PDA

View Full Version : AdwareRemoval 2007



phuwalt
2007-11-15, 16:00
Greetings,

I have a PC that will not remove this Malware. Here is the HJT info. Also I saw another forum that requested the information from a program called ComboFix... Although the subsiquent information within that forum didnt seem to help me.. although I might be doing it wrong.

ComboFix 07-11-08.1 - nurse 2007-11-15 8:50:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT -5:00]
Running from: C:\Documents and Settings\nurse\Local Settings\Temporary Internet Files\Content.IE5\HG0FH5GL\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\nurse\Desktop\Error Cleaner.url
C:\Documents and Settings\nurse\Desktop\Privacy Protector.url
C:\Documents and Settings\nurse\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\nurse\Favorites\Error Cleaner.url
C:\Documents and Settings\nurse\Favorites\Privacy Protector.url
C:\Documents and Settings\nurse\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt
C:\windows\xpupdate.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 08:52 53,248 --a------ C:\Temp\clfdearnONT.dll
2007-11-15 08:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 08:26 <DIR> d-------- C:\Program Files\AdwareRemover2007
2007-11-14 15:50 289,280 --a------ C:\WINDOWS\nopctrl.dll
2007-11-14 15:50 277,504 --a------ C:\WINDOWS\ddkret.dll
2007-11-14 15:50 253,952 --a------ C:\WINDOWS\oprevpfm.dll
2007-11-14 15:50 188,416 --a------ C:\WINDOWS\bonsws.dll
2007-11-14 15:50 114,688 --a------ C:\WINDOWS\sawkip.exe
2007-11-14 15:10 <DIR> d-------- C:\Program Files\RichVideoCodec
2007-10-16 13:00 <DIR> d-------- C:\Temp\WERee8a.dir00
2007-10-16 12:59 <DIR> d-------- C:\Temp\WebReportsCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CE12841-9438-48A0-9DA9-D3D2D3D562CC}]
2007-11-14 11:52 253952 --a------ C:\WINDOWS\oprevpfm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{422CA3AF-86F1-4607-88E2-BBBD4E9371EB}"= C:\WINDOWS\bonsws.dll [2007-11-14 11:52 188416]

[HKEY_CLASSES_ROOT\CLSID\{422CA3AF-86F1-4607-88E2-BBBD4E9371EB}]
[HKEY_CLASSES_ROOT\bonsws.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{2261B65D-0A17-4194-B2F6-E191E6D6618D}]
[HKEY_CLASSES_ROOT\bonsws.ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\PROGRAM FILES\ORL\VNC\WINVNC.exe" [2004-06-20 19:45]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 17:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 13:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 20:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 20:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 20:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-17 08:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"AdwareRemover2007"="C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe" [2007-11-15 08:26]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nopctrl"= {A08E4C19-F01C-4E65-B30F-47A5D07D4D48} - C:\WINDOWS\nopctrl.dll [2007-11-14 11:51 289280]
"ddkret"= {1C132C08-986A-4723-A15C-4AE508A027C9} - C:\WINDOWS\ddkret.dll [2007-11-14 11:51 277504]

R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 SnaBase;SnaBase;C:\Program Files\SNA\system\SNABASE.EXE
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 08:52:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 8:53:01
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:00:05 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
\wphnt2\apps$\Ad-aware & other pop-up remover stuff\HijackThis Tool\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wphiis/gui32live/affinitygui32.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3CE12841-9438-48A0-9DA9-D3D2D3D562CC} - C:\WINDOWS\oprevpfm.dll
O3 - Toolbar: The bbrsep - {422CA3AF-86F1-4607-88E2-BBBD4E9371EB} - C:\WINDOWS\bonsws.dll
O4 - HKLM\..\Run: [WinVNC] "C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124730237078
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://10.250.3.25/plugin/MS_j2re-1_4_2_05-win-i.exe
O16 - DPF: {E87D50A5-7256-4CDB-BC77-7334EDB81DF3} (AffinityGui.Application) - http://wphiis/gui32live/AffinityGUI.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pgh.wpahs.org
O17 - HKLM\Software\..\Telephony: DomainName = pgh.wpahs.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA0C2E6-BC69-4DEC-82F4-34020725C778}: Domain = wpahs.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pgh.wpahs.org
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: nopctrl - {A08E4C19-F01C-4E65-B30F-47A5D07D4D48} - C:\WINDOWS\nopctrl.dll
O21 - SSODL: ddkret - {1C132C08-986A-4723-A15C-4AE508A027C9} - C:\WINDOWS\ddkret.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE" -service (file missing)



THANK YOU FOR HELPING ME! :)

phuwalt
2007-11-15, 17:43
Sorry for the double post - I could not find where to edit my old post so I didnt update the time....

I ran Spybot - removed about 18 different infections. Then ran the Kaspersky which found 5 more virus's and 8 more infected files.

Ran FixVundo - found nothing
Ran SmitFraud.cmd - got this in return:

SmitFraudFix v2.253

Scan done at 10:40:02.66, Thu 11/15/2007
Run from C:\unzipped\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nurse


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nurse\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\nurse\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\RichVideoCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.8.5.35
DNS Server Search Order: 10.8.5.3
DNS Server Search Order: 205.146.96.10
DNS Server Search Order: 172.17.16.13

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FCA0C2E6-BC69-4DEC-82F4-34020725C778}: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FCA0C2E6-BC69-4DEC-82F4-34020725C778}: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FCA0C2E6-BC69-4DEC-82F4-34020725C778}: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.8.5.35 10.8.5.3 205.146.96.10 172.17.16.13


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Just trying everything all you amazing analysts have provided other's with in the past. Hope I'm not screwing things up :)

pskelley
2007-11-28, 01:52
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize that you have not been helped, but it seems you have caused this because you did not read the directions. Posted above and pinned to the top of the forum are the directions. If you have not resolved your issues and still want help, please read those directions and then post a new HJT log describing any symptoms and I will be glad to take a look.

Thanks