look2me Qoologic.bj HacDef.fv problems... [Archive]

View Full Version : look2me Qoologic.bj HacDef.fv problems...

iggalileo

2006-09-02, 01:30

Greetings - Having problems cleaning up my friend's machine. Can't get rid of look2me Qoologic.bj and HacDef.fv. I've used Ad-Aware, Ewido, Spybot S&D and Symantec Anti-Virus. I also can't run Windows Update without it blue-screening on me.

THANK YOU!

Logfile of HijackThis v1.99.1
Scan saved at 6:14:11 PM, on 9/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jamie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfhmu.exe
F2 - REG:system.ini: UserInit=userinit.exe,aanqfoh.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\irn4l55q1.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Print Spooler Service (SpoolSvc222) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y1733523.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)

Rawe

2006-09-02, 21:17

Hello :)

Please print these instructions out, or write them down, as you can't read them during the fix.

Download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply. It will be located in C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
Once in Safe Mode, right-click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with the contents of C:\ComboFix.txt log. :bigthumb:

iggalileo

2006-09-05, 05:41

Thank you for your reply. Sorry for the delay as I was gone for the weekend.

I ran Combofix and it bluescreened the firsttime with a winlogon error. I ran it again and it went through fine.

I then booted into Safe Mode and run SDFix without a problem.

Attached are the two logs you requested.

There ended up being two combofix result files (ComboFix.txt and ComboFix2.txt). I'll include both...

jamie - 06-09-04 22:06:51.40
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\jamie\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{B258F6D4-F31D-4A71-9E9C-6DC67039C7E2}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{B258F6D4-F31D-4A71-9E9C-6DC67039C7E2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B258F6D4-F31D-4A71-9E9C-6DC67039C7E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B258F6D4-F31D-4A71-9E9C-6DC67039C7E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\ROAENH.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BE66DA38-A688-4785-9206-6F6F0494F445}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BE66DA38-A688-4785-9206-6F6F0494F445}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BE66DA38-A688-4785-9206-6F6F0494F445}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BE66DA38-A688-4785-9206-6F6F0494F445}\InprocServer32]
@="C:\\WINDOWS\\system32\\sgell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{277E6D2D-2B00-4B89-80EE-F0D72598B4AD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{277E6D2D-2B00-4B89-80EE-F0D72598B4AD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{277E6D2D-2B00-4B89-80EE-F0D72598B4AD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{277E6D2D-2B00-4B89-80EE-F0D72598B4AD}\InprocServer32]
@="C:\\WINDOWS\\system32\\MBOERT2.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BD7488FC-E37E-42D0-AF46-F35BDD1133CA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD7488FC-E37E-42D0-AF46-F35BDD1133CA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD7488FC-E37E-42D0-AF46-F35BDD1133CA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD7488FC-E37E-42D0-AF46-F35BDD1133CA}\InprocServer32]
@="C:\\WINDOWS\\system32\\DMRGUI.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{71D5CB54-5255-4CCE-A1ED-85A6643D9723}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71D5CB54-5255-4CCE-A1ED-85A6643D9723}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71D5CB54-5255-4CCE-A1ED-85A6643D9723}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71D5CB54-5255-4CCE-A1ED-85A6643D9723}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\SYSTEM32\DMRGUI.DLL
C:\WINDOWS\SYSTEM32\fprs0397e.dll
C:\WINDOWS\SYSTEM32\irrul5991.dll
C:\WINDOWS\SYSTEM32\LEEXPAND.DLL
C:\WINDOWS\SYSTEM32\m8ju0i19e8.dll
C:\WINDOWS\SYSTEM32\MTASTMIB.DLL
C:\WINDOWS\SYSTEM32\guard.tmp

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *

O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\SYSTEM32\yvpiuj.exe
O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\System32\yvpiuj.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\pfhmu.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\SYSTEM32\aanqfoh.exe

* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *

2006-09-01 18:27 127488 C:\WINDOWS\SYSTEM32\yvpiuj.exe
2006-09-01 18:38 51712 C:\WINDOWS\SYSTEM32\fdpimrs.dll
2006-09-01 18:27 23552 C:\WINDOWS\SYSTEM32\aanqfoh.exe
2006-08-04 04:27 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdcjb.exe
2006-09-01 18:20 329 C:\WINDOWS\xqwpm.dll
2006-09-01 21:51 127488 C:\WINDOWS\SYSTEM32\esflh.dat
2006-09-01 18:38 28672 C:\WINDOWS\SYSTEM32\pfhmu.exe

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

06-09-01 21:51 127488 esflh.dat.qoo
06-09-01 18:27 127488 yvpiuj.exe.qoo
06-08-04 04:27 127488 rdcjb.exe.qoo
06-09-01 18:38 51712 fdpimrs.dll.qoo
06-09-01 18:38 28672 pfhmu.exe.qoo
06-09-01 18:27 23552 aanqfoh.exe.qoo
06-09-01 18:20 329 xqwpm.dll.qoo
06-08-10 18:04 52 npbpbe.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\wapisu.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32n9nyb.exe
C:\Program Files\Common Files\mc-110-12-0000488.exe
C:\Program Files\DNS
C:\Program Files\windows
C:\Program Files\Common Files\{CC1A99E7-0702-1033-1217-020409200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\ECURIT~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\wucrtupd.exe
C:\QooBox\Purity\WINDOWS\SYSTEM32\RACLE~1

((((((((((((((((((((((((((((((( Files Created from 2006-08-04 to 2006-09-04 ))))))))))))))))))))))))))))))))))

2006-08-31 19:16 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-08-17 20:38 19,456 --a------ C:\WINDOWS\sys061897-870672006.exe
2006-08-04 22:09 394 --a------ C:\stvp.exe
2006-08-04 04:29 903 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-08-04 04:28 235,134 --a------ C:\WINDOWS\srvjqnvpgv.exe
2006-08-04 04:28 184,829 --a------ C:\WINDOWS\srvmspihgo.exe
2006-08-04 04:28 1,167 --a------ C:\WINDOWS\SYSTEM32\wjs8e8b6.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-04 22:12 -------- d-a------ C:\Program Files\Common Files
2006-09-04 22:07 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-04 21:49 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-01 17:00 -------- d-------- C:\Program Files\Windows Media Player
2006-09-01 17:00 -------- d-------- C:\Program Files\MSN
2006-09-01 17:00 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-01 17:00 -------- d-------- C:\Program Files\Common Files\koii
2006-08-31 19:26 -------- d-------- C:\Program Files\symantec_antivirus_client_v8_1_0_825
2006-08-31 19:16 -------- d-------- C:\Program Files\Symantec
2006-08-31 19:16 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-31 19:13 73496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-08-17 22:22 -------- d-------- C:\Documents and Settings\jamie\Application Data\Talkback
2006-08-17 22:21 -------- d-------- C:\Documents and Settings\jamie\Application Data\Mozilla
2006-08-17 21:45 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-17 20:27 -------- d-------- C:\Program Files\NetMeeting
2006-08-02 21:44 170 --a------ C:\WINDOWS\autoupdate.bat
2006-08-01 11:05 -------- d-------- C:\Program Files\QUICKENW
2006-07-30 10:14 -------- d-------- C:\Program Files\Internet Explorer
2006-07-30 09:54 -------- d-------- C:\Documents and Settings\jamie\Application Data\Sun
2006-07-30 09:51 -------- d-------- C:\Program Files\Java
2006-07-30 09:50 -------- d-------- C:\Program Files\Common Files\Java
2006-07-30 09:44 -------- d-------- C:\Program Files\Lavasoft
2006-07-30 09:44 -------- d-------- C:\Documents and Settings\jamie\Application Data\Lavasoft
2006-07-15 16:35 12288 --a------ C:\pcdr32.exe
2006-07-10 14:58 -------- d-------- C:\Program Files\Windows NT
2006-07-10 10:50 11776 --a------ C:\driveB.com
2006-06-20 16:27 170 --a------ C:\WINDOWS\comexec.bat
2006-06-14 22:18 154 --a------ C:\WINDOWS\comfix.bat
2006-06-13 05:28 183845 --a------ C:\WINDOWS\comhost.exe
2006-06-11 00:13 93633 --ahs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"ConMgr.exe"="\"C:\\Program Files\\EarthLink 5.0\\conmgr.exe\""
"Lexmark X84-X85 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"Lexmark X84-X85 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\vptray.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\kyjegit.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\microsoft frontpage\\hogydaran.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,5d,00,00,00,00,00,00,00,a3,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,5d,00,00,00,00,00,00,00,a3,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"koii"="C:\\PROGRA~1\\COMMON~1\\koii\\koiim.exe"
"Aida"="\"C:\\WINDOWS\\ECURIT~1\\wucrtupd.exe\" -vt tzt"
"Twgzwwu"="C:\\Program Files\\Common Files\\F?nts\\?poolsv.exe"
"ujbcv"="C:\\WINDOWS\\System32\\yvpiuj.exe reg_run"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{CC1A99E7-0702-1033-1217-020409200001}"="\"C:\\Program Files\\Common Files\\{CC1A99E7-0702-1033-1217-020409200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"koii"="C:\\PROGRA~1\\COMMON~1\\koii\\koiim.exe"
"Aida"="\"C:\\WINDOWS\\ECURIT~1\\wucrtupd.exe\" -vt tzt"
"Twgzwwu"="C:\\Program Files\\Common Files\\F?nts\\?poolsv.exe"
"ujbcv"="C:\\WINDOWS\\System32\\yvpiuj.exe reg_run"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{CC1A99E7-0702-1033-1217-020409200001}"="\"C:\\Program Files\\Common Files\\{CC1A99E7-0702-1033-1217-020409200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: Mon 09/04/2006 22:22:46.01
ComboFix.txt
ComboFix2.txt

