uptodateprotection Homepage!!



Danuka
2006-09-25, 12:00
Hi,
I ran through the Preliminary Steps, and it looks like the problem was solved, but I would just like to make sure.

Here are my log files:

Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 7:44:29 PM, on 25/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\isafe.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Vet\VetMsg.exe
C:\Vet\VetTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ccleaner] "D:\Program Files\CCleaner\ccleaner.exe" /AUTO
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Online scan:

Incident Status Location

Virus:Trj/DisableKey.A Disinfected Operating system
Virus:Trj/DisableKey.A Disinfected Operating system
Adware:adware/pornmagpass Not disinfected c:\windows\system32\ishost.exe
Adware:adware/systemdoctor Not disinfected c:\windows\system32\isnotify.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[2].txt
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\User\Local Settings\Temp\b124.exe[²ÜÇ\nsRandom.dll]
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\User\Local Settings\Temp\sa25.exe[Spy-Quake2.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\totauukv.dll
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\User\Local Settings\Temp\win19.tmp.exe
Virus:Trj/DisableKey.A Disinfected C:\Documents and Settings\User\Local Settings\Temp\win1E.tmp.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx7.dll
Virus:Trj/DisableKey.A Disinfected C:\WINDOWS\system32\uhvjsul.dll
Virus:Trj/DisableKey.A Disinfected C:\WINDOWS\system32\unaoakg.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\urroxtl.dll

pskelley
2006-09-25, 15:13
Welcome to the forum. The only thing I see is a possibly outdated Java program in the HJT log, but the online scan shows there is or was a Smitfraud infection. I know when the HJT log was run (Scan saved at 7:44:29 PM, on 25/09/2006); was the online scan run before you "ran through the Preliminary Steps"?
Understand I have no way of knowing what those steps were. The online scan shows the infection but no time when it was run. Run the online scan again... that stuff should be gone if you are clean. Post those scan results.

Java information: http://forums.spybot.info/showpost.php?p=12880&postcount=2

I also suggest you take CCleaner off of auto, run it manually once a month or so.

Thanks

Danuka
2006-09-26, 11:38
OK, I ran the online scan again;
hopefully it is clean now.

Online scan:

Incident Status Location

Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\winrvc32.dll
Adware:adware/systemdoctor Not disinfected c:\windows\system32\issearch.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[counter16.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\u9d9xxdt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\User\Cookies\user@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\User\Cookies\user@adserver.filefront[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\User\Cookies\user@bluestreak[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@drivecleaner[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@www.drivecleaner[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\user@zedo[1].txt
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\User\Local Settings\Temp\b124.exe[²ÜÇ\nsRandom.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\ddmrlvax.dll
Adware:Adware/SuperSpider Not disinfected C:\Documents and Settings\User\Local Settings\Temp\mst15.tmp
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\User\Local Settings\Temp\sa25.exe[Spy-Quake2.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\totauukv.dll
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\User\Local Settings\Temp\win19.tmp.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx7.dll
Virus:Trj/Lowzones.SV Disinfected C:\WINDOWS\Temp\ja.exe

pskelley
2006-09-26, 11:51
Well, a lot of that is cookies that you can delete yourself, but you are showing stuff that can indicate you are still infected:

Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\winrvc32.dll
Adware:adware/systemdoctor Not disinfected c:\windows\system32\issearch.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\User\Local Settings\Temp\b124.exe[²ÜÇ\nsRandom.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\ddmrlvax.dll
Adware:Adware/SuperSpider Not disinfected C:\Documents and Settings\User\Local Settings\Temp\mst15.tmp
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\User\Local Settings\Temp\sa25.exe[Spy-Quake2.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\totauukv.dll
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\User\Local Settings\Temp\win19.tmp.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx7.dll
Virus:Trj/Lowzones.SV Disinfected C:\WINDOWS\Temp\ja.exe

Several infections and trojans are showing in there, including a possible Vundo infection. You should know if you have Vundo; it is a prolific popup maker usually directing to rogue Winfixer sites. I also see evidence that indicates Smitfraud has not been removed. If you wish to proceed, then start like this:

Follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 . When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

Danuka
2006-09-26, 15:14
I ran through those steps; here are the 3 logs. BTW, thanks for this, it really does help.

ewido anti-spyware>>
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:48:58 PM 26/09/2006

+ Scan result:



C:\WINDOWS\system32\winrvc32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

HijackThis>>
Logfile of HijackThis v1.99.1
Scan saved at 11:04:36 PM, on 26/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\isafe.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Vet\VetMsg.exe
C:\Vet\VetTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Danuka
2006-09-26, 15:17
Sorry, but the Spybot text was over the file limit; here it is though. Well, at least half:


--- Search result list ---
Win23.PE: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386

Win23.PE: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

SeachToolbarCorp.ToolbarVision: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-823518204-926492609-1801674531-1003\Software\Search Toolbar Corp

SeachToolbarCorp.ToolbarVision: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{821F87FF-8245-4972-9E28-732E92EC2F51}

SeachToolbarCorp.ToolbarVision: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{821F87FF-8245-4972-9E28-732E92EC2F51}

SeachToolbarCorp.ToolbarVision: IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-823518204-926492609-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{821F87FF-8245-4972-9E28-732E92EC2F51}

SeachToolbarCorp.ToolbarVision: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{821F87FF-8245-4972-9E28-732E92EC2F51}

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Documents and Settings\User\Application Data\SearchToolbarCorp\

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Documents and Settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\

SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
C:\Documents and Settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt

SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
C:\Documents and Settings\User\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt

SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
C:\Program Files\VSToolbar\


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-22 Includes\Cookies.sbi (*)
2006-09-22 Includes\Dialer.sbi (*)
2006-09-22 Includes\Hijackers.sbi (*)
2006-09-22 Includes\Keyloggers.sbi (*)
2006-09-22 Includes\Malware.sbi (*)
2006-09-22 Includes\PUPS.sbi (*)
2006-09-22 Includes\Revision.sbi (*)
2006-09-22 Includes\Security.sbi (*)
2006-09-22 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-22 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows XP / SP2: Windows XP Service Pack 2


--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
file: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64c4c17bf6a40ff1cd21205e6fd415b8

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 67072
MD5: e622e1b8598029294312eeee9b02b699

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100

Located: HK_LM:Run, VetTray
command: C:\Vet\VetTray.exe
file: C:\Vet\VetTray.exe
size: 128112
MD5: 860a95a7e6bd29540ce9ba6bde122f51

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ddabc
command: C:\WINDOWS\system32\ddabc.dll
file: C:\WINDOWS\system32\ddabc.dll
size: 577588
MD5: 5eeefbfa2dbd3669b3a74bca2d798eca

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, winrvc32
command: winrvc32.dll
file: winrvc32.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 3/11/2003 2:17:44 PM
Date (last access): 26/09/2006 9:53:22 PM
Date (last write): 3/11/2003 2:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{278B661A-14A8-D8B0-6AF4-03088B866149} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: unaoakg.dll

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: D:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 25/09/2006 5:56:46 PM
Date (last access): 26/09/2006 10:57:24 PM
Date (last write): 31/05/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 2/03/2006 1:53:00 PM
Date (last access): 26/09/2006 9:53:34 PM
Date (last write): 10/11/2005 1:22:12 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 7/07/2006 12:29:52 PM
Date (last access): 26/09/2006 9:51:16 PM
Date (last write): 7/07/2006 12:29:52 PM
Filesize: 324416
Attributes: archive
MD5: 52A70C80A446FA3BBCDAF59A9AB26AF4
CRC32: B1456034
Version: 4.0.249.1

{a43385f0-7113-496d-96d7-b9b550e3fcca} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ixt0.dll

