View Full Version : SurfSideKick has infected my computer
confusionsays
2006-01-08, 08:26
I have been using Spybot S & D 1.3 to scan for problems, as I am having some Trojan Horses (Tr/Dldr.TSUpdat.F.3)trying to gain access. But first I scan, then when I try to "fix problems" I get the error message "this application or dll c:\documents and setting\duane\application data\Sskknwrd.dll is not a valid windows image. Please check this against your installation diskette".
The last time I updated my Spybot was 2005.11.04
confusionsays
2006-01-10, 05:34
I posted a post on the 7th about a Trojan Horse of which I believe that I have now deleted with AVAST. But I apparently haven't removed everything bad, as I am still getting advertising popups when I am on the Net. I ran Spybot after the Trojans were cleaned out but SurfSideKick is still there.
HELP!!!!!!!
LonnyRJones
2006-01-10, 15:25
Hi confusionsays
Please use the add reply button rather than a new topic in the future
Go here and follow instructions.
Before you post a log
http://forums.spybot.info/showthread.php?t=288
Post the hjt log here in this thread.
Someone will then take a look at the system and advise you.
confusionsays
2006-01-10, 22:00
Logfile of HijackThis v1.99.0
Scan saved at 11:56:28 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Network\network.exe
C:\windows\banmanpro.exe
C:\WINDOWS\newfrn.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\n?lookup.exe
C:\Program Files\rnee\eaed.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\XGMacroEn\XGProg.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\ZHVhbmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\duane\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {892392D3-2241-28E4-1643-2C50D6533590} - C:\WINDOWS\system32\nadieacq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Bptddqw] C:\WINDOWS\system32\n?lookup.exe
O4 - HKCU\..\Run: [Catt] "C:\Program Files\rnee\eaed.exe" -vt yazr
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: XGMacro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: repairs302972988.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service - Unknown - C:\WINDOWS\ZHVhbmU\command.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
LonnyRJones
2006-01-11, 05:07
Hi
Please Go here and submit all the files in that network folder
C:\Program Files\Network unless your aware of what it is ?
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Thanks
In windows control panel addremove programs uninstall surfsidekick and "Network Monitor".
Restart your PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Open a command prompt (start run type cmd press enter)
type
sc delete "Network Monitor"
press enter, type in
sc delete cmdservice
press enter, type exit and press enter to exit the command prompt
Make a new folder at this location
C:\ called "BFU"
Download/save (not open) Brute Force Uninstaller, By Merijn, author of Hijackthis.
from one of these locations
http://www.merijn.org/files/bfu.zip
http://castlecops.com/zx/Merijn/bfu.zip
extract the files inside and place them in the BFU folder
Doubleclick on BFU.exe, Click the round green icon (open script URL)
copy then paste in
http://downloads.subratam.org/BFUscripts/igetnetfreepod.BFU
Then click execute, when it is finished restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {892392D3-2241-28E4-1643-2C50D6533590} - C:\WINDOWS\system32\nadieacq.dll
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Bptddqw] C:\WINDOWS\system32\n?lookup.exe
O4 - HKCU\..\Run: [Catt] "C:\Program Files\rnee\eaed.exe" -vt yazr
====================================
Hit fix checked and close Hijackthis.
[B]Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post a fresh hijackthis log please, be sure to mention any current problems.
confusionsays
2006-01-11, 07:15
Hi Lonny,
I did all you asked me to do except I couldn't do a command prompt. I kept being told it was 'an illegal' action. I did the rest, but got a popup on the final
reboot, plus not all the files you asked me to deal with in HJT were there.
LonnyRJones
2006-01-11, 08:12
Hi
I posted to the thread at the uploads forum, go look please
Where is the fresh Hiajckthis log ?
Also since your using an outdated SpyBot:
In windows addremove programs uninstall SpyBot then Restart the PC,
and delete SpyBots folder in program files,
usualy > C:\Program Files\Spybot - Search & Destroy
Then download and install 1.4 once thats done, check for updates, then check for problems, fix everything found, always reboot if SpyBots needs to, to finish the cleanup.
http://www.safer-networking.org/index.php?page=tutorial
Download found here http://www.safer-networking.org/en/download/index.html
confusionsays
2006-01-11, 20:24
Lonny,
here is the last HJT log. I have had no popups lately - Thanks!