Here's the output from ComboFix2:
jamie - 06-09-04 21:56:13.22
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\jamie\Desktop

Microsoft Windows XP [Version 5.1.2600]

SDFix: Version 1.20
-------------------------

Scan Time/Date:

10:29 PM
Mon 09/04/2006

Microsoft Windows XP [Version 5.1.2600]

Running from:
C:\Documents and Settings\jamie\Desktop\SDFix\SDFix

Stage One...

Checking Services...

Service Name:
------------------

wtime
time
spoolsvc222
wmipervaddon

File Path:
------------

\??\C:\WINDOWS\System32\timedrv26.sys
C:\WINDOWS\System32\nlkfev7tydfhjloq.exe
C:\WINDOWS\TEMP\sklrr7y1733523.exe /service
C:\WINDOWS\wmiapsv.exe

Removing Services:
------------------------

SUCCESS
SUCCESS
SUCCESS
SUCCESS

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

C:\WINDOWS\SYSTEM32\cjnr4r4aknquydi.exe
C:\WINDOWS\SYSTEM32\cjnr4r4cfjmquzd.exe
C:\WINDOWS\SYSTEM32\cjnr4r4dgjnr.exe
C:\WINDOWS\SYSTEM32\cjnr4r4fosvzdim.exe
C:\WINDOWS\SYSTEM32\cjnr4r4jprsuw.exe
C:\WINDOWS\SYSTEM32\cjnr4r4lqvxzbdgil.exe
C:\WINDOWS\SYSTEM32\cjnr4r4oybeimr.exe
C:\WINDOWS\SYSTEM32\cjnr4r4tvxyacfhkm.exe
C:\WINDOWS\SYSTEM32\cjnr4r4zdjl.exe
C:\WINDOWS\SYSTEM32\cjnr4r4zgjm.exe
C:\WINDOWS\Temp\cjnr4r45F94A744.tmp
C:\WINDOWS\SYSTEM32\sklrr7yacdfhjloqt.exe
C:\WINDOWS\SYSTEM32\sklrr7ybehlptx.exe
C:\WINDOWS\SYSTEM32\sklrr7ybflmoqt.exe
C:\WINDOWS\SYSTEM32\sklrr7yeorvzdhmrw.exe
C:\WINDOWS\SYSTEM32\sklrr7yfgikmoqs.exe
C:\WINDOWS\SYSTEM32\sklrr7yfkprtvx.exe
C:\WINDOWS\SYSTEM32\sklrr7yfpsvzd.exe
C:\WINDOWS\SYSTEM32\sklrr7yhqtxbfjot.exe
C:\WINDOWS\SYSTEM32\sklrr7yhruycgkpuz.exe
C:\WINDOWS\SYSTEM32\sklrr7yjmsuwyacfi.exe
C:\WINDOWS\SYSTEM32\sklrr7yjtwa.exe
C:\WINDOWS\SYSTEM32\sklrr7youvxzbdgil.exe
C:\WINDOWS\SYSTEM32\sklrr7ypswzdh.exe
C:\WINDOWS\SYSTEM32\sklrr7ypvwy.exe
C:\WINDOWS\SYSTEM32\sklrr7yquac.exe
C:\WINDOWS\SYSTEM32\sklrr7ysxcegik.exe
C:\WINDOWS\SYSTEM32\sklrr7ytdgk.exe
