Help with Smitfraud and ??



kenbeuken
2007-07-29, 20:23
Been having a lot of trouble with this. Spent about 24 hours now working on it and have not got anywhere. Here is a HJT log. I also am having trouble accessing some websites on the computer in question (such as Combofix). Don't know what that has to do with this.

Logfile of HijackThis v1.99.1
Scan saved at 12:48:37 PM, on 7/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\System32\drvsag.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\ylcsrdpn.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
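
A log like the one above can be triaged mechanically before a human reads it line by line. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from any of the fix utilities mentioned here. It applies a handful of defender-side heuristics to HijackThis entry lines: unnamed BHOs loaded from System32, rundll32 logon entries pointing into System32, a system process name started from a user profile, a populated AppInit_DLLs value, Winlogon Notify DLLs, services with no owner string, and O17 NameServer values that were not issued by DHCP. The sample lines are copied from the logs in this thread; the DHCP resolver list (10.3.0.2, 10.3.0.3, 68.13.16.30) is taken from the SmitFraudFix report posted later in the thread. Function names are the example's own. A hit is a prompt to look closer, not a verdict; legitimate entries (some vendor rundll32 entries, Microsoft's own Winlogon Notify DLLs) will trip the same rules.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FE1E84C-157C-4752-AFFE-9649A0B34B6C} - C:\WINNT\System32\vtsqr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\ylcsrdpn.dll",sitypnow
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: vtsqr - C:\WINNT\System32\vtsqr.dll
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Resolvers handed out by DHCP, as listed in the SmitFraudFix report in this thread.
DHCP_NAMESERVERS = {"10.3.0.2", "10.3.0.3", "68.13.16.30"}

# Core Windows process names; one of these starting from a user profile is a red flag.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

SYSTEM32_MARKER = "\\system32\\"


def split_entry(line):
    """Split 'O4 - rest' into ('O4', 'rest'); return None for non-entry lines."""
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(section, rest, dhcp_nameservers=DHCP_NAMESERVERS):
    """Return the list of heuristic reasons this entry deserves review (empty if none)."""
    reasons = []
    low = rest.lower()
    if section == "O2" and "(no name)" in low and SYSTEM32_MARKER in low:
        reasons.append("unnamed BHO loaded from the system directory")
    if section == "O4":
        if "rundll32.exe" in low and SYSTEM32_MARKER in low:
            reasons.append("rundll32 loading a DLL from the system directory at logon")
        exe = re.search(r"([\w~.-]+\.exe)", low)
        if exe and exe.group(1) in SYSTEM_PROCESS_NAMES and SYSTEM32_MARKER not in low:
            reasons.append(f"system process name {exe.group(1)} started from outside the system directory")
    if section == "O17":
        m = re.search(r"NameServer\s*=\s*([\d. ,]+)", rest)
        if m:
            for ip in re.split(r"[ ,]+", m.group(1).strip()):
                if ip and ip not in dhcp_nameservers:
                    reasons.append(f"NameServer {ip} not among the DHCP-issued resolvers")
    if section == "O20":
        if low.startswith("appinit_dlls:") and rest.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs set: DLL injected into every process that loads user32.dll")
        elif low.startswith("winlogon notify:"):
            reasons.append("Winlogon Notify DLL runs inside winlogon: check against known-good entries")
    if section == "O23" and re.search(r"\s-\s-\s", rest):
        reasons.append("service with no owner/company string")
    return reasons


def triage(log_text, dhcp_nameservers=DHCP_NAMESERVERS):
    """Return {raw entry line: [reasons]} for every entry that trips a heuristic."""
    hits = {}
    for line in log_text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        reasons = flag_entry(*entry, dhcp_nameservers=dhcp_nameservers)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == "__main__":
    for entry_line, why in triage(SAMPLE_HJT_LOG).items():
        print(entry_line)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the Adobe BHO, the QuickTime Run entry and the Google service pass untouched, while the seven remaining lines come back with a reason each; feeding a full log through `triage()` gives a reviewer a short list to start from instead of eighty lines of equal weight.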

steamwiz
2007-07-29, 20:34
Hi

Please rename the hijackthis.exe file to problems.exe then run it again & post a new log...

steam

kenbeuken
2007-07-29, 20:56
Was just doing that when you posted. I am having to try to email logs to a different computer because the problem one can't seem to find this URL for some reason, and it is taking some time. Also, I have been trying to run an online virus scan, but am not getting anywhere. Here is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:36 PM, on 7/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D154ED9-A44E-8595-1A64-888DB126879F} - C:\WINNT\System32\ecko.dll
O2 - BHO: (no name) - {1FE1E84C-157C-4752-AFFE-9649A0B34B6C} - C:\WINNT\System32\vtsqr.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\System32\yayvstt.dll
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\System32\drvsag.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\ylcsrdpn.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll

O20 - Winlogon Notify: vtsqr - C:\WINNT\System32\vtsqr.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O20 - Winlogon Notify: yayvstt - C:\WINNT\SYSTEM32\yayvstt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

kenbeuken
2007-07-30, 17:22
Just wanted to add that it appears that I have Virtumonde as well.

kenbeuken
2007-07-30, 19:41
I have run Spybot 4 or 5 times, and deleted some files that seemed malicious and am getting much better results. The only problem Spybot found this last time was Virtumonde and it said it was able to fix it. However, I did just get one pop up. I have not restarted the computer because I read that that may reignite the whole problem. Also, I have not tried running IE because that seemed to cause issues also. I will wait for someone to respond before doing anything else.

Am I doing everything correct here? Don't want to sound unhappy or like I'm impatient. I just see other people getting answers, while some are not. Just not sure how this works.

I will post a new HJT log since I have changed some stuff.

steamwiz
2007-07-30, 20:59
Hi



Am I doing everything correct here? Don't want to sound unhappy or like I'm impatient. I just see other people getting answers, while some are not. Just not sure how this works.


I'm afraid I can only answer when I am on-line ... I'm probably in a different timezone to you...


your Running processes: are very slim .. are you running hijackthis from safe mode ? .. if you are, then we need to see it run from normal mode, so that we can see what is actually running...

You have several different infections ...



Spent about 24 hours now working on it and have not got anywhere


What programs have you run, apart from spybot ?

---
Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix)
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and post the contents in your next post here...

THEN...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix until it gives you the message "no infected files were found"

steam

Please remember to post :-

1. C:\rapport.txt file
2. C:\vundofix.txt
3. a new HiJackThis log (taken after running vundofix)

steam

kenbeuken
2007-07-30, 21:23
Thank you for the reply. The problem I seem to be having is that the bug I have seems to know all of the URLs for fixing my problem and have them blocked. I try to go to the SmitfraudFix site, and it just says it is unable to connect to that site. Same is true of some other sites I tried to connect to yesterday (Combofix). Any suggestions?

kenbeuken
2007-07-30, 22:00
I was able to get the smitfraud tool working the old fashioned way. (Floppy Disk) Here is the Rapport log:

SmitFraudFix v2.207

Scan done at 14:41:41.78, Mon 07/30/2007
Run from C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\lsltfyvd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\ld???.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken\Application Data

C:\WINNT\Profiles\Ken\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Profiles\Ken\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\rtenefs.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINNT/Profiles/Ken/LOCALS~1/Temp/msohtml1/03/clip_image001.gif"
"SubscribedURL"="file:///C:/WINNT/Profiles/Ken/LOCALS~1/Temp/msohtml1/03/clip_image001.gif"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\winnt\\system32\\ldcore.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 194.54.x.x detected !

Description: Intel(R) PRO/100 VM Network Connection
DNS Server Search Order: 194.54.90.226

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
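
The DNS section of the report above is the useful part for the "can't reach the fix sites" symptom: for each interface key the tool lists what DHCP handed out (DhcpNameServer) next to the static NameServer actually in use, and the static one points at a resolver outside the DHCP set. The Python below is an added example written for this page, not part of the thread or of SmitFraudFix; it reproduces that comparison on the report's own text and also reviews the hosts section, since a hosts-file entry is the other common way a machine is kept away from update and vendor sites. The DNS lines are copied from the report; the hosts entry for updates.example.invalid is constructed to show what a redirected entry looks like (the real report showed only the localhost line); the 194.54. prefix is the range the report itself called out. Function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the hosts and DNS sections in the SmitFraudFix report format.
# The DNS lines are copied from the report; the updates.example.invalid hosts
# entry is constructed to exercise the hosts check.
SAMPLE_RAPPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 updates.example.invalid

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Resolver range the report itself flagged; extend from your own intelligence.
KNOWN_HIJACK_PREFIXES = ("194.54.",)

# The only hosts entries a clean Windows hosts file needs.
EXPECTED_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

DNS_LINE = re.compile(
    r"^(HKLM\\SYSTEM\\\w+\\Services\\Tcpip\\[^:]*):\s*(DhcpNameServer|NameServer)=(.*)$")


def split_sections(text):
    """Group report lines under their »»» section headers: {name: [lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = re.match(r"^»+\s*(.+?)\s*$", line)
        if header:
            current = header.group(1)
            continue
        if current and line.strip():
            sections[current].append(line.strip())
    return sections


def check_dns(dns_lines):
    """For each registry key, report static resolvers that DHCP did not issue."""
    per_key = defaultdict(dict)
    for line in dns_lines:
        m = DNS_LINE.match(line)
        if m:
            key, kind, value = m.groups()
            per_key[key][kind] = set(value.split())
    findings = []
    for key, values in per_key.items():
        static = values.get("NameServer", set())
        dhcp = values.get("DhcpNameServer", set())
        for ip in sorted(static - dhcp):
            why = "static resolver not issued by DHCP"
            if ip.startswith(KNOWN_HIJACK_PREFIXES):
                why += "; in a range previously seen used for DNS hijacking"
            findings.append((key, ip, why))
    return findings


def check_hosts(hosts_lines):
    """Report every hosts mapping other than the expected loopback entries."""
    findings = []
    for line in hosts_lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            if (ip, name) not in EXPECTED_HOSTS:
                findings.append((ip, name))
    return findings


def analyse(report_text):
    """Run both checks over a SmitFraudFix-style report."""
    sections = split_sections(report_text)
    return {"dns": check_dns(sections.get("DNS", [])),
            "hosts": check_hosts(sections.get("hosts", []))}


if __name__ == "__main__":
    result = analyse(SAMPLE_RAPPORT)
    for key, ip, why in result["dns"]:
        print(f"DNS  {key}: {ip} ({why})")
    for ip, name in result["hosts"]:
        print(f"HOSTS {name} -> {ip}")
```

On the sample the CCS and CS1 keys each produce one finding for 194.54.90.226, the Parameters key (DHCP entry only) produces none, and the hosts check returns the constructed redirect and nothing else. The same `check_dns()` keyed comparison is what to run again after a fix, since the report shows the static NameServer present in several control sets and a cleanup that touches only CurrentControlSet leaves it in CS1/CS2.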

steamwiz
2007-07-30, 22:07
Hi

Combofix is another program I will be getting you to run...

Please post the contents of your HOSTS file...

C:\WINDOWS\system32\drivers\etc\HOSTS

Open the file in notepad and copy & paste the contents in your next thread...

Also try to run this ( it will at least remove 2 of the active vundo trojans)

1. Please download VirtumundoBegone, and save it to your desktop.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Double-click on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

3. When the process finishes, reboot.

4. Post the contents of the VBG.TXT file, which you will find on your desktop

steam

kenbeuken
2007-07-30, 22:07
VundoFix Log:

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:57:10 PM 7/30/2007

Listing files found while scanning....

C:\WINNT\System32\rqstv.bak1
C:\WINNT\System32\rqstv.bak2
C:\WINNT\System32\rqstv.ini
C:\WINNT\System32\vtsqr.dll

Beginning removal...

Attempting to delete C:\WINNT\System32\rqstv.bak1
C:\WINNT\System32\rqstv.bak1 Has been deleted!

Attempting to delete C:\WINNT\System32\rqstv.bak2
C:\WINNT\System32\rqstv.bak2 Has been deleted!

Attempting to delete C:\WINNT\System32\rqstv.ini
C:\WINNT\System32\rqstv.ini Has been deleted!

Attempting to delete C:\WINNT\System32\vtsqr.dll
C:\WINNT\System32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!

kenbeuken
2007-07-30, 22:09
New HJT Log: (yeah, the last one was from safemode)

Logfile of HijackThis v1.99.1
Scan saved at 3:05:52 PM, on 7/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\system32\??curity\?explore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINNT\System32\yayvstt.dll
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O20 - Winlogon Notify: yayvstt - C:\WINNT\SYSTEM32\yayvstt.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

steamwiz
2007-07-30, 22:10
Hi

I've just seen your last post...

1. Reboot into >>>safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam

steamwiz
2007-07-30, 22:20
OK... We're both posting at the same time...

follow the instructions in post #12 RE: smitfraudfix

& post #9 RE: VirtumundoBegone

kenbeuken
2007-07-30, 22:26
Here is the new Rapport.txt. That is very interesting about the process kill...

SmitFraudFix v2.207

Scan done at 15:16:19.76, Mon 07/30/2007
Run from C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\ld???.tmp Deleted
C:\WINNT\Profiles\Ken\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer=205.188.146.145
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
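
In the DNS section of this report, interface {2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07} receives 10.3.0.2 10.3.0.3 68.13.16.30 from DHCP but also carries a static NameServer of 194.54.90.226 in every control set. Windows uses the static NameServer value in preference to the DHCP lease, so a static resolver that is not one of the DHCP-assigned ones is the classic footprint of a DNS-changing trojan, and it would also explain why security sites cannot be reached from this machine (an inference from the log, not something the thread states). The second interface, {1A94FFB9-1A2D-4889-952E-25104A7E7AAF}, has a static resolver but no lease to compare it against, so it needs a manual check. The script below is an added example and not part of SmitFraudFix: it parses the hosts and DNS sections of a rapport.txt and reports such overrides. The sample report is constructed from the lines posted above; the hijacked hosts snippet is invented to show what the other common trick, sinkholing update and AV sites through the hosts file, looks like to the same parser.

```python
"""Read the hosts and DNS sections of a SmitFraudFix rapport.txt and flag
resolver hijacks.  Added example for this thread; not part of SmitFraudFix."""
import re
from collections import defaultdict

DNS_LINE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+):\s*"
    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$", re.I)


def sections(report):
    """Split rapport.txt into {section name: [non-blank lines]} on its '»»»» Name' headers."""
    out, current = {}, None
    for line in report.splitlines():
        if line.startswith("»"):
            current = line.lstrip("»").strip()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.strip())
    return out


def hosts_anomalies(report):
    """hosts entries other than loopback 'localhost'; a hosts blocklist that
    sinkholes AV and update sites is a common part of these infections."""
    bad = []
    for line in sections(report).get("hosts", []):
        parts = line.split()
        if line.startswith("#") or len(parts) < 2:
            continue
        if parts[0] not in ("127.0.0.1", "::1") or any(n.lower() != "localhost" for n in parts[1:]):
            bad.append(line)
    return bad


def dns_table(report):
    """{(control set, interface GUID or 'Parameters'): {'dhcp': [...], 'static': [...]}}"""
    table = defaultdict(lambda: {"dhcp": [], "static": []})
    for line in sections(report).get("DNS", []):
        m = DNS_LINE.match(line)
        if m:
            slot = "dhcp" if m["key"].lower() == "dhcpnameserver" else "static"
            table[(m["cset"].upper(), m["scope"])][slot] = m["servers"].split()
    return dict(table)


def dns_overrides(report):
    """Interfaces whose static NameServer is not one the DHCP lease handed out.
    The static value wins over DhcpNameServer, so this is where a resolver
    hijack hides; 'comparable' is False when there is no lease to check against."""
    hits = []
    for (cset, scope), v in sorted(dns_table(report).items()):
        rogue = [s for s in v["static"] if s not in v["dhcp"]]
        if rogue:
            hits.append({"control_set": cset, "scope": scope, "dhcp": v["dhcp"],
                         "static_not_in_dhcp": rogue, "comparable": bool(v["dhcp"])})
    return hits


# Constructed sample: the hosts and DNS sections of the rapport.txt posted above
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer=205.188.146.145
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer=194.54.90.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.3.0.2 10.3.0.3 68.13.16.30

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed (invented) hosts section showing what a sinkholed entry looks like
HIJACKED_HOSTS = "»»»»»»»» hosts\n127.0.0.1 localhost\n127.0.0.1 update.example.com\n»»»»»»»» End\n"

if __name__ == "__main__":
    for hit in dns_overrides(SAMPLE_REPORT):
        print(hit)
    print("hosts anomalies:", hosts_anomalies(SAMPLE_REPORT))
```

Run against the report above it lists four overrides: the {2FD7F9D9-...} interface in CCS, CS1 and CS2 with 194.54.90.226 outside the lease, and {1A94FFB9-...} in CS2 with 205.188.146.145 and nothing to compare against. The global Parameters key only carries DhcpNameServer here and is not reported. The clean hosts section returns no anomalies, which matches the "127.0.0.1 localhost" line in the report.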

kenbeuken
2007-07-30, 22:27
Post 14 was in reply to post 12. I will get to work on post 9 now.

kenbeuken
2007-07-30, 22:42
I cannot get the Hosts file to open. It says "C:\WINNT\system32\drivers\etc\HOSTS is not a valid WIN32 application".

Here is the VBG log:

[07/30/2007, 15:31:20] - VirtumundoBeGone v1.5 ( "C:\WINNT\Profiles\Ken\Desktop\VirtumundoBeGone.exe" )
[07/30/2007, 15:31:28] - Detected System Information:
[07/30/2007, 15:31:28] - Windows Version: 5.1.2600,
[07/30/2007, 15:31:28] - Current Username: Ken (Admin)
[07/30/2007, 15:31:28] - Windows is in NORMAL mode.
[07/30/2007, 15:31:28] - Searching for Browser Helper Objects:
[07/30/2007, 15:31:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:28] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:28] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:28] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:28] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:29] - BHO 4: {3964D8D6-86D0-493A-B460-A805B5401114} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\yayvstt
[07/30/2007, 15:31:29] - Found: HKLM\...\Winlogon\Notify\yayvstt - This is probably Virtumundo.
[07/30/2007, 15:31:29] - Assigning {3964D8D6-86D0-493A-B460-A805B5401114} MSEvents Object
[07/30/2007, 15:31:29] - BHO list has been changed! Starting over...
[07/30/2007, 15:31:29] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:29] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:29] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:29] - BHO 4: {3964D8D6-86D0-493A-B460-A805B5401114} (MSEvents Object)
[07/30/2007, 15:31:29] - ALERT: Found MSEvents Object!
[07/30/2007, 15:31:29] - BHO 5: {467003B0-84EB-49B2-A984-1EE783548311} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mesowifym83122
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mesowifym83122, continuing.
[07/30/2007, 15:31:29] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/30/2007, 15:31:29] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/30/2007, 15:31:29] - BHO 8: {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mesowifym4
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mesowifym4, continuing.
[07/30/2007, 15:31:29] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:31:29] - BHO 10: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:31:29] - BHO 11: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/30/2007, 15:31:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:29] - Checking for HKLM\...\Winlogon\Notify\mnuoqcta
[07/30/2007, 15:31:29] - Key not found: HKLM\...\Winlogon\Notify\mnuoqcta, continuing.
[07/30/2007, 15:31:29] - BHO 12: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
[07/30/2007, 15:31:29] - Finished Searching Browser Helper Objects
[07/30/2007, 15:31:29] - *** Detected MSEvents Object
[07/30/2007, 15:31:29] - Trying to remove MSEvents Object...
[07/30/2007, 15:31:30] - Terminating Process: IEXPLORE.EXE
[07/30/2007, 15:31:30] - Terminating Process: RUNDLL32.EXE
[07/30/2007, 15:31:31] - Disabling Automatic Shell Restart
[07/30/2007, 15:31:31] - Terminating Process: EXPLORER.EXE
[07/30/2007, 15:31:31] - Suspending the NT Session Manager System Service
[07/30/2007, 15:31:31] - Terminating Windows NT Logon/Logoff Manager
[07/30/2007, 15:31:35] - Re-enabling Automatic Shell Restart
[07/30/2007, 15:31:35] - File to disable: C:\WINNT\System32\yayvstt.dll
[07/30/2007, 15:31:35] - Renaming C:\WINNT\System32\yayvstt.dll -> C:\WINNT\System32\yayvstt.dll.vir
[07/30/2007, 15:31:36] - File successfully renamed!
[07/30/2007, 15:31:36] - Removing HKLM\...\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Removing HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Adding Kill Bit for ActiveX for GUID: {3964D8D6-86D0-493A-B460-A805B5401114}
[07/30/2007, 15:31:36] - Deleting ATLEvents/MSEvents Registry entries
[07/30/2007, 15:31:36] - Removing HKLM\...\Winlogon\Notify\yayvstt
[07/30/2007, 15:31:36] - Searching for Browser Helper Objects:
[07/30/2007, 15:31:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/30/2007, 15:31:36] - BHO 2: {10491D8B-A117-8C9F-1A64-888DB1268499} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\vbqmjn
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\vbqmjn, continuing.
[07/30/2007, 15:31:36] - BHO 3: {332C5C46-0D5B-45B8-B730-6C1032BAF045} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\vtsqr
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\vtsqr, continuing.
[07/30/2007, 15:31:36] - BHO 4: {467003B0-84EB-49B2-A984-1EE783548311} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mesowifym83122
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mesowifym83122, continuing.
[07/30/2007, 15:31:36] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[07/30/2007, 15:31:36] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/30/2007, 15:31:36] - BHO 7: {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mesowifym4
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mesowifym4, continuing.
[07/30/2007, 15:31:36] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/30/2007, 15:31:36] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/30/2007, 15:31:36] - BHO 10: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/30/2007, 15:31:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/30/2007, 15:31:36] - Checking for HKLM\...\Winlogon\Notify\mnuoqcta
[07/30/2007, 15:31:36] - Key not found: HKLM\...\Winlogon\Notify\mnuoqcta, continuing.
[07/30/2007, 15:31:36] - BHO 11: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
[07/30/2007, 15:31:36] - Finished Searching Browser Helper Objects
[07/30/2007, 15:31:36] - Finishing up...
[07/30/2007, 15:31:36] - A restart is needed.
[07/30/2007, 15:31:49] - Attempting to Restart via STOP error (Blue Screen!)

kenbeuken
2007-07-30, 22:44
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:42 PM, on 7/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe
C:\WINNT\system32\??curity\?explore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\System32\qwerty12.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)
O2 - BHO: (no name) - {467003B0-84EB-49B2-A984-1EE783548311} - C:\Program Files\Toshiba\mesowifym83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A21ACCE7-9D5D-434A-A69F-42FF1F44216B} - C:\Program Files\Toshiba\mesowifym4.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A94FFB9-1A2D-4889-952E-25104A7E7AAF}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

kenbeuken
2007-07-30, 23:02
One thing I keep noticing is a popup from the toolbar by the clock saying that Windows has detected spyware and suggests I download software to fix it. It is there with a red circle with white "X" icon. It also keeps wanting me to install some kind of ActiveX controller which I cancel. Also I still cannot get on sites like this one from that computer. The malware is killing the process.

steamwiz
2007-07-30, 23:35
HI

You still have a lot of malware running ... if I'd asked you to run 10 programs at once, it would have been overwhelming & we would have both got lost ... but we are getting rid of it, a bit at a time...

I want you to run 2 more programs please ... get the floppy ready...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode:-

Reboot into >>>safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

4. Once in Safe Mode - Start HijackThis, close all open windows leaving only HijackThis running. Place a check against :-

O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {332C5C46-0D5B-45B8-B730-6C1032BAF045} - C:\WINNT\System32\vtsqr.dll (file missing)

O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\System32\mnuoqcta.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll

O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow

O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe

O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winilc32 - C:\WINNT\SYSTEM32\winilc32.dll

O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe

O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe


5. Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked.

6. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-------------------
Then please try to run Combofix :-

Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

It's getting late & I have to be up early in the morning, so I'll check your new logs tomorrow...
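
The entries the helper singled out above share a handful of patterns: BHOs with no name or a keyboard-mash DLL name under System32, autoruns launched from a user profile or dropped straight into C:\WINNT, a system-process name (smss.exe) running from the wrong place, a path obscured with non-printable characters, AppInit_DLLs and Winlogon Notify hooks, and services with no vendor string. The script below is an added example and not HijackThis' own code: it encodes those patterns as heuristics over HijackThis 1.99.x log lines. The rules are my assumptions modelled on the helper's selection, the sample lines are taken from the log posted above, and the output is a review queue rather than a verdict, so anything it flags still needs a look before Fix Checked. Note that "(no name)" alone is not enough, since Spybot's SDHelper.dll also shows up unnamed, which is why that rule also requires the DLL to live under the Windows directory.

```python
"""HijackThis 1.99.x log triage (added example, not HJT code; rules are assumptions)."""
import re

WINDIR = re.compile(r"^(?:%systemroot%|[a-z]:\\win(?:nt|dows))(?:\\|$)", re.I)  # C:\WINNT here
PROFILE_DIR = re.compile(r"\\(?:profiles|documents and settings|users|temp)\\", re.I)
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def stem(path):
    """Last path component without its extension (also drops a '(file missing)' suffix)."""
    return re.sub(r"\.[^.]*$", "", path.rstrip("\\").rsplit("\\", 1)[-1])


def in_windows_root(path):
    """True if the file sits directly in the Windows directory, not in a subfolder."""
    m = WINDIR.match(path)
    return m is not None and "\\" not in path[m.end():]


def looks_random(name):
    """Keyboard-mash test on 5+ letters: a run of 4+ consonants or almost no vowels."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return longest >= 4 or sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def command_target(cmd):
    """File a Run/Startup command really loads: drop quotes and args, unwrap rundll32."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    if len(tokens) > 1 and stem(tokens[0]).lower() == "rundll32":
        return tokens[1].split(",")[0]
    return tokens[0] if tokens else ""


def check_o2(rest):
    """'NAME - {CLSID} - PATH': unnamed or random-named BHO DLLs under the Windows dir."""
    head, path = rest.rsplit(" - ", 1)
    name, path = head.split(" - ")[0].strip(), path.replace(" (file missing)", "")
    if WINDIR.match(path) and (name == "(no name)" or looks_random(stem(path))):
        return "BHO in the Windows directory with no name or a random-looking DLL name"


def check_o4(cmd):
    """Autorun command: hidden paths, masquerading names, profile or WINNT-root drops."""
    target = command_target(cmd)
    base = target.rsplit("\\", 1)[-1].lower()
    if "?" in target or re.search(r"[^\x20-\x7e]", target):
        return "obfuscated path ('?' or non-printable characters hide the real name)"
    if base in SYSTEM_NAMES and not re.search(r"\\system32\\" + re.escape(base) + "$", target, re.I):
        return "system-process name running from the wrong directory"
    if PROFILE_DIR.search(target):
        return "autorun launched from a user profile or temp directory"
    if in_windows_root(target):
        return "unknown file dropped directly in the Windows directory"
    if WINDIR.match(target) and looks_random(stem(target)):
        return "random-looking file name in the Windows directory"


def check_o23(rest):
    """'NAME - COMPANY - PATH'; HJT prints 'NAME - - PATH' when the vendor field is empty."""
    parts = rest.split(" - ")
    company, path = " - ".join(parts[1:-1]), parts[-1]
    if path.startswith("- "):
        company, path = "", path[2:]
    if not company:
        return "service with no vendor string"
    if company == "Unknown owner" and (in_windows_root(path) or looks_random(stem(path))):
        return "service with unknown owner and a suspicious image path"


def triage(log_text):
    """Return [(log line, reason)] for every entry the heuristics flag."""
    findings = []
    for raw in log_text.splitlines():
        line, reason = raw.strip(), None
        if line.startswith("O2 - BHO: "):
            reason = check_o2(line[10:])
        elif line.startswith("O4 - "):
            sep = "] " if "Run: [" in line else " = "
            if sep in line:
                reason = check_o4(line.split(sep, 1)[1])
        elif line.startswith("O17 - ") and " NameServer = " in line:
            reason = "static DNS server in the registry; confirm it is the ISP/DHCP resolver"
        elif line.startswith("O20 - "):
            reason = "AppInit_DLLs / Winlogon Notify hook, loaded into every process or winlogon"
        elif line.startswith("O23 - Service: "):
            reason = check_o23(line[15:])
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: a selection of lines from the HijackThis log posted above
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {10491D8B-A117-8C9F-1A64-888DB1268499} - C:\WINNT\System32\vbqmjn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hkmheepA] C:\WINNT\hkmheepA.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINNT\System32\wuhrtxmw.dll",sitypnow
O4 - HKCU\..\Run: [Adab] "C:\WINNT\Profiles\Ken\MYDOCU~1\TSKS~1\smss.exe" -vt ndrv
O4 - HKCU\..\Run: [Oniswr] C:\WINNT\system32\??curity\?explore.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\System32\qwerty12.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
"""
```

Run on the sample it flags ten of the thirteen lines and leaves alone the three that the helper also left alone: Spybot's SDHelper.dll (unnamed, but in Program Files), the KernelFaultCheck dumprep entry (System32, ordinary name) and the ATI HotKey Poller service (unknown owner, but a normal name in System32). The vendor field is the weak spot of the O23 rule: a trojan that fills in a plausible company string would slip past it, which is one more reason the output is a queue for a human and not a fix list.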

kenbeuken
2007-07-31, 19:06
I'm having trouble getting SD installed. It looks like the kill function is working on that program now. Had it on the desktop, but when I double-clicked it, it just disappeared??

kenbeuken
2007-07-31, 21:27
OK, I got SDFIX to install by running it from safe mode. Here is the log for SDFIX:

SDFix: Version 1.94

Run by Ken on Tue 07/31/2007 at 02:04 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService

ImagePath:
C:\WINNT\System32\qwerty12.exe /service

DomainService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\D.EXE - Deleted
C:\142553~1 - Deleted
C:\TEMP\stdrun1.exe - Deleted
C:\TEMP\stdrun3.exe - Deleted
C:\TEMP\stdrun4.exe - Deleted
C:\TEMP\stdrun5.exe - Deleted
C:\TEMP\stdrun9.exe - Deleted
C:\TEMP\stdrun6.exe~ - Deleted
C:\TEMP\stdrun8.exe~ - Deleted
C:\WINNT\Profiles\Ken\Application Data\Install.dat - Deleted
C:\WINNT\Profiles\Ken\Application Data\.rdr.ini - Deleted
C:\WINNT\b122.exe - Deleted
C:\WINNT\csrss.exe - Deleted
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\WINNT\system32\ldinfo.ldr - Deleted
C:\WINNT\system32\qwerty12.exe - Deleted
C:\WINNT\tcb.pmw - Deleted
C:\WINNT\wr.txt - Deleted


Folder C:\WINNT\system32\b06FdUe - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\System32\\qwerty12.exe"="C:\\WINNT\\System32\\qwer"
"C:\\TEMP\\win1F9.tmp.exe"="C:\\TEMP\\win1F9.tmp.exe:*:Enabled:win1F9.tmp"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\WINNT\system32\??curity\?explore.exe
C:\WINNT\system32\1E9308E591.sys
C:\WINNT\system32\KGyGaAvL.sys
C:\WINNT\Profiles\Ken\My Documents\~WRL3016.tmp
C:\WINNT\system32\BIT84.tmp
C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished

kenbeuken
2007-07-31, 21:41
ComboFix Log:

ComboFix 07-07-30.2 - "Ken" 2007-07-31 14:24:42.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awtqqnn.dll
C:\WINNT\system32\efebx.dll
C:\WINNT\system32\khfef.dll
C:\WINNT\system32\ljjkjii.dll
C:\WINNT\system32\nnnmjij.dll
C:\WINNT\system32\nnnmlii.dll
C:\WINNT\system32\nnnnmkj.dll
C:\WINNT\system32\opnonml.dll
C:\WINNT\system32\vturpmk.dll
C:\WINNT\system32\yaywvvw.dll
C:\WINNT\system32\lsltfyvd.exe
C:\WINNT\system32\xbefe.bak1
C:\WINNT\system32\xbefe.ini
C:\WINNT\system32\fefhk.bak1
C:\WINNT\system32\fefhk.ini
C:\WINNT\system32\urqnkif.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\spamblockerutility
C:\Program Files\spamblockerutility\bin\4.8.4.0\SpamBlockerUtility.exe
C:\Program Files\Toshiba\mesowifym4.dll
C:\Program Files\Toshiba\mesowifym83122.dll
C:\Program Files\ystem~1
C:\WINNT\dls0523pmw.exe
C:\WINNT\hkmheep.exe
C:\WINNT\Profiles\ADMINI~1\APPLIC~1\install.dat
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\WINNT\Profiles\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\WINNT\Profiles\Ken\APPLIC~1.\winantispyware 2007
C:\WINNT\Profiles\Ken\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\WINNT\Profiles\Ken\MYDOCU~1.\tsks~1
C:\WINNT\rau001978.exe
C:\WINNT\system32\b02FdUe
C:\WINNT\system32\b02FdUe\b02FdUe1065.exe
C:\WINNT\system32\config\systemprofile\application data\.rdr.ini
C:\WINNT\system32\curity~1
C:\WINNT\system32\curity~1\?explore.exe
C:\WINNT\system32\drivers\fopn.sys
C:\WINNT\system32\fllhrxun.exe
C:\WINNT\system32\G1
C:\WINNT\system32\G1\kmhp83122.exe
C:\WINNT\system32\G11
C:\WINNT\system32\G11\z553.exe
C:\WINNT\system32\G3
C:\WINNT\system32\G3\wr725.exe
C:\WINNT\system32\G7
C:\WINNT\system32\rxpqxkpr.exe
C:\WINNT\system32\win
C:\WINNT\system32\winnb58.dll
C:\WINNT\system32\wnsintisv32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:19 16,384 --a----t- C:\TEMP\Perflib_Perfdata_62c.dat
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 15:57 93,696 --a------ C:\WINNT\system32\drvjax.dll
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-30 02:47 126,016 --a------ C:\WINNT\system32\wuhrtxmw.dll
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 14:59 93,696 --a------ C:\WINNT\system32\drvtop.dll
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-29 02:58 126,016 --a------ C:\WINNT\system32\ylcsrdpn.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 23:15 93,696 --a------ C:\WINNT\system32\drvsag.dll
2007-07-28 21:38 93,696 --a------ C:\WINNT\system32\drvsun.dll
2007-07-28 17:21 9,769 --a------ C:\WINNT\tfjjp0578.exe
2007-07-28 17:21 19,968 --a------ C:\WINNT\system32\winilc32.dll
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR
2007-06-25 08:54 53,248 --a------ C:\WINNT\uni_eh44.exe
2007-06-25 08:53 53,248 --a------ C:\WINNT\uninst1014.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-29 19:08 --------- d-a------ C:\Program Files\Windows NT
2007-07-28 17:01 --------- d-------- C:\Program Files\MyWay
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys


Contents of the 'Scheduled Tasks' folder
2007-07-31 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 14:33:57
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31 14:35:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-31 14:34

--- E O F ---

kenbeuken
2007-07-31, 21:45
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 14:42, on 7/31/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

kenbeuken
2007-07-31, 23:13
Things seem to be a lot better for now, but I'll wait for an opinion from you to know what's going on. I did just run Spybot again and found the following:

AdRevolver
Advertising.com (4 Entries)
BlueStreak
DoubleClick
GoClick
MedialPlex
WebTrends live
Zedo

No Virtumonde or Smitfraud this time (which is good) but I've run Spybot before and had it not find those, only to have them come back. I did not fix these problems yet and will wait for you to tell me to do so, or to have some other way of attacking what is left.

Thanks for all your help so far!!

kenbeuken
2007-08-01, 18:23
Would all of this affect my Outlook? Seems I can look at incoming mail, but can't get any to go out... Haven't changed anything else.

steamwiz
2007-08-02, 00:01
HI

Looking a lot better

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINNT\system32\drvjax.dll
C:\WINNT\system32\wuhrtxmw.dll
C:\WINNT\system32\drvtop.dll
C:\WINNT\system32\ylcsrdpn.dll
C:\WINNT\system32\drvsag.dll
C:\WINNT\system32\drvsun.dll
C:\WINNT\tfjjp0578.exe
C:\WINNT\system32\winilc32.dll

Folder::
C:\TEMP




Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

-
They're just cookies which Spybot found ... you can run spybot again & let it delete them...

-
Then do this :-

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

Don't forget to post the combofix log

steam
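The CFScript format steamwiz describes above has strict layout rules (the section header on line 1, no blank line above it, no leading space). The following Python helper is an added example, not part of the thread or of ComboFix itself: it renders a script from a dict of sections and checks an existing script for those layout mistakes. The function names, the `KNOWN_SECTIONS` list and the sample paths are assumptions made for this example; it does not run ComboFix.

```python
"""Build and validate a ComboFix CFScript.txt (added example, not from the thread).

Assumed rules, taken from the instructions in the thread:
  * the first section header (e.g. File::) must be on line 1,
  * no blank line above it and no whitespace in front of it,
  * entries are absolute Windows paths listed under their section.
"""
from typing import Dict, List

# Section headers used in the thread's script (hypothetical allow-list for this example).
KNOWN_SECTIONS = ("File::", "Folder::")


def build_cfscript(sections: Dict[str, List[str]]) -> str:
    """Render sections in insertion order; the first header lands on line 1."""
    lines: List[str] = []
    for header, entries in sections.items():
        if header not in KNOWN_SECTIONS:
            raise ValueError(f"unknown section header: {header!r}")
        if lines:
            lines.append("")  # one blank line between sections
        lines.append(header)
        lines.extend(e.strip() for e in entries)
    # Notepad-style CRLF endings, no BOM.
    return "\r\n".join(lines) + "\r\n"


def validate_cfscript(text: str) -> List[str]:
    """Return a list of layout problems; an empty list means the script is well formed."""
    problems: List[str] = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM; save as plain text")
        text = text[1:]
    lines = text.splitlines()
    if not lines or lines[0] == "":
        problems.append("blank line above the first section header")
    elif lines[0] != lines[0].lstrip():
        problems.append("leading whitespace before the first section header")
    elif lines[0].strip() not in KNOWN_SECTIONS:
        problems.append(f"first line must be a section header, got {lines[0]!r}")

    current = None
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if not s:
            continue
        if s in KNOWN_SECTIONS:
            current = s
            continue
        if current is None:
            problems.append(f"line {n}: entry before any section header")
        elif not (len(s) > 2 and s[1] == ":" and s[2] == "\\"):
            problems.append(f"line {n}: {s!r} is not an absolute drive path")
    return problems


def write_cfscript(path: str, sections: Dict[str, List[str]]) -> List[str]:
    """Write the script to disk and return any validation problems (should be [])."""
    text = build_cfscript(sections)
    with open(path, "w", newline="", encoding="ascii") as fh:
        fh.write(text)
    return validate_cfscript(text)


if __name__ == "__main__":
    # Constructed sample: the File:: and Folder:: entries from the post above.
    sample = {
        "File::": [r"C:\WINNT\system32\drvjax.dll", r"C:\WINNT\tfjjp0578.exe"],
        "Folder::": [r"C:\TEMP"],
    }
    print(build_cfscript(sample))
    print("problems:", validate_cfscript(build_cfscript(sample)))
```

Run `validate_cfscript` on the text you are about to save; the two failures it reports most often are exactly the ones the post warns about, a blank first line and a leading space before `File::`.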

kenbeuken
2007-08-02, 19:07
New ComboFix log:

ComboFix 07-07-30.2 - "Ken" 2007-08-02 11:47:22.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\TEMP
C:\WINNT\system32\drvjax.dll
C:\WINNT\system32\drvsag.dll
C:\WINNT\system32\drvsun.dll
C:\WINNT\system32\drvtop.dll
C:\WINNT\system32\winilc32.dll
C:\WINNT\system32\wuhrtxmw.dll
C:\WINNT\system32\ylcsrdpn.dll
C:\WINNT\tfjjp0578.exe


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-29 19:08 --------- d-a------ C:\Program Files\Windows NT
2007-07-28 17:01 --------- d-------- C:\Program Files\MyWay
2007-06-25 08:54 53248 --a------ C:\WINNT\uni_eh44.exe
2007-06-25 08:53 53248 --a------ C:\WINNT\uninst1014.exe
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-12-02 20:05 2522 --a------ C:\Program Files\func.js
2006-11-25 02:57 482 --a------ C:\Program Files\Del.js
2006-06-08 02:02 2048 --a------ C:\Program Files\func.exe
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-02 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 11:49:54
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 11:51:30
C:\ComboFix-quarantined-files.txt ... 2007-08-02 11:50
C:\ComboFix2.txt ... 2007-07-31 14:35

--- E O F ---

kenbeuken
2007-08-02, 19:08
New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04, on 8/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\explorer.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O13 - WWW. Prefix: http://
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162783581169
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\Software\..\Telephony: DomainName = cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cox.net
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
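Each round in this thread produces a fresh HijackThis log that has to be compared by eye with the previous one. The Python script below is an added example, not something from the thread or from HijackThis: it parses two logs into their sections, reports what was added or removed, and lists items a helper would normally double-check (O4 entries that name a bare executable resolved through PATH, O23 services whose file is missing, and O17 NameServer addresses, which should match the resolvers the ISP actually issues). The two embedded logs are constructed excerpts modelled on the posts above, and the function names are assumptions made for this example.

```python
"""Diff two HijackThis logs and list entries worth reviewing (added example)."""
import re
from typing import Dict, List, Set, Tuple

# HJT item codes: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed excerpt of an earlier log (before cleaning).
OLD_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
"""

# Constructed excerpt of a later log (after cleaning).
NEW_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\explorer.exe
C:\WINNT\Profiles\Ken\Desktop\HelpMe\problem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PROMon.exe] Promon.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}: NameServer = 194.54.90.226
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
"""


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Group a log into sections: 'process' for the running-process list,
    the HJT item code (O4, O17, ...) for everything else."""
    sections: Dict[str, Set[str]] = {"process": set()}
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            sections["process"].add(line.lower())  # NTFS paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), set()).add(line)
    return sections


def diff_hjt(old: str, new: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {section: (added, removed)} for every section that changed."""
    a, b = parse_hjt(old), parse_hjt(new)
    out: Dict[str, Tuple[List[str], List[str]]] = {}
    for sec in sorted(set(a) | set(b)):
        added = sorted(b.get(sec, set()) - a.get(sec, set()))
        removed = sorted(a.get(sec, set()) - b.get(sec, set()))
        if added or removed:
            out[sec] = (added, removed)
    return out


def nameservers(log: str) -> List[str]:
    """Resolver IPs from O17 NameServer entries (HJT lists several comma-separated)."""
    ips: List[str] = []
    for line in sorted(parse_hjt(log).get("O17", ())):
        m = re.search(r"NameServer = ([\d., ]+)", line)
        if m:
            ips.extend(ip.strip() for ip in m.group(1).split(",") if ip.strip())
    return ips


def review_items(log: str) -> List[str]:
    """Items a helper would verify by hand; a note is a prompt to check, not a verdict."""
    notes: List[str] = []
    sec = parse_hjt(log)
    for line in sorted(sec.get("O4", ())):
        target = line.split("] ", 1)[-1].strip().strip('"')
        if ":\\" not in target:  # bare filename: Windows resolves it through PATH
            notes.append(f"O4 target has no path, confirm which binary runs: {line}")
    for line in sorted(sec.get("O23", ())):
        if "(file missing)" in line:
            notes.append(f"service points at a missing file: {line}")
    for ip in nameservers(log):
        notes.append(f"O17 resolver {ip}: verify it is one your ISP issues")
    return notes


if __name__ == "__main__":
    for sec, (added, removed) in diff_hjt(OLD_LOG, NEW_LOG).items():
        print(f"[{sec}] +{len(added)} -{len(removed)}")
        for item in added:
            print("   +", item)
        for item in removed:
            print("   -", item)
    print("\n".join(review_items(NEW_LOG)))
```

Paste two full logs into `OLD_LOG` and `NEW_LOG` (or read them from files) to get the same summary; the O17 check only tells you which resolvers to compare against `ipconfig /all` on a known-good machine on the same ISP, it does not decide for you.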

kenbeuken
2007-08-02, 20:08
Seems pretty good. I am having trouble with opening certain files and functions in Windows. It seems that the computer cannot find the file "rundll32.exe". I tried to open the add/remove software to see if any of the added stuff like "free Online Dating", "Go To Casino", and "Find Spyware Remover" could be removed from there. That's when I received the error message.

I also am still having issues sending email from Outlook.

Thanks for all your help once again!

steamwiz
2007-08-02, 20:40
HI

I have no idea what is giving you the issues concerning sending email from Outlook... I was hoping removing all the malware would resolve this; if not, I'll see what I can come up with...

Go to > Start > Run > type appwiz.cpl & click OK ... does Add/remove programs open ?

Go to C:\WINNT\system32 folder ... do you see a "rundll32.exe" file ?



I tried to open the add/remove software to see if any of the added stuff like "free Online Dating", "Go To Casino", and "Find Spyware Remover" could be removed from there.


Where are you seeing this ? this is the first you've mentioned it ... I think ?

Run hijackthis ... click Open the Misc tools section

Click open uninstall manager

Click save list

Copy & paste the list in your next post here.

steam

kenbeuken
2007-08-02, 21:08
When I run appwiz.cpl I get an error message. It says appwiz.cpl is not a valid Win32 application. I also do not see it in the system32 folder. In fact, there is a blank spot on the screen where that file should be.

Those 3 programs are showing up on my desktop as shortcuts. They were there before and I deleted them. They stayed away for a while, but reappeared on one of the last reboots. Should I just delete them? Sorry I did not mention them before. I figured they were just part of the bigger problem.

Here is the uninstall list:

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AOL Uninstaller (Choose which Products to Remove)
ATI Control Panel
ATI Display Driver
ATI DVD Decoder
ATI Multimedia Center 7.8.0.0
Backgrounds
CCleaner (remove only)
DAO
File System Utilities
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 2.2 - Scanjet 3970 Series
HydraVision
Intel Security Driver
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q832894
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_08
Learn2 Player (Uninstall Only)
Microsoft Office XP Standard
MouseWare 9.01
Mozilla Firefox (2.0.0.6)
Outlook Express Update Q330994
Paltalk
PC Show and Tell Player
Pure Networks Port Magic
QuickTime
RealPlayer Basic
ScanSoft PaperPort Viewer 7.0
Spybot - Search & Destroy 1.4
Tera Term Pro
Toshiba Software Upgrades v2.1
Toshiba TAPM Setup
Toshiba Tbiosdrv Driver
Toshiba VirtualTech
Toshiba VirtualTech Agent
Turbo Lister
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Viewpoint Media Player
WebEx Client
WexTech AnswerWorks
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
WinZip

steamwiz
2007-08-02, 22:18
Hi

that uninstall list is what you would see in add/remove programs ... & there's no malware there ...

I want you to run 2 more programs please :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

Reboot into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum...

THEN...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

steam

kenbeuken
2007-08-02, 23:29
Here is the new SDFix log:

SDFix: Version 1.94

Run by Ken on Thu 08/02/2007 at 15:59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\WINNT\system32\1E9308E591.sys
C:\WINNT\system32\KGyGaAvL.sys
C:\WINNT\Profiles\Ken\My Documents\~WRL3016.tmp
C:\WINNT\system32\BIT84.tmp
C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\SAM.tmp.LOG
C:\WINNT\system32\config\SECURITY.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished

I am running the SUPERAntiSpyware as we speak.

I still cannot go to some websites, such as forums.spybot.info. It is still killing that particular website. Although it did allow me to download from the SUPERAntiSpyware site. Since I cannot access this site, I am still having to get the logs to a different computer to post them here.

Just giving you symptoms to help with your diagnosis. I will post the next log when it is finished...

kenbeuken
2007-08-03, 03:37
Well that was rather humbling. 155 threats, many of which were trojans....YIKES!!!

Here is the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/02/2007 at 08:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3277
Trace Rules Database Version: 1288

Scan type : Complete Scan
Total Scan Time : 03:58:01

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 5166
Registry threats detected : 1
File items scanned : 46453
File threats detected : 155

Adware.Tracking Cookie
C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@ads.web.aol[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@zedo[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@mediaplex[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@html[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@revsci[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@questionmarket[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@advertising[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@2o7[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@2o7[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.adworldnetwork[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.as4x.tmcs.ticketmaster[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.as4x.tmcs[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.businessweek[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ads.specificpop[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@adserving.autotrader[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@atdmt[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@cpvfeed[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@ordertracking[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@pointroll[2].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@questionmarket[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@stats.klsoft[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@tracking[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@trafficmp[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@www.macromedia[1].txt
C:\WINNT\Profiles\Administrator\Cookies\administrator@www.qksrv[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@2o7[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@ads.web.aol[1].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[1].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[2].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[3].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[4].txt
C:\WINNT\system32\config\systemprofile\Cookies\system@67.15.239[5].txt

Adware.HotBar/SpamBlockerUtility (Low Risk)
C:\WINNT\Downloaded Program Files\SpamBlockerUtility.inf

Trojan.WinBo32/Enhance
HKU\S-1-5-21-1333796941-572090573-1985484534-1003\Software\System\sysuid

Adware.MyWay
C:\Program Files\MyWay

Adware.ClickSpring/Outer Info Network
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo\Terms.lnk
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\WINNT\Profiles\Ken\Start Menu\Programs\Outerinfo

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\RTENEFS.HTML

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TOSHIBA\MESOWIFYM4.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TOSHIBA\MESOWIFYM83122.DLL.VIR

Trojan.Downloader-Gen/BasicMath
C:\QOOBOX\QUARANTINE\C\WINNT\DLS0523PMW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078957.EXE

Adware.ClickSpring
C:\QooBox\Quarantine\C\WINNT\system32\CURITY~1\EXPLOR~1.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076626.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078950.EXE

Trojan.Downloader-DRVSAM
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVJAX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVSAG.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVSUN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\DRVTOP.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076608.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079180.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079182.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079184.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079185.DLL

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\G1\KMHP83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WNSINTISV32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077788.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078940.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078951.EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H7NF66X8\XC60[1].EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XRVVW3QR\XC42[1].EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GX8EH84D\XC60[1].EXE

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\G11\Z553.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078954.EXE

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\LSLTFYVD.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078970.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\NNNMLII.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\OPNONML.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077843.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078965.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078967.DLL

Adware.Mirar/NetNucleus
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WINNB58.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078956.DLL

Trojan.Downloader-LDCore
C:\QOOBOX\QUARANTINE\C\WINNT\TFJJP0578.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1068\A0079186.EXE
C:\WINNT\PROFILES\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\N07NOGTO\USER9[1].EXE

Adware.RAC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076518.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076641.EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RSKUD5FP\83122[1].EXE

Adware.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076528.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076640.EXE

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076567.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076568.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1063\A0076569.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076598.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076600.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076602.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\FIND SPYWARE REMOVER.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\FREE ONLINE DATING.LNK
C:\WINNT\PROFILES\KEN\DESKTOP\GO TO CASINO.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\FIND SPYWARE REMOVER.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\FREE ONLINE DATING.LNK
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\GO TO CASINO.LNK

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076590.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076597.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076623.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076625.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077785.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078845.DLL
C:\WINNT\PROFILES\KEN\DESKTOP\HELPME\BACKUPS\BACKUP-20070731-135806-264.DLL

Trojan.Downloader-Gen/TStamp
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076596.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076624.EXE

Trojan.Downloader-NoName
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076605.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077733.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0077878.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0076609.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077736.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1064\A0077752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0077881.EXE
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XRVVW3QR\XC23[1].EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GX8EH84D\XC23[1].EXE

Trojan.IERedirector
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078847.DLL
C:\WINNT\PROFILES\KEN\DESKTOP\HELPME\BACKUPS\BACKUP-20070731-135806-917.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1065\A0078871.EXE

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078944.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078945.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078960.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078963.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078964.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078966.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078968.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078969.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\RP1066\A0078982.DLL

Adware.ClickSpring/Yazzle
C:\WINNT\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Trojan.Downloader-Gen/Mandingo
C:\WINNT\PROFILES\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H7NF66X8\XC29[1].EXE

Trojan.TagASaurus
C:\WINNT\PROFILES\LOCALSERVICE\DESKTOP\SEARCHUS.EXE
C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\DESKTOP\SEARCHUS.EXE

Trace.Known Threat Sources
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5M464CKY\anti4[1].exe
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6RP4XMIO\antzom[1].exe
C:\WINNT\Profiles\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5M464CKY\x5s34[1].exe
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[5].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\CATWGRHX.htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[6].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[5].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GX8EH84D\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[4].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[3].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\nf404[1].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[6].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\anti4[1].exe
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OCGFLFG7\nf404[2].htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0A2UVEF\CAXS6XDF.htm
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RSKUD5FP\nf404[7].htm

steamwiz
2007-08-03, 21:36
Hi


I still cannot go to some websites, such as forums.spybot.info. It is still killing that particular website. Although it did allow me to download from the SUPERAntiSpyware site. Since I cannot access this site, I am still having to get the logs to a different computer to post them here.

Just giving you symptoms to help with your diagnosis. I will post the next log when it is finished...


Of course ... keep reminding me what the problems are (& tell me when any are resolved) & anything else you think I should know, or think I may have forgotten ... I know we've got rid of a lot of bad stuff, but you still have several what appear to be unconnected problems ...

RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...

-
are you able to run any on-line virus scans on the sick computer ?

PandaActive scan ?
TrendMicro Housecall ?

If you need info on running these .. let me know ?
-
When you ran Ccleaner ... did you run it on the C:\WINNT\PROFILES\KEN ... profile ?

If so, then can you run it again please on the C:\WINNT\PROFILES\ADMINISTRATOR profile...

-
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINNT\uni_eh44.exe
C:\WINNT\uninst1014.exe
C:\Program Files\func.js
C:\Program Files\Del.js
C:\Program Files\func.exe



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply ...

steam
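
A pre-flight check for the CFScript.txt step above, as an added example (written for this page; it is not a tool from the thread or from ComboFix). It encodes the two format rules steamwiz stresses: "File::" must be the very first line, with no blank line above it and no space in front of it, and every line after it must be one absolute path. The sample scripts inside the block are constructed, and the function name check_cfscript is mine; it reports problems rather than silently fixing them, so a bad script is caught before it is dragged onto ComboFix.exe.

```python
"""Pre-flight check for a ComboFix CFScript.txt.

Added example for this page, not a tool from the thread or from ComboFix.
Rules checked: 'File::' is line 1 (no blank line above, no leading space) and
each following line is one absolute Windows path. Samples are constructed.
"""
import re

# Constructed samples: one correct script, three malformed ones.
GOOD_SCRIPT = "File::\r\nC:\\WINNT\\uni_eh44.exe\r\nC:\\Program Files\\func.js\r\n"
BLANK_ABOVE_HEADER = "\r\nFile::\r\nC:\\WINNT\\uni_eh44.exe\r\n"
SPACE_BEFORE_HEADER = " File::\r\nC:\\Program Files\\func.js\r\n"
RELATIVE_PATH = "File::\r\nfunc.js\r\n"

# Absolute Windows path: drive letter, colon, backslash, then no characters
# that NTFS forbids in names (control characters and <>"|?*).
_ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*\x00-\x1f]+$')


def check_cfscript(text):
    """Return a list of problems (an empty list means the script looks right)."""
    lines = text.splitlines()
    if not any(line.strip() for line in lines):
        return ["script is empty"]

    problems = []
    # Locate the header while tolerating whitespace, so misplacement can be reported.
    header_idx = next((i for i, l in enumerate(lines) if l.strip() == "File::"), None)
    if header_idx is None:
        problems.append("no 'File::' header line found")
        entries_start = 0
    else:
        if header_idx != 0:
            problems.append("line %d: 'File::' must be on line 1 (no blank line above it)"
                            % (header_idx + 1))
        if lines[header_idx] != "File::":
            problems.append("line %d: 'File::' must have no space in front of it or after it"
                            % (header_idx + 1))
        entries_start = header_idx + 1

    # Every non-blank line after the header is a path to be deleted.
    entries = [(i + 1, l) for i, l in enumerate(lines) if i >= entries_start and l.strip()]
    if not entries:
        problems.append("no file paths listed under 'File::'")
    for lineno, line in entries:
        if line != line.strip():
            problems.append("line %d: leading/trailing whitespace in path" % lineno)
        if not _ABS_PATH_RE.match(line.strip()):
            problems.append("line %d: not an absolute Windows path: %r" % (lineno, line.strip()))
    return problems


if __name__ == "__main__":
    for name, script in [("good", GOOD_SCRIPT), ("blank above header", BLANK_ABOVE_HEADER),
                         ("space before header", SPACE_BEFORE_HEADER), ("relative path", RELATIVE_PATH)]:
        print(name, "->", check_cfscript(script) or "OK")
```

Run it on the text you are about to save; an empty result means the header and every path are in the shape the instructions ask for. The checker deliberately does not rewrite the file, because a silently "fixed" script could delete something other than what was intended.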

kenbeuken
2007-08-05, 18:53
RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...



I don't quite follow what you are saying in this statement. Can you clarify?

I have not started any of the work since your last post. I decided to take a day off from dealing with it. The PC seems to be working quite well though besides those minor problems. Still cannot access things like Add/Remove Software because of the rundll32.exe file missing. Still cannot access some websites because something is killing them. Finally, I cannot get email sent out in Outlook, and it now is not able to retrieve it from one of my sources. That is a change and I have done nothing to it.

All 3 of these problems are new since the malware got on the PC. Prior to that, the PC was working great even though it is 7 years old and about 5th hand. :eek:

I will get to work on the new list and get back to you. Is it possible to just get a copy of rundll32.exe off another computer and put it in the correct file?

kenbeuken
2007-08-05, 19:45
One more thing, something is definitely hijacking Google in IE. In Firefox it seems to be ok, but in IE Google only finds certain sites that seem like junk and also delivers results in some foreign language.

Panda Active Scan is not supported in Firefox so I had to try finding it on IE and I got nowhere near the same results.
Actually, now that I am going through them, this seems to happen in a bunch of different search engines.

I was able to get Panda Active Scan running by pasting the link found using Firefox and Google.

More to come,...

steamwiz
2007-08-05, 21:04
Hi



Originally Posted by steamwiz
RE:Superantispyware
When you take out the cookies, system restore, & C:\QOOBOX\QUARANTINE (combofix backups)...

It didn't find that much, but still it got rid of a bit more ...



I don't quite follow what you are saying in this statement. Can you clarify?

What I meant is if you ignore all the entries under :-

cookies

Adware.Tracking Cookie
C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
etc,

these are no biggie...

system restore

C:\SYSTEM VOLUME INFORMATION\_RESTORE

these don't come into play unless you perform a system restore, so are no problem...

& C:\QOOBOX\QUARANTINE

these are already quarantined & no problem...

Then it didn't find a lot more ...

I didn't want you to do anything with these, I was just making a statement... sorry if I confused you..

-
In post #30 I asked you this :-

Go to > Start > Run > type appwiz.cpl & click OK ... does Add/remove programs open ?

Go to C:\WINNT\system32 folder ... do you see a "rundll32.exe" file ?

your reply...

When I run appwiz.cpl I get an error message. It says appwiz.cpl is not a valid Win32 application. I also do not see it in the system32 folder. In fact, there is a blank spot on the screen where that file should be.


This sounds like you are referring to the appwiz.cpl file ?

So do you see a "rundll32.exe" file ?

The appwiz.cpl & the rundll32.exe should BOTH be in the C:\WINNT\system32 folder

Are they BOTH missing or just one of them ?


Continue with the latest Combofix CFScript.txt instructions and delete those files, then let me know if there is any improvement ?

steam
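
The triage rule steamwiz explains above (cookies, System Volume Information\_RESTORE copies and C:\QooBox\Quarantine entries are not live infections, the rest is) can be applied mechanically to a scan log. The block below is an added example written for this page, not a tool from the thread or from SUPERAntiSpyware. Its sample input is a constructed excerpt in the same heading-then-paths layout as the log posted earlier, built from lines of that log; the bucket names and the functions parse_scan_log, classify, triage and summary are mine.

```python
"""Triage of a SUPERAntiSpyware-style scan log.

Added example for this page; not a tool from the thread or from SUPERAntiSpyware.
Buckets follow steamwiz's rule of thumb: tracking cookies, restore-point copies
and already-quarantined files are not live; everything else needs attention.
SAMPLE_LOG is a constructed excerpt using paths from the log posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Adware.Tracking Cookie
C:\\WINNT\\Profiles\\Ken\\Cookies\\ken@atdmt[2].txt
C:\\WINNT\\Profiles\\Ken\\Cookies\\ken@doubleclick[1].txt

Trojan.WinBo32/Enhance
HKU\\S-1-5-21-1333796941-572090573-1985484534-1003\\Software\\System\\sysuid

Trojan.Downloader-Gen/BasicMath
C:\\QOOBOX\\QUARANTINE\\C\\WINNT\\DLS0523PMW.EXE.VIR
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{D419C586-76D8-4AB7-AF30-353920A9411A}\\RP1066\\A0078957.EXE

Trojan.TagASaurus
C:\\WINNT\\PROFILES\\LOCALSERVICE\\DESKTOP\\SEARCHUS.EXE
C:\\WINNT\\SYSTEM32\\CONFIG\\SYSTEMPROFILE\\DESKTOP\\SEARCHUS.EXE
"""

# System Restore snapshot store and ComboFix's quarantine folder, case-insensitive.
_RESTORE_RE = re.compile(r'^[A-Za-z]:\\SYSTEM VOLUME INFORMATION\\_RESTORE', re.IGNORECASE)
_QUARANTINE_RE = re.compile(r'^[A-Za-z]:\\QOOBOX\\QUARANTINE\\', re.IGNORECASE)


def parse_scan_log(text):
    """Yield (category, item) pairs: a heading line, its items, and a blank line ends the group."""
    category = None
    for line in text.splitlines():
        if not line.strip():
            category = None
            continue
        if category is None:
            category = line.strip()
        else:
            yield category, line.strip()


def classify(category, item):
    """Return 'cookie', 'restore_point', 'quarantined' or 'live'."""
    if category.startswith("Adware.Tracking Cookie"):
        return "cookie"
    if _RESTORE_RE.match(item):
        return "restore_point"
    if _QUARANTINE_RE.match(item):
        return "quarantined"
    return "live"  # an on-disk file or registry value that is still in place


def triage(text):
    """Group every detection by bucket; the 'live' list is what to act on."""
    buckets = defaultdict(list)
    for category, item in parse_scan_log(text):
        buckets[classify(category, item)].append((category, item))
    return dict(buckets)


def summary(text):
    """Counts per bucket, e.g. {'cookie': 2, 'live': 3, ...}."""
    return {bucket: len(items) for bucket, items in triage(text).items()}


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    for category, item in triage(SAMPLE_LOG).get("live", []):
        print("ACT ON:", category, "->", item)
```

On the constructed excerpt the script reports three live items: the sysuid registry value and the two SEARCHUS.EXE copies; the quarantined .VIR file and the RP1066 restore-point copy are set aside exactly as the post says they can be. Pasting a full scan log in place of SAMPLE_LOG gives the same split for the whole run.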

kenbeuken
2007-08-05, 23:04
So do you see a "rundll32.exe" file ?

The appwiz.cpl & the rundll32.exe should BOTH be in the C:\WINNT\system32 folder

Are they BOTH missing or just one of them ?


I do see the appwiz.cpl file in C:\WINNT\system32. I do not see rundll32.exe. Like I said, there is a blank space in that file where the icon for rundll32.exe should be.

Further, on the control panel, when I click user accounts, I get the same error message about windows not being able to find rundll32.exe.

I do not know how to get into the Admin profile. It does not give me the choice on boot up and the User Accounts link is not working. It does give me the option to boot into Admin if I boot in safe mode. Can I boot in Safe Mode and run the new ComboFix instructions from there? If not, how else can I log in as Admin?

kenbeuken
2007-08-05, 23:06
Here is the Panda Active Scan log. It did not let me get rid of everything without paying. I also ran Trend Micro Housecall, and got rid of what it found, but it did not really give me a log.

Adware:Adware/ImageActiveXObject Not disinfected C:\Program Files\codec_setup.exe
Virus:Trj/Clicker.XQ Disinfected C:\Program Files\func.exe
Virus:Trj/Clicker.XQ Disinfected C:\Program Files\func.js
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.8.4.0\SpamBlockerUtility.exe.vir[SBTVSetup.exe][SBTVHelper.dll]
Adware:Adware/Popper Not disinfected C:\QooBox\Quarantine\C\WINNT\hkmheep.exe.vir
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINNT\rau001978.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\awtqqnn.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINNT\system32\fllhrxun.exe.vir
Virus:Trj/Downloader.PNC Disinfected C:\QooBox\Quarantine\C\WINNT\system32\G3\wr725.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\ljjkjii.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\nnnmjij.dll.vir
Virus:Trj/Passtealer.ED Disinfected C:\QooBox\Quarantine\C\WINNT\system32\nnnnmkj.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINNT\system32\rxpqxkpr.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\vturpmk.dll.vir
Adware:Adware/SuperSpider Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\winilc32.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\yaywvvw.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/Winpopup Not disinfected C:\SDFix\backups_old1\backups.zip[backups/b122.exe]
Virus:Trj/Downloader.NUS Disinfected C:\SDFix\backups_old1\backups.zip[backups/d.exe]
Virus:Trj/Downloader.OZB Disinfected C:\SDFix\backups_old1\backups.zip[backups/qwerty12.exe]
Virus:Trj/Downloader.OXI Disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun1.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][g4356cbvy63.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][uni_eh44.exe]
Adware:Adware/DigInk Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun3.exe][uninst1014.exe]
Adware:Adware/TTC Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun4.exe][TTC.dll]
Adware:Adware/SuperSpider Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun5.exe]
Virus:Generic Trojan Disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun6.exe~]
Adware:Adware/SuperSpider Not disinfected C:\SDFix\backups_old1\backups.zip[backups/stdrun8.exe~]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\SDFix\backups_old1\backups.zip[backups/UWA7P_0001_N91M0809NetInstaller.exe]
Adware:Adware/KeenValue Not disinfected C:\WINNT\browserxtras\pn\remove.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Administrator\Application Data\Mozilla\Firefox\Profiles\lal84xys.default\cookies.txt[.2o7.net/]
Spyware:Cookie/CentrPort Not disinfected C:\WINNT\Profiles\Administrator\Cookies\administrator@centrport[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.2o7.net/]
Spyware:Cookie/FastClick Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.tribalfusion.com/]

kenbeuken
2007-08-05, 23:07
continued....
Spyware:Cookie/PointRoll Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\WINNT\Profiles\Ken\Application Data\Mozilla\Firefox\Profiles\7otm7rt6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINNT\Profiles\Ken\Cookies\ken@mediaplex[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Profiles\Ken\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINNT\Profiles\Ken\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\Profiles\Ken\Desktop\VirtumundoBeGone.exe
Virus:Generic Trojan Disinfected C:\WINNT\Profiles\LocalService\Local Settings\Temp\~tmp143
Virus:Trj/Downloader.LAF Disinfected C:\WINNT\system32\ldcoreno
Virus:Trj/Downloader.LAF Disinfected C:\WINNT\system32\ldcoreno2
Adware:Adware/DigInk Not disinfected C:\WINNT\uninst1014.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\uni_eh44.exe

kenbeuken
2007-08-06, 00:45
I went ahead and ran ComboFix again per your instructions. I had to do it from the Ken profile because I still have not figured out how to get in as ADMIN unless I'm in Safe Mode. I figured I can run it again as ADMIN once I figure out how to get in. Here is the log:

ComboFix 07-07-30.2 - "Ken" 2007-08-05 17:33:20.3 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Del.js
C:\WINNT\uni_eh44.exe
C:\WINNT\uninst1014.exe


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 14:33 <DIR> d-------- C:\WINNT\Profiles\Ken\.housecall6.6
2007-08-05 12:36 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-02 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 11:56 <DIR> d-------- C:\Program Files\CCleaner
2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 23:42 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-05 17:33 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 13:53 --------- d-------- C:\Program Files\QuickTime
2007-08-05 13:51 --------- d-------- C:\Program Files\Messenger
2007-08-05 13:46 --------- d-------- C:\Program Files\Google
2007-08-02 20:24 --------- d-a------ C:\Program Files\Windows NT
2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - TMCOMM

Contents of the 'Scheduled Tasks' folder
2007-08-05 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 17:35:57
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-05 17:37:32
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:36
C:\ComboFix2.txt ... 2007-08-02 11:51
C:\ComboFix3.txt ... 2007-07-31 14:35

--- E O F ---

steamwiz
2007-08-06, 20:49
Hi Ken



I do see the appwiz.cpl file in C:\WINNT\system32. I do not see rundll32.exe. Like I said, there is a blank space in that file where the icon for rundll32.exe should be.

Further, on the Control Panel, when I click User Accounts, I get the same error message about Windows not being able to find rundll32.exe.


rundll32.exe is required to run all dll files & cpl files ...

As yours is missing, let's see if we can resolve this first by replacing it...

you need to paste a copy of the rundll32.exe file into the C:\WINNT\system32 folder..

see if you have an i386 folder (these contain your backup files)

in either of these locations :-

C:\Winnt\I386

C:\I386

If you have, then look for the file rundll32.exe & if you find it, right click on it & copy ... then go to your system32 folder ... right click & paste

if the file looks like this rundll32.ex_ then you can't copy & paste it, it will have to be expanded ... let me know.




I do not know how to get into the Admin profile. It does not give me the choice on boot up and the User Accounts link is not working. It does give me the option to boot into Admin if I boot in Safe Mode. Can I boot in Safe Mode and run the new ComboFix instructions from there? If not, how else can I log in as Admin?


It's only Ccleaner I wanted you to run on the ADMINISTRATOR profile... so forget that for now...




Here is the Panda ActiveScan log. It did not let me get rid of everything without paying. I also ran Trend Micro HouseCall, and got rid of what it found, but it did not really give me a log.


That's OK ... I just wanted to see the log, we can get rid of anything from the log without you having to pay...
-
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\Program Files\codec_setup.exe

Folder::
C:\QooBox
C:\SDFix



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply ...

steam

kenbeuken
2007-08-06, 21:41
Hi Ken
if the file looks like this rundll32.ex_ then you can't copy & paste it, it will have to be expanded ... let me know.


This is what I have, so we will have to expand it.

Here is the new ComboFix log:

ComboFix 07-07-30.2 - "Ken" 2007-08-06 14:29:37.4 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\WINNT\Profiles\Ken\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\codec_setup.exe
C:\QooBox
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\zip.exe
C:\SDFix\backups\attrib.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\find.exe
C:\SDFix\backups\findstr.exe
C:\SDFix\backups\HOSTS
C:\SDFix\backups\regedit.exe
C:\SDFix\backups_old1\attrib.exe
C:\SDFix\backups_old1\backupreg.zip
C:\SDFix\backups_old1\backups.zip
C:\SDFix\backups_old1\find.exe
C:\SDFix\backups_old1\findstr.exe
C:\SDFix\backups_old1\HOSTS
C:\SDFix\backups_old1\regedit.exe
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\Report_old_1.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 14:33 <DIR> d-------- C:\WINNT\Profiles\Ken\.housecall6.6
2007-08-05 12:36 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\Ken\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-02 16:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-02 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 11:56 <DIR> d-------- C:\Program Files\CCleaner
2007-07-31 14:23 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 14:01 <DIR> d-------- C:\WINNT\ERUNT
2007-07-30 14:57 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-07-30 14:57 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:41 3,596 --a------ C:\WINNT\system32\tmp.reg
2007-07-29 15:08 <DIR> d-------- C:\WINNT\Profiles\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-07-29 12:38 <DIR> d-------- C:\Program Files\HijackThi
2007-07-29 11:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-07-28 14:50 <DIR> d-------- C:\WINNT\Profiles\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 13:53 --------- d-------- C:\Program Files\QuickTime
2007-08-05 13:51 --------- d-------- C:\Program Files\Messenger
2007-08-05 13:46 --------- d-------- C:\Program Files\Google
2007-08-02 20:24 --------- d-a------ C:\Program Files\Windows NT
2007-07-31 14:26 --------- d-a------ C:\Program Files\Toshiba
2007-07-05 17:33 --------- d-------- C:\WINNT\Profiles\Ken\APPLIC~1\WinRAR
2007-01-25 18:59 16400 --a------ C:\WINNT\Profiles\Ken\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-21 14:05 271 ---hs---- C:\Program Files\desktop.ini
2003-03-21 14:05 21952 --ah----- C:\Program Files\folder.htt
2006-02-25 03:17:03 75 -csh--w C:\WINNT\Profiles\Ken\NetHood\download on www.401kduediligence.com\Desktop.ini
2004-07-23 16:23:22 56 -csh--r C:\WINNT\system32\1E9308E591.sys
2006-07-29 23:36:17 1,682 -csha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-02-04 11:01]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2000-07-10 12:34]
"PROMon.exe"="Promon.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-06 17:35]
"Synchronization Manager"="mobsync.exe" [2001-08-23 10:00 C:\WINNT\system32\mobsync.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-23 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-23 10:52]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1135354199\ee\AOLSoftware.exe" [2006-09-25 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 09:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-23 10:49:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 ASCTRM;ASCTRM;C:\WINNT\System32\drivers\ASCTRM.sys
R2 Isecdrv;ISECDRV;C:\WINNT\System32\drivers\Isecdrv.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINNT\System32\tcpsvcs.exe
R3 brfilt;Brother MFC Filter Driver;C:\WINNT\System32\Drivers\Brfilt.sys
R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\System32\DRIVERS\BrParImg.sys
R3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\System32\Drivers\BrParwdm.sys
R3 BrSerWDM;Brother WDM Serial driver;C:\WINNT\System32\Drivers\BrSerWdm.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINNT\System32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINNT\System32\DRIVERS\i81xnt5.sys
R3 mf;mf;C:\WINNT\System32\DRIVERS\mf.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINNT\System32\DRIVERS\wanatw4.sys
S1 TAPM_NT;TAPM_NT;C:\WINNT\System32\drivers\TAPM_NT.sys
S1 vrfyflp;Floppy disk verify driver;C:\WINNT\System32\drivers\vrfyflp.sys
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
S2 Scsiprnt;Scsiprnt;C:\WINNT\System32\drivers\Scsiprnt.sys
S3 iAimFP0;iAimFP0;C:\WINNT\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINNT\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINNT\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINNT\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINNT\System32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINNT\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINNT\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINNT\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINNT\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINNT\System32\DRIVERS\wCh7xxNT.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 TBiosDrv;TBiosDrv;\??\C:\WINNT\System32\drivers\TBiosDrv.sys
S4 i81xnt4;i81xnt4;C:\WINNT\System32\DRIVERS\i81xnt4.sys
S4 lkbdfltr;Logitech Keyboard Class Filter Driver;C:\WINNT\System32\DRIVERS\lkbdfltr.sys
S4 lmoufltr;Logitech Mouse Class Filter Driver;C:\WINNT\System32\DRIVERS\lmoufltr.sys
S4 lsermous;Logitech Serial Mouse Driver;C:\WINNT\System32\DRIVERS\lsermous.sys

*Newly Created Service* - TMCOMM

Contents of the 'Scheduled Tasks' folder
2007-08-06 07:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 14:34:54
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 14:36:27
C:\ComboFix-quarantined-files.txt ... 2007-08-05 17:36
C:\ComboFix2.txt ... 2007-08-05 17:37
C:\ComboFix3.txt ... 2007-08-02 11:51

--- E O F ---

steamwiz
2007-08-07, 01:33
I need to know the exact location of the i386 folder ?

Assuming it's here :- C:\i386

1. Click Start, and then click Run.
2. In the Open box, type cmd
3. Then click OK.

When the cmd prompt opens type Expand C:\i386\rundll32.ex_ c:\WINNT\system32\rundll32.exe

Note that there is a space between "Expand" and "C:\i386" & between "ex_" and "c:\WINNT\"

If the file is in C:\WINNT\i386

then it would be :-

Expand C:\WINNT\i386\rundll32.ex_ c:\WINNT\system32\rundll32.exe

If it's on a disk, let me know...

steam

kenbeuken
2007-08-07, 02:36
Well thanks! That fixed it!

So how are we looking on malware?

I still am having searches in search engines hijacked. Also, I still cannot get to certain websites like this one. The PC seems to be running well except for that. Problem is, that must mean we still have issues? I wouldn't ever want to enter any personal information into that computer if I know webpages are being redirected.

Anything else in mind?

kenbeuken
2007-08-07, 02:37
HOLD ON!! Just tried to get on forums.spybot.info and it LET ME IN!!! WOO HOO!!

Still having the search engine issue though.

steamwiz
2007-08-07, 20:18
Hi

The malware appears to be pretty much gone. I still want you to run CCleaner on the C:\WINNT\Profiles\Administrator\ account... you should be able to get to that account from the Control Panel now...

Let's see if your DNS settings are being hijacked ...

Print out these instructions for reference, since you will have to restart your computer during the fix.

1. Please download FixWareout from here:-

http://downloads.subratam.org/Fixwareout.exe

2. Save it to your desktop and run it.

3. Click Next > then Install > then make sure "Run fixit" is checked and click Finish.

4. The fix will begin, follow the prompts.

5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load; this is normal.

6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch. Please Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again, restart if prompted.

Finally, please post the contents of :-

C:\fixwareout\report.txt


steam

kenbeuken
2007-08-07, 20:57
Steam,

The Admin account simply is not there. All that are listed are Ken and Guest. This is strange because when I boot in Safe Mode, the Admin account is one of my choices. Any ideas why this is? Does it have something to do with how the software was originally set up?

I will continue with the Fixwareout instructions from here and wait for your response.

kenbeuken
2007-08-07, 21:00
Bad news,

We are also back to the PC killing websites. I can no longer get onto this website, and the new one you gave me is not being allowed either. I will try to do it with a floppy.

kenbeuken
2007-08-07, 21:14
Here is the report from Fixwareout:

Username "Ken" - 2007-08-07 14:05:11 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}
"nameserver"="194.54.90.226" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\\PROGRA~1\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe"
"PROMon.exe"="Promon.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Synchronization Manager"="mobsync.exe /logon"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1135354199\\ee\\AOLSoftware.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

kenbeuken
2007-08-07, 21:23
OK, for the meantime, this seems to have fixed 2 issues. I can now do normal searches on both IE and Firefox using Google and the like. Also, my Outlook email seems to be working right again.

The remaining problem still seems to be the killing of certain websites. For example, at the moment I am on forums.spybot.info and writing you. However, I just tried to access http://downloads.subratam.org/Fixwareout.exe and a few others that you have given me in the past, and they are still saying that they cannot be found. Seems we are doing some good, but the bug is hiding out somewhere.

I'll try and figure out why I cannot log in as Admin while I wait to hear from you.

Thanks again for all of your help.

Ken

steamwiz
2007-08-08, 00:56
Hi Ken

Which other links can't you reach ? can you name a few please ?

If you click refresh after getting "the page cannot be displayed" does it connect ?

steam

kenbeuken
2007-08-08, 01:22
Steam,

For the time being at least, it seems that I can now get to any website that I want. I don't know why that changed since my last post, but it has. It seems that all the problems have been fixed. I would really like to give you a sincere thank you for all the help you provided here to me, and everyone else. I don't know how they talk people into doing this for no charge. If there is any way I can repay you or the community, please let me know.

I don't know if I have done everything you want me to do for sure yet, but I did want to bring one more thing to your attention. Every time that I have run Spybot recently, it finds the following...

Advertising.com 6 entries
DoubleClick 1
FastClick 3 entries
HitBox 6 entries
MediaPlex 1
WebTrends Live 1
Zedo 6 entries

These are, for the most part, the same as I posted in post #24. I have Spybot fix them each time, but they keep re-appearing. I have not been to any websites that would download this kind of stuff since we have been working together. Should I be concerned, or is something still going on?

Thanks again for all of your help!

steamwiz
2007-08-08, 20:59
Hi Ken

The DNS hijack was the most likely cause of your last problem; it probably only required a reboot to clear it totally...

Advertising.com 6 entries
DoubleClick 1
FastClick 3 entries
HitBox 6 entries
MediaPlex 1
WebTrends Live 1
Zedo 6 entries

These are tracking cookies which everyone picks up all the time, it's all part of surfing...

Installing the MVPS HOSTS file & IE-Spyad will greatly reduce the number that you pick up...

1. IE/Spyad: http://www.spywarewarrior.com/uiuc/resource.htm
2. http://www.mvps.org/winhelp2002/hosts.htm

#1 IE/Spyad will place over 5,000 known bad sites in your "Restricted sites" list.

#2 The MVPS HOSTS file will similarly block known bad sites from loading on to your computer by using the hosts file.

Also take a look here :-

So how did I get infected in the first place? by TonyKlein :-

http://forums.spybot.info/showthread.php?t=279

cheers

steam
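An added check, written for this thread and not part of it or of Fixwareout, for the two hijacks discussed above: a static NameServer value of the kind the Fixwareout report cleared, and HOSTS entries that block or redirect the security sites Ken could not reach. TRUSTED_DNS and WATCHED_SITES are assumptions to adjust, and the sample .reg and hosts text is constructed.

```python
r"""Audit Windows DNS-client settings and the HOSTS file for the two hijacks
seen in this thread: a static "NameServer" pointing at a rogue resolver, and
HOSTS entries that block or redirect security sites (sample input constructed)."""
import ipaddress
import re

# Per-interface DNS settings live under this key; the Fixwareout report above
# shows the hijacked "nameserver" value in exactly this location.
IFACE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"
    r"\\Parameters\\Interfaces\\(\{[0-9A-Fa-f-]+\})\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

TRUSTED_DNS = {"192.168.1.1"}     # assumed allowlist: your router/ISP resolvers
WATCHED_SITES = {"forums.spybot.info", "downloads.subratam.org", "www.gmer.net"}
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_reg_interfaces(reg_text):
    """Return {interface_guid: {value_name: data}} from a .reg export of the
    Tcpip Interfaces key (reg export writes UTF-16; decode it before calling)."""
    interfaces, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a new key begins
            m = IFACE_KEY_RE.match(line)
            current = interfaces.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = m.group("data")
    return interfaces


def find_rogue_dns(interfaces, trusted=TRUSTED_DNS):
    """Flag static NameServer entries not on the allowlist. A static value
    overrides the DHCP-supplied DhcpNameServer, so one registry write
    silently redirects every lookup the machine makes."""
    trusted_addrs = {ipaddress.ip_address(a) for a in trusted}
    findings = []
    for guid, values in interfaces.items():
        for server in filter(None, re.split(r"[ ,]+", values.get("NameServer", ""))):
            try:
                bad = ipaddress.ip_address(server) not in trusted_addrs
            except ValueError:
                bad = True                            # garbage is also a finding
            if bad:
                findings.append((guid, server))
    return findings


def find_hosts_tampering(hosts_text, watched=WATCHED_SITES):
    """Any HOSTS entry for a watched security site is suspect: loopback or
    0.0.0.0 blocks the site, anything else redirects it to someone's server."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()         # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            if name.lower() in watched:
                kind = "blocked" if addr in BLACKHOLE else "redirected"
                findings.append((lineno, name.lower(), fields[0], kind))
    return findings


# Constructed sample: the GUID and address mirror the Fixwareout report in the
# thread; the second interface is clean (DHCP only).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2FD7F9D9-73F4-4838-92BA-7B4EF69B3F07}]
"NameServer"="194.54.90.226"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
"""
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       forums.spybot.info        # blocks the help forum
194.54.90.226   downloads.subratam.org    # redirects the tool download
0.0.0.0         ad.doubleclick.net        # MVPS-style ad block, not watched
"""


def audit(reg_text=SAMPLE_REG, hosts_text=SAMPLE_HOSTS):
    """Run both checks and return the findings as one dict."""
    return {"dns": find_rogue_dns(parse_reg_interfaces(reg_text)),
            "hosts": find_hosts_tampering(hosts_text)}


if __name__ == "__main__":
    print(audit())
```

On a real machine feed it the decoded output of `reg export` for the Interfaces key and the contents of the hosts file; an empty result for both sections is what a clean system looks like.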