Logfile of HijackThis v1.99.0
Scan saved at 10:22:18 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\XGMacroEn\XGProg.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\ZHVhbmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\duane\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: XGMacro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service - Unknown - C:\WINDOWS\ZHVhbmU\command.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I go now to exchange Spybot programs.
confusionsays
2006-01-11, 20:49
Lonny,
I did what you requested, and removed my old Spybot Program (1.3), then downloaded Spybot 1.4. I then ran it, and it ran fast & up popped
"Command", which I deleted. I then rebooted, and then e-mailed you.
LonnyRJones
2006-01-12, 03:13
Go here and attach
C:\Program Files\Network\network.exe
http://www.thespykiller.co.uk/forum/index.php?topic=1066.0
Thanks
Repeat these suggestions
Make a new folder at this location
C:\ called "BFU"
Download/save (not open) Brute Force Uninstaller, By Merijn, author of Hijackthis.
from one of these locations
http://www.merijn.org/files/bfu.zip (http://www.merijn.org/files/bfu.zip)
http://castlecops.com/zx/Merijn/bfu.zip (http://castlecops.com/zx/Merijn/bfu.zip)
extract the files inside and place them in the BFU folder
Doubleclick on BFU.exe, Click the round green icon (open script URL)
copy then paste in
Code:
http://downloads.subratam.org/BFUscripts/igetnetfreepod.BFU
Then click execute, when it is finished restart the PC.
=========================================
did you see a script execution completed message ?
Let me know if there were any problems
Now make and post a new Hiajckthis log
Also: post the rusults from this regsearch
Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in
command.exe
hit ok, wait, then when wordpad opens copy that back here please
Note: Your antivirus script protection might interfear, its safe, please allow it to run.
confusionsays
2006-01-13, 11:24
Lonny,
(a) attached the network.exe files to that site
(b) went into the BFU folder, and ran Brute Force. It executed very, very fast with no problems.
(c) below is the new HJT file:
Logfile of HijackThis v1.99.0
Scan saved at 1:21:19 AM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\XGMacroEn\XGProg.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\duane\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: XGMacro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
(d) downloaded the Registry Search Tool, and did as you said. Kept getting scripts that told me that I couldn't go there. Then I was unable to go any further, as no wordpad opened ?!!
LonnyRJones
2006-01-13, 11:51
"(b) went into the BFU folder, and ran Brute Force. It executed very, very fast with no problems."
Thats not how i suggested to run it or we are mis-comunicating.
Try to explain in more detail, next time please.
Bfu and the script was not ran correctly or something is hampering it,
if it was the items below would not be there now.
Lets skip running bfu for now
Tell me exactly what happens when you go start run and type cmd and press enter ?
Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Set windows to show hidden extensions file's and folder's.
click for> instructions<. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Delete these folders
C:\Program Files\Common Files\VCClient
C:\Program Files\rnee
C:\Program Files\Network
C:\Program Files\Freeprod Toolbar
C:\WINDOWS\ZHVhbmU
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\InetGet
C:\Program Files\Common Files\InetGet2
and these files (if present)
C:\WINDOWS\system32\nadieacq.dll
C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\Windows\ack.html
C:\Program Files\Common Files\Windows\AutoIt3.exe
C:\Program Files\Common Files\Windows\request.html
C:\Program Files\Common Files\Windows\services32.exe
C:\windows\enewsletterpro.exe
C:\windows\banmanpro.exe
c:\drsmartloadb.exe
C:\WINDOWS\newfrn.exe
c:\documents and setting\duane\application data\Sskknwrd.dll
===========================
You have two antivirus programs, Uninstall one keep the other and reboot the pc.
(d) downloaded the Registry Search Tool, and did as you said. Kept getting scripts that told me that I couldn't go there. Then I was unable to go any further, as no wordpad opened ?!!
I need more details in order to understand
Post a fresh hijackthis log please, be sure to mention any current problems.
confusionsays
2006-01-13, 22:28
LONNY,
I apologise for my obtuseness about my computer, as it was build last year by a recently-deceased friend.
(a)The message I get from trying to run the "cmd" function is as follows:
C:\Windows\System 32\cmd.com
The NTVDM CPU has encountered an illegal instruction.
CS:0000 IP:019f OP:f0 f3 ee 00 f0 Choose "Close" to terminate the application.
(b) I ran HJT and deleted all the items that you mentioned.
I am off to work, so I will finish the rest of your instructions tonite.
confusionsays
2006-01-14, 21:22
Lonny,
(a) Okay I went and exposed my hidden files/folders. I couldn't find the following folders:
C:\Program Files\rnee
C:\ Program Files\SurfSideKick3
C:\Program Files\Common Files\InetGet2
C:\Windows\system32\nadieacq.dll
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\Windows\ack.html
I didn't find mc-110-12-000228 in the C:\Program Files\Common Files\Windows, but in C:\ (I deleted it).