C:\WINDOWS\SYSTEM32\sklrr7yuxaeimqv.exe
C:\WINDOWS\SYSTEM32\sklrr7yvycf.exe
C:\WINDOWS\SYSTEM32\sklrr7ywfjmquzdj.exe
C:\WINDOWS\SYSTEM32\sklrr7yxzbceg.exe
C:\WINDOWS\Temp\sklrr7y1733523.exe
C:\WINDOWS\SYSTEM32\mlsdf8hbloswae.exe
C:\WINDOWS\SYSTEM32\mlsdf8hdnru.exe
C:\WINDOWS\SYSTEM32\mlsdf8hfhik.exe
C:\WINDOWS\SYSTEM32\mlsdf8hfhikmoqt.exe
C:\WINDOWS\SYSTEM32\mlsdf8hilos.exe
C:\WINDOWS\SYSTEM32\mlsdf8hknruychlqw.exe
C:\WINDOWS\SYSTEM32\mlsdf8hpsvzd.exe
C:\WINDOWS\SYSTEM32\mlsdf8hqrtuwybd.exe
C:\WINDOWS\SYSTEM32\mlsdf8htwzdhlpuze.exe
C:\WINDOWS\SYSTEM32\mlsdf8hvzfgi.exe
C:\WINDOWS\SYSTEM32\mlsdf8hxadhlpt.exe
C:\WINDOWS\SYSTEM32\mlsdf8hxaehl.exe
C:\WINDOWS\SYSTEM32\mlsdf8hxyace.exe
C:\WINDOWS\SYSTEM32\mlsdf8hyacdfhkm.exe
C:\WINDOWS\SYSTEM32\mlsdf8hzdgj.exe
C:\WINDOWS\SYSTEM32\mlsdf8hzdkmoqsvx.exe
C:\WINDOWS\SYSTEM32\nlkfev7aknquydins.exe
C:\WINDOWS\SYSTEM32\nlkfev7dnquyc.exe
C:\WINDOWS\SYSTEM32\nlkfev7gjnq.exe
C:\WINDOWS\SYSTEM32\nlkfev7hikmoqs.exe
C:\WINDOWS\SYSTEM32\nlkfev7iloswaejou.exe
C:\WINDOWS\SYSTEM32\nlkfev7jntvxzbdg.exe
C:\WINDOWS\SYSTEM32\nlkfev7lpvxz.exe
C:\WINDOWS\SYSTEM32\nlkfev7mqwyace.exe
C:\WINDOWS\SYSTEM32\nlkfev7qadgkot.exe
C:\WINDOWS\SYSTEM32\nlkfev7rvbdfhjloq.exe
C:\WINDOWS\SYSTEM32\nlkfev7twzdgl.exe
C:\WINDOWS\SYSTEM32\nlkfev7tydfhjloq.exe
C:\WINDOWS\SYSTEM32\nlkfev7xhknr.exe
C:\WINDOWS\SYSTEM32\nlkfev7ybeim.exe
C:\WINDOWS\SYSTEM32\nlkfev7zcfjnr.exe
C:\WINDOWS\SYSTEM32\dior4f4bknrv.exe
C:\WINDOWS\SYSTEM32\dior4f4blosw.exe
C:\WINDOWS\SYSTEM32\dior4f4hjkm.exe
C:\WINDOWS\SYSTEM32\dior4f4hjkmo.exe
C:\WINDOWS\SYSTEM32\dior4f4jmptxbfkp.exe
C:\WINDOWS\SYSTEM32\dior4f4jnvxzb.exe
C:\WINDOWS\SYSTEM32\dior4f4kuxb.exe
C:\WINDOWS\SYSTEM32\dior4f4lswzd.exe
C:\WINDOWS\SYSTEM32\dior4f4pwzdhlpuz.exe
C:\WINDOWS\SYSTEM32\dior4f4pzcgjosxch.exe
C:\WINDOWS\SYSTEM32\dior4f4ruybfjos.exe
C:\WINDOWS\SYSTEM32\dior4f4xhknrvafk.exe
C:\WINDOWS\SYSTEM32\timedrv26.sys