{CF61315B-E73B-401C-9CB2-7B01CC8F1B05} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ddabc.dll
Short name:
Date (created): 24/09/2006 7:16:26 PM
Date (last access): 26/09/2006 10:05:52 PM
Date (last write): 24/09/2006 7:16:40 PM
Filesize: 577588
Attributes: hidden sysfile
MD5: 5EEEFBFA2DBD3669B3A74BCA2D798ECA
CRC32: F396E491

{D4E0C464-30CE-4075-9A10-71FD106C2847} (PrintViewBHO Class)
BHO name:
CLSID name: PrintViewBHO Class
Path: C:\PROGRA~1\PRINTV~1\
Long name: printhook030.dll
Short name: PRINTH~1.DLL
Date (created): 24/09/2006 7:13:58 PM
Date (last access): 26/09/2006 9:51:16 PM
Date (last write): 4/08/2006 11:29:18 AM
Filesize: 229376
Attributes: archive
MD5: 49302EF9D7DD82EFA63356069BBB044E
CRC32: 33A3E5EA
Version: 0.3.0.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: D:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 13/09/2006 8:47:58 PM
Date (last access): 26/09/2006 7:14:46 PM
Date (last write): 13/09/2006 8:47:58 PM
Filesize: 557056
Attributes: archive
MD5: 2DA25D5262D714BFA420D6DE849E67A1
CRC32: 0098926B
Version: 7.1.0.210

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2/03/2006 1:52:58 PM
Date (last access): 26/09/2006 6:53:28 PM
Date (last write): 10/11/2005 1:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Legitimate
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 24/08/2006 8:28:54 AM
Date (last access): 26/09/2006 10:51:52 PM
Date (last write): 24/08/2006 8:28:54 AM
Filesize: 141424
Attributes: archive
MD5: CB0EBD772D7D003BD11A999FF515A89A
CRC32: 3CFE74C1
Version: 58.6.0.0

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2/03/2006 1:52:58 PM
Date (last access): 26/09/2006 10:59:36 PM
Date (last write): 10/11/2005 1:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2/03/2006 1:52:58 PM
Date (last access): 26/09/2006 10:59:36 PM
Date (last write): 10/11/2005 1:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9.ocx
Short name:
Date (created): 22/06/2006 1:44:22 PM
Date (last access): 26/09/2006 9:57:42 PM
Date (last write): 22/06/2006 1:44:22 PM
Filesize: 2201224
Attributes: readonly archive
MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
CRC32: B7385E3B
Version: 9.0.16.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 156 ( 4) \SystemRoot\System32\smss.exe
PID: 204 ( 156) \??\C:\WINDOWS\system32\csrss.exe
PID: 228 ( 156) \??\C:\WINDOWS\system32\winlogon.exe
PID: 272 ( 228) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 284 ( 228) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 440 ( 272) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 504 ( 272) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 564 ( 272) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1320 (1716) C:\WINDOWS\explorer.exe
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 340 (1320) D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 384 (1320) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7190637
MD5: 43658E87F7B183F2245491FBCC695E05
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 26/09/2006 10:59:38 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: CA ISafe LSP over [MSAFD Tcpip [TCP/IP]]
GUID: {2193C642-25BF-44E9-A745-F7C03C907452}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 1: CA ISafe LSP over [MSAFD Tcpip [UDP/IP]]
GUID: {2193C642-25BF-44E9-A745-F7C03C907452}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 2: CA ISafe LSP over [MSAFD Tcpip [RAW/IP]]
GUID: {2193C642-25BF-44E9-A745-F7C03C907452}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 3: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 4: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Danuka
2006-09-26, 15:22
Protocol 5: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 6: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: CA ISafe LSP
GUID: {AE2578B4-F478-4313-9A3E-1B83F7A643DF}
Filename: C:\WINDOWS\System32\VetRedir.dll

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B53A1653-9A16-4AE2-ABF8-1F8DA4A52683}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B53A1653-9A16-4AE2-ABF8-1F8DA4A52683}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29003DA6-424B-42AE-A32C-3BC552D3461D}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29003DA6-424B-42AE-A32C-3BC552D3461D}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C785BF7C-5F1C-4F2F-8E3D-B604C3355040}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C785BF7C-5F1C-4F2F-8E3D-B604C3355040}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CF646F6B-5D19-49F9-B065-7F58CA107F9B}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CF646F6B-5D19-49F9-B065-7F58CA107F9B}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Danuka
2006-09-26, 15:24
--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: D:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE D:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