I did find a mc-110-12-0000137 where the mc-110-12-000028 file was supposed to be (deleted that as well).
deleted Sskknwrd.dll, but also found Sskcwrd and Sskuknwrd (deleted both)
Had no luck deleting the C:\Program Files\Common Files\system32.exe
file, as I got a "Error Deleting File or Folder" message with:
"Cannot delete services.32: Access is denied
Make sure that the disk is not full or write-protected and that the file is not currently in use"
(b) deleted one of my antivirus programs
(c) below is the new HJT file:
Logfile of HijackThis v1.99.0
Scan saved at 10:47:13 AM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\XGMacroEn\XGProg.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\duane\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: XGMacro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
(d) no more popups lately, and no more drag on computer processes.
LonnyRJones
2006-01-15, 06:40
Hi
Fix this item with hijackthis, did you miss it
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
restart your PC and now you should be able to delete
C:\Program Files\Common Files\system32.exe
Please download the trial version of Ewido Security Suite here:
install then from within the program check for updates BUT dont scan yet
ewido security suite: http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")..
Run an Ewido scan:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido
confusionsays
2006-01-18, 08:46
LONNY,
Still can't find that system32. exe file, but I did clean up that file in HJT.
Downloaded "ewido", and ran the scan. I am deleting the problem files one-by-one, but there are 4555 to look through. Trojan Crypt.e is a nasty little bug I must have picked up through Limeware. I am still attacking it in the J's.
Will get back to you when I am through - hopefully in 24 hours.:eek:
LonnyRJones
2006-01-19, 22:45
Hi
Hows it going ?
If that file isnt there it isnt there
Also zip up and attach the contents of the
C:\Program Files\wmplayer folder please
http://www.thespykiller.co.uk/forum/index.php?topic=1066.0
Thanks
confusionsays
2006-01-20, 00:42
LONNY,
I went hard trying to get back to you so we can hopefully tie this up, and went through 1500 "infected" files pretty fast. But the last 300 viruses are taking forever - about 2-5 minutes per infected file. The warning comes up asking me to delete "yes" or "no", I press "yes" & every 2nd one it delays for 2-5 minutes. The Task Manager says that it the Ewido is "not responding", but the "System Idle Process" is doing 95%. It sometimes won't 'respond' for 2 minutes, then starts "running" before "not responding" again for 3 minutes more. This will probably take till tomorrow, as I can't spend 4 hours watching the screen.
Talk to you tomorrow morning.
confusionsays
2006-01-21, 06:33
LONNY,
I have finally completed the Ewido process (scan & clean) - 3.5 days of work that I don't plan to do again if at all possible. I saved the "Ewido scan" to the desktop as you said. The wmplayer file you requested is empty?!
Your take on eacdavide's advice (nothing personal Eacdavide)?
LonnyRJones
2006-01-21, 06:43
Hi
attach or post that report please
If your willing to run Ewido use its backups to put back just the files in that wmplayer folder, we need samples, doing so will not re-infect without also adding back its registry items.
confusionsays
2006-01-22, 06:01
Lonny,
Here is the Ewido file
LonnyRJones
2006-01-22, 19:04
Hi confusionsays
Try to attach it again please, it might need to be split into two files for it to fit .... Post a new Hijackthis log and mention the current problems.
Are you willing to put back that folder with Ewidos backups ? If so Do you need instructions
confusionsays
2006-01-22, 21:29
LONNY,
I divided the file into 2 files of 421 KB and 416 KB, but I am not allowed more than 30 KB. Any other way to get it to your eyes, then sending you 100 files?
Here is the new HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 11:23:14 AM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\XGMacroEn\XGProg.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\duane\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: XGMacro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I could probably use some help with the Ewido backup files.
The only problem that I have seen is a "Thumbs" file that keeps appearing in my "Shared" folder. It is apparently a systems file, which I have to keep deleting.
confusionsays
2006-01-23, 21:01
LONNY,
As an addition to your question of what current problems do I have, and my answer of the "Thumbs-system file": There are 143 "Thumbs" files on my computer, and when I check their "properties" I get a "modified" date earlier then the "created" date?!?! When I erase it in a file, then close that file, then come back later it is back??!
LonnyRJones
2006-01-24, 06:25
Hi
Run Ewido, click quarantine find and restore ONLY the items that were in that wmplayer folder
C:\Program Files\wmplayer , close ewido zip up the contents of that folder
(rightclick send to > compressed) then go attach that cab (or zip if you use a third party zip program) file here
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Now delete that folder or run ewido and let it remove the items there.
