UCmore, BattyRun2, and a whole host of other junk



Nannette
2006-09-24, 06:04
At around 1pm this afternoon, I clicked on the first result of a Google search and ended up being bombarded by a ton of crap.

Shortcuts popped up on my desktop, several programs were installed which I have since uninstalled from Add/Remove, and about 15 new processes came up in my Task Manager. Some came back after being terminated while new ones were still popping up. Files were copied both to my root drive and my system32 folder. Among them were:

topaff.exe
deskbar.exe
installerwnusnewer.exe
803.104.exe
deskbar_e12.exe
kybrdff_e12.exe - called Project 1
dfndrff_e12.exe
nwnmff_e12.exe
bkd.exe
wnsinttr.exe
aaa00000.dll
aaa00000.ini
aaa00000.sys
and some others that I don't recognize

AVG picked up several WINATS during the infection.

I was re-directed to a mirarsearch site when trying to uninstall the programs, and while it did uninstall the mirar toolbar, it just seemed to make things worse.


Most of this stuff was just jumbled letters and numbers with no coherency. The ones I can remember that I haven't deleted are UCmore and Batty2.exe (which still shows in processes at boot).

Most of the severe stuff I've managed to get rid of, but I still have pop-ups that appear randomly when not browsing or appear when opening a new browser window. The 2 most popular ones are Party Poker and Registry Cleaner Recommended. Others are random advertisements with videos and music and p0rn.

Here is what I've done so far:

- Trend Micro scan via Dell website
- Updated and ran Spybot, which detected a lot of stuff but had problems with 2 files that couldn't be deleted. Also had to terminate a cmd process before scanning.
- Stinger
- MRT by Microsoft
- CWShredder
- Autoruns
- SmitFraudFix
- Updated and ran Ad-Aware
- CCleaner
- HijackThis 1.99. Got rid of a few things with this, but the remaining are things I'm not familiar with and therefore not sure about. Mirar is still there, as is Batty2 (which won't show in processes now since I've terminated it). Those I've left alone are:

C:\WINDOWS\system32\g4400ehmeh4a0.dll (file missing)
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
C:\WINDOWS\system32\dnr4019qe.dll
http://click.getmirar.com (HKLM)
http://click.mirarsearch.com (HKLM)
http://redirect.mirarsearch.com (HKLM)
http://awbeta.net-nucleus.com (HKLM)
C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe

I've run a few other programs that I now can't remember, but they didn't do much anyway, or I would remember them.

Here is the whole HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:51 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\whatever\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4F501B-F723-49AF-AF71-50ED6059C3D3}: NameServer = 207.69.188.185,207.69.188.186

O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\g4400ehmeh4a0.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\dnr4019qe.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)


Any help would be appreciated. Thanks.

pskelley
2006-09-24, 14:00
Welcome to the forum. You should review the sticky information pinned to the top for your benefit, especially this link:
http://forums.spybot.info/showthread.php?t=288

Note: In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.

This log also appears to have been run in Safe Mode. I need to see all logs in Normal Mode unless I request otherwise.

You have some real nasties, including a Look2me infection which is where we will start.

Thanks to Atribune and any others who helped with this fix.

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Make sure to restart the computer and post the two logs bolded above, we will have more to do. I will suggest you would be wise to keep this computer offline as much as possible until it is clean, this junk will attract more.

Thanks

Nannette
2006-09-24, 17:37
Before I do all that, you should know that is not a safe mode log.

A safe mode log will not show certain information since only the most basic of components and executables are enabled.

Typically, most program services and startup software will not be present.

I can give you another log, but the only differences are items that I haven't yet terminated since I just booted the machine.



Logfile of HijackThis v1.99.1
Scan saved at 10:04:51 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Batty2\Batty2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\whatever\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4F501B-F723-49AF-AF71-50ED6059C3D3}: NameServer = 207.69.188.185,207.69.188.186
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\g4400ehmeh4a0.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f0l02a3mgd.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)

pskelley
2006-09-24, 17:43
That's fine, you have one strange looking log. Just make sure you are showing me everything; if I can't see it, I can't help you remove it if it is bad. The first set of instructions is only going to remove one infection, Look2me.

Thanks

Nannette
2006-09-24, 17:54
Strange as in good, or strange as in bad? That's typical anyway - I always end up with the weirdest circumstances.

Ok, here are the 2 new logs.



Logfile of HijackThis v1.99.1
Scan saved at 10:48:33 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Batty2\Batty2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\whatever\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4F501B-F723-49AF-AF71-50ED6059C3D3}: NameServer = 207.69.188.185,207.69.188.186
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\mcvcp71.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)




Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/24/2006 10:42:04 AM

Infected! C:\WINDOWS\system32\hrp2057oe.dll
Infected! C:\WINDOWS\system32\dnjo0113e.dll
Infected! C:\WINDOWS\system32\f8j20i1oe8.dll
Infected! C:\WINDOWS\system32\hyzids01.dll
Infected! C:\WINDOWS\system32\inaapi.dll
Infected! C:\WINDOWS\system32\irjql5151.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\hrp2057oe.dll
C:\WINDOWS\system32\hrp2057oe.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\dnjo0113e.dll
C:\WINDOWS\system32\dnjo0113e.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\f8j20i1oe8.dll
C:\WINDOWS\system32\f8j20i1oe8.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\hyzids01.dll
C:\WINDOWS\system32\hyzids01.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\inaapi.dll
C:\WINDOWS\system32\inaapi.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\irjql5151.dll
C:\WINDOWS\system32\irjql5151.dll could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2CD4704C-0D3E-4FBE-890E-EF73F24DC08C}"
HKCR\Clsid\{2CD4704C-0D3E-4FBE-890E-EF73F24DC08C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DFDEF76E-83CE-4D95-A8B6-CEB63A9B247C}"
HKCR\Clsid\{DFDEF76E-83CE-4D95-A8B6-CEB63A9B247C}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Thanks.

pskelley
2006-09-24, 18:12
Would you please review the instructions to make sure they are being followed exactly. I rarely have any problems with this fix, and all I see is "could not be deleted!". The reason we remove Look2me first is because it does not remove well after other removal programs have been run, and it appears you have run many. Take your time, post any messages you get for me. This repair is likely going to take some time. Post the Look2me log again after it is run.

Thanks

Nannette
2006-09-24, 18:32
Well, I dunno. Both times it ran per the instructions with no messages at all, but it worked this time. Here's the log:




Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 9/24/2006 11:20:01 AM

Infected! C:\WINDOWS\system32\mcvcp71.dll
Infected! C:\WINDOWS\system32\dztrans.dll
Infected! C:\WINDOWS\system32\hrp2057oe.dll
Infected! C:\WINDOWS\system32\j8p0li7m18.dll
Infected! C:\WINDOWS\system32\mcvcp71.dll
Infected! C:\WINDOWS\system32\mgnetobj.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mcvcp71.dll
C:\WINDOWS\system32\mcvcp71.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dztrans.dll
C:\WINDOWS\system32\dztrans.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrp2057oe.dll
C:\WINDOWS\system32\hrp2057oe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j8p0li7m18.dll
C:\WINDOWS\system32\j8p0li7m18.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mcvcp71.dll
C:\WINDOWS\system32\mcvcp71.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mgnetobj.dll
C:\WINDOWS\system32\mgnetobj.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Nannette
2006-09-24, 18:34
Oh, yeah:



Logfile of HijackThis v1.99.1
Scan saved at 11:34:23 AM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Batty2\Batty2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\whatever\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4F501B-F723-49AF-AF71-50ED6059C3D3}: NameServer = 207.69.188.185,207.69.188.186
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)

pskelley
2006-09-24, 18:49
Thanks, I was just posting to ask for a HJT log. That is a very good thing that it worked, other fixes for Look2me are more difficult to use.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Start > Control Panel > Add Remove programs and uninstall Batty2 if there and any other program you know does not belong there.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Batty2\ <<< delete that folder

C:\WINDOWS\System32\qdrfjdq.exe <<< delete that file if there (don't miss it!)

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, let us know how the computer is running now.

Thanks
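A small triage script for the kinds of HijackThis entries singled out in the fix list above (empty R0 Local Page, extra executables chained onto the F2 UserInit line, O15 Trusted Zone additions, a non-empty O20 AppInit_DLLs value, O20 Winlogon Notify hooks with missing or random-looking DLLs, and dead "(no file)" references). It is an added example, not code from the thread or from HijackThis; the random-name heuristic is an assumption of this example and will not catch lookalike names such as mcvcp71.dll, which Look2Me-Destroyer found by other means.

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines constructed from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qdrfjdq.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\g4400ehmeh4a0.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\dnr4019qe.dll
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def random_looking(path: str) -> bool:
    """Heuristic (assumption): a basename of 8+ characters that mixes letters and
    digits, with digits making up 30% or more, matches the Look2Me naming seen here."""
    stem = re.sub(r"\s*\(file missing\)$", "", path.strip())
    stem = stem.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return bool(len(stem) >= 8 and digits and letters and digits / len(stem) >= 0.3)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line if it matches a rule, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "R0" and body.rstrip().endswith("="):
        return Finding(sec, line, "R0 value is empty; the IE page setting was cleared")
    if sec == "F2" and "UserInit=" in body:
        # Anything after userinit.exe on this line also runs at every logon.
        exes = body.split("UserInit=", 1)[1].split(",")
        extra = [e.strip() for e in exes[1:] if e.strip()]
        if extra:
            return Finding(sec, line, "extra executable(s) chained to UserInit: " + ", ".join(extra))
    if sec == "O15":
        site = body.split(":", 1)[1].split("(")[0].strip()
        return Finding(sec, line, "site added to the IE Trusted Zone: " + site)
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return Finding(sec, line, "AppInit_DLLs is loaded into every GUI process: " + value)
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        name, _, path = body.split(":", 1)[1].strip().partition(" - ")
        if "(file missing)" in path:
            return Finding(sec, line, f"Winlogon Notify '{name}' points at a missing DLL")
        if random_looking(path):
            return Finding(sec, line, f"Winlogon Notify '{name}' loads a random-looking DLL")
    if "(no file)" in body or "(file missing)" in body:
        return Finding(sec, line, "dead reference; entry should be cleaned up")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through triage_line, keeping the hits."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```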

Nannette
2006-09-24, 19:27
Alrighty.

Deleted HJ items.
Deleted Batty2 folder
No qdrfjdq.exe present.
Ran ATF cleaner.

Here is the new log:



Logfile of HijackThis v1.99.1
Scan saved at 12:16:19 PM, on 9/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\whatever\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livewc02.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4F501B-F723-49AF-AF71-50ED6059C3D3}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)


However, there are still some folders in C:\Program Files that don't belong there.

CMFibula
Deskbar
popupwithcast
PSDream
PSLister
DeluxeCommunication

All added yesterday at around or after time of infection. Delete them manually?

No more popups as of yet, but there is a bit of hanging at boot and load that wasn't there before infection.

Definitely an improvement though from what I had going on yesterday. Thanks a lot!

pskelley
2006-09-24, 19:48
If they are programs on your computer that you don't know, I would delete them:
CMFibula
Deskbar
popupwithcast
PSDream
PSLister
DeluxeCommunication
First look in Add/Remove Programs and uninstall anything you know does not belong there. This is what I was saying: I could not see these programs in the HJT log. Do you have them whitelisted? Turned off in MSConfig?
Then delete the folders. If you want to check them first, here are three free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

This HJT log is clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

"but there is a bit of hanging at boot and load that wasn't there before infection."
Your computer has had some fairly rough handling, by the hackers as they installed the junk, and by us as we removed it. Once you have removed the bad programs files, I suggest a complete maintenance, defrag, scan disk, etc. Here are links that may help.
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471

Safe surfing...tashi:) will close the topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Nannette
2006-09-24, 20:40
Thanks for all your help and those links. I'll definitely check them out.

Have a good one.

LonnyRJones
2006-10-01, 01:37
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).