3
2007-06-01, 21:28
Hello :)

Ok good, how is the computer running?

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Double-click fsbl.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the BlackLight log from your desktop)

yoshm
2007-06-03, 16:53
Hi. I've been trying to not use the computer, so I can't say how it's running. However, since you asked, I will log in as limited user & see if it's still getting the popup browsers.

Meanwhile, here's the log. It said it didn't find anything. I await your next instructions.
thanks,
yosh


06/03/07 17:36:35 [Info]: BlackLight Engine 1.0.61 initialized
06/03/07 17:36:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/03/07 17:36:36 [Note]: 7019 4
06/03/07 17:36:36 [Note]: 7005 0
06/03/07 17:36:44 [Note]: 7006 0
06/03/07 17:36:44 [Note]: 7011 492
06/03/07 17:36:45 [Note]: 7026 0
06/03/07 17:36:45 [Note]: 7026 0
06/03/07 17:37:04 [Note]: FSRAW library version 1.7.1021
06/03/07 17:51:01 [Note]: 7007 0

Mr_JAk3
2007-06-03, 20:42
OK, nothing bad there either.

Could you use the computer and let me know how it is running :)

Also, please restart the computer in safe mode and run HijackThis and save the log (in safe mode). Then restart the computer normally and post the log here.

yoshm
2007-06-05, 07:56
Hi. OK, I left it with browser windows open for several hours (nothing else) and nothing popped up (yet). That's a good sign. Beforehand I'll let my daughter use it now for a day & see if anything happens and will report back. This evening I'll run the HJT in safe mode.

BTW, is there any difference (in non-safe mode) between running HJT as admin or limited? I was a little surprised that this infection only affected the limited account and not the admin account (which is why I started by running HJT in both modes).

Again, many many thanks for your help.

-Yosh

Mr_JAk3
2007-06-05, 19:57
Hi :)

Well the user account depends on the infection...

Please restart the computer in safe mode and run HijackThis and save the log (in safe mode). Then restart the computer normally and post the log here.

yoshm
2007-06-05, 21:07
Hi Mr. Jak,

Here's the log, from safe mode. So far, still no bad behavior from the computer. Thanks, Yosh
----
Logfile of HijackThis v1.99.1
Scan saved at 9:27:56 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AL5410-G Utility.lnk = C:\Program Files\Asante\AeroLAN AL5410-G\WlanCU.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171315894893
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)

yoshm
2007-06-06, 09:48
Hi again Mr. Jak,

As I mentioned previously, Spyware Dr. (the free version in the Google Pack) is running on the computer. After I did the safe-mode HJT (log posted last night), Spyware Dr. downloaded an update and did its scan. It found 34 "infections", including some cookies related to amaena & winantivirus, winantispyware, etc. and some other stuff. Here's the log from Spyware Dr, FYI.

I await your further instructions. Thanks so much for all your help.

Thanks,
Yosh
----
6/6/2007 2:56:19 AM:738 Scan Started
Scan Type - Full Scan

6/6/2007 2:56:55 AM:509 Infection was detected on this computer
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - bravenet.com/ bravenet.com

6/6/2007 2:56:55 AM:699 Infection was detected on this computer
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - www1.addfreestats.com/ www1.addfreestats.com

6/6/2007 2:56:55 AM:720 Infection was detected on this computer
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - imrworldwide.com/ imrworldwide.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - aff .drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z www.drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - link .drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - cnt .drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - lng .drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - ad .drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteAID_drivecleaner stats.drivecleaner.com

6/6/2007 2:58:06 AM:912 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteLID_drivecleaner stats.drivecleaner.com

6/6/2007 2:58:06 AM:922 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - tid stats.drivecleaner.com

6/6/2007 2:58:06 AM:922 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteID stats.drivecleaner.com

6/6/2007 2:58:06 AM:922 Infection was detected on this computer
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z drivecleaner.com

6/6/2007 2:58:07 AM:42 Infection was detected on this computer
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - ih ad.yieldmanager.com

6/6/2007 2:58:07 AM:42 Infection was detected on this computer
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - uid ad.yieldmanager.com

6/6/2007 2:58:07 AM:52 Infection was detected on this computer
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - pv1 ad.yieldmanager.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lng .www.amaena.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lid .www.amaena.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - affid .www.amaena.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - cnt .www.amaena.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - aid .www.amaena.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - tid stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteID stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantispyware stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantispyware stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantispyware stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantiantivirus stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantiantivirus stats1.reliablestats.com

6/6/2007 2:58:07 AM:132 Infection was detected on this computer
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantiantivirus stats1.reliablestats.com

6/6/2007 3:48:01 AM:248 Infection was detected on this computer
Threat Name - Trojan.PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

6/6/2007 3:48:04 AM:432 Infection was detected on this computer
Threat Name - Trojan.Downloader.Ruins
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

6/6/2007 3:48:08 AM:268 Infection was detected on this computer
Threat Name - Instant Access
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A, Blob

6/6/2007 3:48:08 AM:298 Infection was detected on this computer
Threat Name - Instant Access
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A

6/6/2007 3:51:27 AM:504 Scan Finished
Scan Type - Full Scan
Items Processed - 147015
Threats Detected - 7
Infections Detected - 34
Infections Ignored - 0

6/6/2007 10:36:18 AM:853 Infection quarantined
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - imrworldwide.com/ imrworldwide.com

6/6/2007 10:36:19 AM:294 Infection quarantined
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - bravenet.com/ bravenet.com

6/6/2007 10:36:19 AM:394 Infection cleaned
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - imrworldwide.com/ imrworldwide.com

6/6/2007 10:36:19 AM:434 Infection cleaned
Threat Name - Tracking Cookie(s)
Type - Cookie
Risk Level - Low
Infection - bravenet.com/ bravenet.com

6/6/2007 10:36:19 AM:805 Infection quarantined
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - pv1 ad.yieldmanager.com

6/6/2007 10:36:20 AM:145 Infection quarantined
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - uid ad.yieldmanager.com

6/6/2007 10:36:20 AM:325 Infection quarantined
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - ih ad.yieldmanager.com

6/6/2007 10:36:20 AM:606 Infection quarantined
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - www1.addfreestats.com/ www1.addfreestats.com

6/6/2007 10:36:20 AM:746 Infection cleaned
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - pv1 ad.yieldmanager.com

6/6/2007 10:36:20 AM:846 Infection cleaned
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - uid ad.yieldmanager.com

6/6/2007 10:36:20 AM:946 Infection cleaned
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - ih ad.yieldmanager.com

6/6/2007 10:36:20 AM:946 Infection cleaned
Threat Name - Advertising
Type - Cookie
Risk Level - Low
Infection - www1.addfreestats.com/ www1.addfreestats.com

6/6/2007 10:36:22 AM:909 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z drivecleaner.com

6/6/2007 10:36:23 AM:69 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteID stats.drivecleaner.com

6/6/2007 10:36:23 AM:310 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - tid stats.drivecleaner.com

6/6/2007 10:36:23 AM:430 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteLID_drivecleaner stats.drivecleaner.com

6/6/2007 10:36:23 AM:570 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteAID_drivecleaner stats.drivecleaner.com

6/6/2007 10:36:23 AM:740 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - ad .drivecleaner.com

6/6/2007 10:36:23 AM:871 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - lng .drivecleaner.com

6/6/2007 10:36:24 AM:1 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - cnt .drivecleaner.com

6/6/2007 10:36:24 AM:101 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - link .drivecleaner.com

6/6/2007 10:36:24 AM:351 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z www.drivecleaner.com

6/6/2007 10:36:24 AM:521 Infection quarantined
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - aff .drivecleaner.com

6/6/2007 10:36:24 AM:532 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z drivecleaner.com

6/6/2007 10:36:24 AM:552 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteID stats.drivecleaner.com

6/6/2007 10:36:24 AM:552 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - tid stats.drivecleaner.com

6/6/2007 10:36:24 AM:562 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteLID_drivecleaner stats.drivecleaner.com

6/6/2007 10:36:24 AM:562 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - siteAID_drivecleaner stats.drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - ad .drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - lng .drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - cnt .drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - link .drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - z www.drivecleaner.com

6/6/2007 10:36:24 AM:582 Infection cleaned
Threat Name - Drive Cleaner
Type - Cookie
Risk Level - Medium
Infection - aff .drivecleaner.com

6/6/2007 10:36:24 AM:892 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:25 AM:2 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:25 AM:92 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:25 AM:313 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantispyware stats1.reliablestats.com

6/6/2007 10:36:25 AM:423 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantispyware stats1.reliablestats.com

6/6/2007 10:36:25 AM:553 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantispyware stats1.reliablestats.com

6/6/2007 10:36:25 AM:633 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteID stats1.reliablestats.com

6/6/2007 10:36:25 AM:743 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - tid stats1.reliablestats.com

6/6/2007 10:36:25 AM:863 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - aid .www.amaena.com

6/6/2007 10:36:25 AM:954 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - cnt .www.amaena.com

6/6/2007 10:36:26 AM:74 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - affid .www.amaena.com

6/6/2007 10:36:26 AM:174 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lid .www.amaena.com

6/6/2007 10:36:26 AM:474 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lng .www.amaena.com

6/6/2007 10:36:26 AM:484 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:26 AM:484 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:26 AM:494 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantiantivirus stats1.reliablestats.com

6/6/2007 10:36:26 AM:494 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLP_winantispyware stats1.reliablestats.com

6/6/2007 10:36:26 AM:494 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteLID_winantispyware stats1.reliablestats.com

6/6/2007 10:36:26 AM:504 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteAID_winantispyware stats1.reliablestats.com

6/6/2007 10:36:26 AM:504 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - siteID stats1.reliablestats.com

6/6/2007 10:36:26 AM:504 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - tid stats1.reliablestats.com

6/6/2007 10:36:26 AM:715 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - aid .www.amaena.com

6/6/2007 10:36:26 AM:715 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - cnt .www.amaena.com

6/6/2007 10:36:26 AM:725 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - affid .www.amaena.com

6/6/2007 10:36:26 AM:725 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lid .www.amaena.com

6/6/2007 10:36:26 AM:735 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - lng .www.amaena.com

6/6/2007 10:36:27 AM:536 Infection quarantined
Threat Name - Trojan.PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

6/6/2007 10:36:27 AM:566 Infection cleaned
Threat Name - Trojan.PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

6/6/2007 10:36:28 AM:17 Infection quarantined
Threat Name - Trojan.Downloader.Ruins
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

6/6/2007 10:36:28 AM:17 Infection cleaned
Threat Name - Trojan.Downloader.Ruins
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

6/6/2007 10:36:28 AM:447 Infection quarantined
Threat Name - Instant Access
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A

6/6/2007 10:36:28 AM:587 Infection quarantined
Threat Name - Instant Access
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A, Blob

6/6/2007 10:36:28 AM:627 Infection cleaned
Threat Name - Instant Access
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A

6/6/2007 10:36:28 AM:627 Infection cleaned
Threat Name - Instant Access
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-784569582-2317538923-1809067083-1010\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A, Blob

6/6/2007 10:36:31 AM:552 Infections Quarantined/Removed Summary
Quarantined - 34
Quarantine Failed - 0
Removed - 34
Remove Failed - 0

Mr_JAk3
2007-06-06, 20:38
Ok, most of the findings are just cookies. These are easily dealt with. The reg entries were false positives or minor leftovers.

So the computer is running fine?
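
The triage Mr_JAk3 is doing by eye (cookies versus registry keys, quarantined versus cleaned) can be done mechanically over a pasted log. The script below is an added example, not code from the thread or from the scanner vendor: the record layout (a timestamped "Infection quarantined/cleaned" line followed by Threat Name, Type, Risk Level and Infection fields, then a summary block) is inferred from the log above, and the embedded sample is a short excerpt of it constructed for the demonstration.

```python
"""Triage a Spyware Doctor-style event log into a per-type summary.

Added example (not from the forum thread): the record layout is inferred
from the log pasted above, and SAMPLE_LOG is a constructed excerpt of it.
"""
import re
from collections import Counter

# Constructed excerpt of the pasted log, embedded so the script runs offline.
SAMPLE_LOG = """\
6/6/2007 10:36:25 AM:863 Infection quarantined
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - aid .www.amaena.com

6/6/2007 10:36:26 AM:715 Infection cleaned
Threat Name - Known Bad Sites
Type - Cookie
Risk Level - High
Infection - aid .www.amaena.com

6/6/2007 10:36:27 AM:536 Infection quarantined
Threat Name - Trojan.PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\load

6/6/2007 10:36:27 AM:566 Infection cleaned
Threat Name - Trojan.PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\load

6/6/2007 10:36:31 AM:552 Infections Quarantined/Removed Summary
Quarantined - 2
Quarantine Failed - 0
Removed - 2
Remove Failed - 0
"""

# One event header per record: "<date> <time> AM:<ms> Infection quarantined|cleaned"
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M:\d+) Infection (?P<action>quarantined|cleaned)$")
FIELD_RE = re.compile(r"^(?P<key>Threat Name|Type|Risk Level|Infection) - (?P<value>.*)$")
SUMMARY_RE = re.compile(r"^(?P<key>Quarantined|Quarantine Failed|Removed|Remove Failed) - (?P<n>\d+)$")


def parse_log(text):
    """Return (events, summary): each event is a dict with ts, action and the four fields."""
    events, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line closes the current record
            continue
        m = EVENT_RE.match(line)
        if m:
            current = {"ts": m.group("ts"), "action": m.group("action")}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key")] = int(m.group("n"))
    return events, summary


def triage(events):
    """Count quarantined items by (Type, Risk Level): what was actually removed."""
    quarantined = [e for e in events if e["action"] == "quarantined"]
    return Counter((e["Type"], e["Risk Level"]) for e in quarantined)


def summary_consistent(events, summary):
    """Cross-check the scanner's own totals against the per-event records."""
    q = sum(1 for e in events if e["action"] == "quarantined")
    c = sum(1 for e in events if e["action"] == "cleaned")
    return q == summary.get("Quarantined") and c == summary.get("Removed")


if __name__ == "__main__":
    evs, summ = parse_log(SAMPLE_LOG)
    for (kind, risk), n in sorted(triage(evs).items()):
        print(f"{kind:14s} {risk:7s} {n}")
    print("summary matches events:", summary_consistent(evs, summ))
```

Run against the full log pasted above, the Counter shows the cookie entries dominating, with only a handful of Registry Key/Value records, which is the point Mr_JAk3 makes; the consistency check confirms the 34/34 totals in the summary block match the per-event lines.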

yoshm
2007-06-06, 21:55
No problems in the last two days.

Anything else to do?

Once again, thank you very much,
yosh

Mr_JAk3
2007-06-07, 19:49
Hi again, it is looking clean now :)

You can fix this leftover with HijackThis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You can remove the tools we used.

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)



=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
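
The "Install MVPS Hosts file" step above works by pinning known-bad hostnames to a loopback or unspecified address so the browser never reaches them. The script below is an added example, not code from the thread or from the MVPS project: it parses a hosts file, reports which of the domains that appeared in the cookie entries of the scan log would be blocked, and shows the limitation a practitioner should know about, namely that hosts entries match exact names only. The hosts excerpt is constructed for the demonstration and is not a copy of the real MVPS file.

```python
"""Check which domains from the scan log a hosts file would block.

Added example (not from the thread or the MVPS project). SAMPLE_HOSTS is a
constructed excerpt in the usual "address hostname # comment" layout; the
OBSERVED list comes from the cookie entries in the pasted scan log.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1       localhost
0.0.0.0 www.amaena.com
0.0.0.0 amaena.com        # trailing comment is ignored
0.0.0.0 www.drivecleaner.com
0.0.0.0 stats1.reliablestats.com
"""

# Addresses that blocking-style hosts files point names at.
BLACKHOLE = {"0.0.0.0", "127.0.0.1"}

# Hostnames seen in the cookie entries of the thread's scan log.
OBSERVED = ["www.amaena.com", "www.drivecleaner.com", "stats.drivecleaner.com",
            "stats1.reliablestats.com", "drivecleaner.com"]


def parse_hosts(text):
    """Map each hostname to the address it resolves to; ignore comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, then whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])     # first token must be an IP address
        except ValueError:
            continue                           # malformed line: skip, don't trust it
        for name in parts[1:]:                 # one address may carry several names
            table[name.lower()] = parts[0]
    return table


def is_blocked(table, hostname):
    """True when the hosts file pins this exact name to a blackhole address.

    Hosts lookups are exact-match: an entry for www.drivecleaner.com does not
    cover stats.drivecleaner.com, which is why lists such as MVPS carry many
    subdomains per site.
    """
    return table.get(hostname.lower()) in BLACKHOLE


def coverage(table, hostnames):
    """Split observed hostnames into those the hosts file blocks and those it misses."""
    blocked = sorted(h for h in hostnames if is_blocked(table, h))
    missed = sorted(h for h in hostnames if not is_blocked(table, h))
    return blocked, missed


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    blocked, missed = coverage(hosts, OBSERVED)
    print("blocked:    ", blocked)
    print("not blocked:", missed)
```

With the constructed excerpt, stats.drivecleaner.com and drivecleaner.com come back as not blocked even though www.drivecleaner.com is, so after installing a hosts file it is worth checking the actual names from a scan log against it rather than assuming the parent domain is covered.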