hey folks

this is probably going to sound just like all the other posts on here, but, here goes

i woke up yesterday morning to find my computer infected with this lovely little bug, it caused all sort of pop ups, including the spyware wuake business, the constant pop ups from security sites, and the little yellow warning badges down near my clock and what have you

tried to remove it, but as you can imagine, so far unsuccessful, ad aware seemed to do some good, spy bot however just seems to do the same thing everytime, i.e, find it again even though i removed it almost 10 seconds ago


i unticked the command service box in services on start up, and this sitn any more bad thing in my start up list, and i have now installed zonealarm firewall, but alas, im still being plagued by opo ups of all varieties

this is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 23:32:28, on 13/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Stardock\SDMCP.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\ishost.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Microsoft IntelliPoint\ipoint.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Common Files\{FC6B39EF-07DA-2057-0715-05072705002c}\Update.exe
F:\WINDOWS\system32\ismon.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\WINDOWS\system32\isnotify.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - F:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - F:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload - F:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - F:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - F:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - F:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2CBFFA11-53D0-000B-9D54-34E13C99C1C1} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{8740165E-B3C6-4204-BAF4-59D5E4BF34D0}: NameServer = 62.241.163.200 62.241.162.201
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: F:\WINDOWS\system32\spool32.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe


i hope ive done everything right there, if you need anything else please just holler

thanks to anyone than can help me out of this one

cheers for you help fellas

macready

Welcome to the forum, follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be know about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

hey chief

thanks for the speedy reply

well, i run those things you suggested and theres been some interesting developments

first off, everything went fine, and know command service seems to have gone, its no longer in my list of services when i run msconfig.exe, and spybot doesnt find anything anymore

good news, last night, i also removed some dodgy stuff i found lurking in add/remove programs, cowabange, and some yazzle ad thing

the only thing thats re-occuring now is this little bastard

xxywxyy.dll

ewido keeps picking it up as a dodgy file, so ive told ewido to just stop it when ever it trys something, you know, that use same action thing

it cant be deleted in normal or safe mode

anywho, heres the logs you requested

hijack this

Logfile of HijackThis v1.99.1
Scan saved at 08:41:07, on 14/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Stardock\SDMCP.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Microsoft IntelliType Pro\type32.exe
F:\Program Files\Microsoft IntelliPoint\ipoint.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 81.178.230.140:6502
R3 - Default URLSearchHook is missing
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - F:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Files by HiDownload - F:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - F:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - F:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - F:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2CBFFA11-53D0-000B-9D54-34E13C99C1C1} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: F:\WINDOWS\system32\spool32.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

ewido

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:23:37 14/08/2006

+ Scan result:



F:\WINDOWS\system32\navshext1.dll -> Adware.Chiem : No action taken.
F:\WINDOWS\VGFuayBTb2xv\asappsrv.dll -> Adware.CommAd : No action taken.
F:\WINDOWS\VGFuayBTb2xv\command.exe -> Adware.CommAd : No action taken.
HKU\S-1-5-21-1004336348-1336601894-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : No action taken.
HKU\S-1-5-21-1004336348-1336601894-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : No action taken.
HKU\S-1-5-21-1004336348-1336601894-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : No action taken.
F:\WINDOWS\Downloaded Program Files\CONFLICT.1\YazzleActiveX.ocx -> Adware.MediaTickets : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU -> Adware.SaveNow : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : No action taken.
F:\Documents and Settings\Tank\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : No action taken.
F:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : No action taken.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : No action taken.
F:\WINDOWS\system32\hggddbb.dll -> Adware.Virtumonde : No action taken.
F:\WINDOWS\system32\xxywxyy.dll -> Adware.Virtumonde : No action taken.
F:\Documents and Settings\Tank\Local Settings\Application Data\b56ec8eb.exe -> Downloader.Obfuscated.a : No action taken.
F:\WINDOWS\system32\b56ec8eb.exe -> Downloader.Obfuscated.a : No action taken.


::Report end

and finally, the rapport thing, which incidentally, didnt find the wininet.dll thing, that good or bad??

SmitFraudFix v2.81

Scan done at 7:54:30.14, 14/08/2006
Run from F:\Documents and Settings\Tank\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

F:\WINDOWS\system32\ishost.exe Deleted
F:\WINDOWS\system32\ismon.exe Deleted
F:\WINDOWS\system32\isnotify.exe Deleted
F:\WINDOWS\system32\ot.ico Deleted
F:\WINDOWS\system32\ts.ico Deleted
F:\WINDOWS\system32\components\flx?.dll Deleted
F:\DOCUME~1\Tank\FAVORI~1\Antivirus Test Online.url Deleted
F:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
F:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



there it is, cheers so far fellas

and cheers for any help you can give

stay groovy

Alas, I am not the chief, only one of the indians, let's have a look to see how you did.

C:\Program Files\HijackThis.exe <<< this is not safe, please return there and right click a blank spot. Create a NEW > Folder, name it HJT. Move any logs there into that folder along with HJT. We have a Vundo trojan that hackers are hiding from HJT showing in the ewido scan. Once you have that folder call HJT, I want you to rename it to:
C:\Program Files\HJT\analyze.exe The next HJT log you post should show the hidden trojan.

ewido: For some reason you have picked "no action taken" when ewido found the bad stuff for you. Please run ewido again and unless you know an item is not bad, delete everything it locates. ewido will do a much better job for you if you run it in safe mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Please post the scan report as soon as you have it.

and finally, the rapport thing, which incidentally, didnt find the wininet.dll thing, that good or bad??
That is good, means the file was not infected, you did have a good infection that SmitfraudFix was able to remove for you.

Are you aware of this about FlashGet? I would not have it on any of my computers.
http://www.castlecops.com/clsid-927.html

I believe this is a trojan that must be removed: F:\WINDOWS\system32\spool32.dll but we need to be positive. Use one or more of these free online scans to find out and post the information for me to view:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {2CBFFA11-53D0-000B-9D54-34E13C99C1C1} - http://85.255.113.214/1/gdnFR2339.exe G
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer, it may run a bit slower until Windows repopulates the Prefetch folder, post the ewido scan results, a new HJT log, and the information I requested about that possible trojan.

Because this junk attracts more, I suggest you stay offline except when absolutely necessary until you are clean.

Thanks

hi there

thanks for the reply

ill be honest with you, since i did all that scanning and removing this morning that you helped with, everything seems to be fine, as i said the command service has now gone and touch wood, i havent had a single pop up yet

ill steer the course and see who things go

if it plays up again ill do those things you suggested and drop back in

thanks for your help buddy

Do what you wish, but I am going to advise you to complete the above instructions, at least one of those links is to Yazzle and the other DPF is to, well take a look: http://whois.domaintools.com/85.255.113.214
Those are the Ukrainians involved with the Wareout infection and at the very least they had placed a ActiveX control on your computer.

F:\WINDOWS\system32\hggddbb.dll -> Adware.Virtumonde : No action taken.
F:\WINDOWS\system32\xxywxyy.dll -> Adware.Virtumonde : No action taken

Those two lines indicate, unless you recently removed a Vundo infection and they were left by the removal, that you probably have a Vundo infection also. You had also not removed all of the junk ewido found.

Don't get me wrong, I have many, many times more logs than I can find the time to help at, I just hate to see you go away half clean and regret it. Your call.

Safe surfing...Tashi:) will close this topic in a day or so.

Thanks

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.

Cheers.