Thanks
More info on those thumbs.db files here
http://www.tweakxp.com/article36702.aspx
Post a report from one or both of these free online scans
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.
confusionsays
2006-01-24, 15:40
LONNY,
I sent the contents of the wmplayer file to that other forum.
I downloaded kaspersky and it's findings are here:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 24, 2006 05:36:10
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/01/2006
Kaspersky Anti-Virus database records: 172825
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
E:\
F:\
G:\
H:\
I:\
N:\
Scan Statistics:
Total number of scanned objects: 108042
Number of viruses found: 20
Number of infected objects: 71
Number of suspicious objects: 2
Duration of the scan process: 8207 sec
Infected Object Name - Virus Name
C:\AGEU_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\AGEU_SilentSudokuInstaller.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy19.zip/adv.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy19.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\duane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1b69be98-69ae124d.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\duane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1b69be98-69ae124d.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\duane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1b69be98-69ae124d.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\duane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1b69be98-69ae124d.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\duane\Local Settings\Temp\AGEU_SudokuInstaller.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\Documents and Settings\duane\Local Settings\Temp\AGEU_SudokuInstaller.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\Program Files\wmplayer\wmplayer.exe Infected: Trojan-Dropper.Win32.VB.kw
C:\SS1001.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn
C:\SS1001.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP609\A0022502.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP610\A0022521.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP610\A0022565.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP612\A0022591.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP612\A0022592.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP612\A0022593.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP612\A0022593.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP612\A0022593.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP613\A0022613.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP615\A0022649.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP615\A0022654.exe Infected: Trojan-Downloader.Win32.VB.uy
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP615\A0022673.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP615\A0022678.exe Infected: Trojan-Dropper.Win32.VB.kw
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP617\A0022703.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP619\A0022729.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP619\A0022734.exe Infected: Trojan-Downloader.Win32.PurityScan.ax
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP619\A0022752.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP619\A0022775.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022811.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022827.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022849.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022862.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022864.exe Infected: Trojan-Downloader.Win32.PurityScan.be
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022865.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022872.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022873.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022874.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022875.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022876.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022880.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022892.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022907.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP621\A0022917.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP622\A0022935.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP622\A0022978.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP622\A0022993.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP624\A0023027.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP624\A0023045.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP624\A0023057.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP625\A0023096.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP626\A0023177.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP626\A0023209.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP628\A0023258.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP629\A0023300.exe Infected: Trojan-Dropper.Win32.VB.kw
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP629\A0023301.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP629\A0023302.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP629\A0023303.exe Infected: not-a-virus:Monitor.Win32.NetMon.a
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP629\A0023304.exe Infected: Trojan-Dropper.Win32.VB.kw
C:\System Volume Information\_restore{1A8CD2D3-1597-4EFF-9955-B6CDD9CEE1C9}\RP632\A0023355.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINDOWS\system32\DH9013.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\WINDOWS\system32\DH9013.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\WINDOWS\system32\p2pnetworking.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINDOWS\WinDy.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\WINDOWS\WinDy.exe Infected: Trojan-Clicker.Win32.Small.jf
Scan process completed.
I had problems downloading panda.
LonnyRJones
2006-01-24, 18:25
Thanks :)
Delete these files and folder
C:\AGEU_SilentSudokuInstaller.exe
C:\SS1001.exe
C:\WINDOWS\system32\DH9013.exe
C:\WINDOWS\WinDy.exe
C:\Program Files\wmplayer < folder
This is a differant BFU script than we used before
You already have the bfu program and the bfu folder created so skip that part
Make a new folder at this location,
C:\ called "BFU"
Download Brute Force Uninstaller. By Merijn author of Hijackthis.
http://www.merijn.org/files/bfu.zip
Unzip it to it’s own folder (c:\BFU)
Doubleclick on BFU.exe, Click the round green icon (open script URL)
copy then paste in
http://metallica.geekstogo.com/p2pnetwork.bfu
Press execute and let it do it’s job.
Wait for the complete script execution box to popup and press OK.
If the script is really executed you should have seen a progress bar.
Press exit to exit the BFU program.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
Keep us informed
confusionsays
2006-01-24, 22:08
LONNY,
Managed to delete all the files.
I downloaded Brute, and ran it properly this time. It did all the things it was supposed to do.
LonnyRJones
2006-01-25, 05:47
Great ;)
Are there any problems now ?
Hello, this topic will now be archived to prevent others with similar issues posting in it. :)
If you need it re-opened please pm me or Lonny.
Cheers.