Backing Up and Removing any Files Found....

Final Check:

Remaining Services:
------------------------

Remaining Files:
-------------------

FINISHED

Rawe

2006-09-05, 10:29

Much better already :)

Go ahead and delete SDFix along with ComboFix....

---

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract Avenger.exe to your desktop.

2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINDOWS\sys061897-870672006.exe
C:\stvp.exe
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\srvjqnvpgv.exe
C:\WINDOWS\srvmspihgo.exe
C:\WINDOWS\SYSTEM32\wjs8e8b6.sys
C:\pcdr32.exe
C:\driveB.com
C:\WINDOWS\comexec.bat
C:\WINDOWS\comfix.bat
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

Folders to delete:
C:\Program Files\Common Files\koii

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to the notepad file into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
Restarts your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it briefly opens a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log. :bigthumb:

iggalileo

2006-09-05, 16:23

It is looking better! Thanks!

Here's avenger output after running it:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\imvadwbc

*******************

Script file located at: \??\C:\WINDOWS\lthaoilj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\sys061897-870672006.exe deleted successfully.
File C:\stvp.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\winpfg32.sys deleted successfully.
File C:\WINDOWS\srvjqnvpgv.exe deleted successfully.
File C:\WINDOWS\srvmspihgo.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\wjs8e8b6.sys deleted successfully.
File C:\pcdr32.exe deleted successfully.
File C:\driveB.com deleted successfully.
File C:\WINDOWS\comexec.bat deleted successfully.
File C:\WINDOWS\comfix.bat deleted successfully.
File C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe deleted successfully.
Folder C:\Program Files\Common Files\koii deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here's HiJackThis output after rebooting...

Logfile of HijackThis v1.99.1
Scan saved at 9:23:28 AM, on 9/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jamie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe

Rawe

2006-09-05, 17:03

MUCH better :)

Go ahead and delete Avenger if you wish.

Please run a scan with HijackThis and check the following object for removal if present:

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

----

Updating Java and Clearing Cache
Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have next icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.

Now please install Java Runtime Environment (JRE) 5.0 Update 8 manually..
Note to reboot the computer after updating:

http://java.sun.com/javase/downloads/index.jsp (http://java.sun.com/javase/downloads/index.jsp)

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

----

Finally, lets check this just incase...

Download GMER (http://www.gmer.net/gmer.zip):
Unzip it and double-click GMER.exe
Click the rootkit-tab and click scan.
Once done, click Copy.
This will copy the results to clipboard.
Paste the results in your next reply and let me know hows the system running now. :bigthumb:

iggalileo

2006-09-06, 02:45

Removed then updated JRE. Removed temporary content and ran GMER.

The system is running very well. No pop-ups at all. Thank you! Looking forward to patching this thing when you've signed-off.

Here's GMER's output:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-05 19:42:30
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE EF632143

---- EOF - GMER 1.0.10 ----

Rawe

2006-09-06, 09:14

Looking good! :bigthumb:

One more HijackThis log please :)

iggalileo

2006-09-06, 14:59

Logfile of HijackThis v1.99.1
Scan saved at 7:57:51 AM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jamie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe

THANK YOU!!!!

Rawe

2006-09-06, 15:57

Looking good :)

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have. (Note to only use 1 at-the-time)
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definatley a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). (Note to only use 1 at-the-time)
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/).And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html)

tashi

2006-09-13, 06:58

As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.