ATI - Software Uninstall Utility 6.14.10.1013 (All ATI Software)
install location: C:\Program Files\ATI Technologies\UninstallAll
uninstall cmd: C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI Display Driver 8.221-060124a1-030153C-ATI (ATI Display Driver)
uninstall cmd: rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

(Branding)

CCleaner (remove only) (CCleaner)
uninstall cmd: "D:\Program Files\CCleaner\uninst.exe"

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

(DXM_Runtime)

Enable S3 for USB Device (Enable S3 for USB Device)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"

ewido anti-spyware 4.0 (ewidoantispyware4)
install location: D:\Program Files\ewido anti-spyware 4.0
uninstall cmd: D:\Program Files\ewido anti-spyware 4.0\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

Hijackthis 1.99.1 (Hijackthis_is1)
install location: C:\Program Files\Hijackthis\
uninstall cmd: "C:\Program Files\Hijackthis\unins000.exe"
publisher: Soeperman Enterprises Ltd
help link: http://www.merijn.org

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(InstallShield Uninstall Information)

QuickTime 7.1 (InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31})
version: 117506048
version (major): 7
version (minor): 1
estimated size: 71343
install date: 20060913
install location: D:\Program Files\QuickTime\
install source: C:\DOCUME~1\User\LOCALS~1\Temp\_is1FD\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

(Microsoft NetShow Player 2.0)

(MobileOptionPack)

Mozilla Firefox (1.5.0.7) 1.5.0.7 (en-US) (Mozilla Firefox (1.5.0.7))
install location: C:\Program Files\Mozilla Firefox
uninstall cmd: C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.7 (en-US)"
publisher: Mozilla

(MPlayer2)

(MsJavaVM)

(NetMeeting)

(OutlookExpress)

Panda ActiveScan (Panda ActiveScan)
uninstall cmd: C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
publisher: Panda Software S.L.

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Intel(R) PRO Network Adapters and Drivers (PROSet)
uninstall cmd: Prounstl.exe

SAMSUNG CDMA Modem Driver Set (SAMSUNG CDMA Modem)
uninstall cmd: C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe

Samsung Mobile USB Modem Software (Samsung Mobile USB Modem)
uninstall cmd: C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe

SAMSUNG Mobile USB Modem 1.0 Software (SAMSUNG Mobile USB Modem 1.0)
uninstall cmd: C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe

(SchedulingAgent)

Shareaza version 2.2.1.0 2.2.1.0 (Shareaza_is1)
install location: D:\Program Files\Shareaza\
uninstall cmd: "D:\Program Files\Shareaza\Uninstall\unins000.exe"
publisher: Shareaza Development Team
comments: Shareaza Ultimate File Sharing
help link: http://www.shareaza.com/?id=support

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
publisher: Adobe Systems
help link: http://www.adobe.com/go/flashplayer_support/

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: d:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "d:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

Vet Anti-Virus (VETWIN32Vp5)
uninstall cmd: C:\WINDOWS\UnVet32.exe

VideoLAN VLC media player 0.8.5 0.8.5 (VLC media player)
uninstall cmd: d:\Program Files\VideoLAN\VLC\uninstall.exe
publisher: VideoLAN Team

Winamp (remove only) (Winamp)
uninstall cmd: "C:\Program Files\Winamp\UninstWA.exe"

WinAVI VideoConverter (WinAVI VideoConverter_is1)
uninstall cmd: "D:\Program Files\WinAVI VideoConverter\unins000.exe"
publisher: ZJ Computing, Inc.
help link: http://www.Winavi.com

Windows Media Format Runtime (Windows Media Format Runtime)
uninstall cmd: "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10 (Windows Media Player)
uninstall cmd: "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows XP Service Pack 2 20040803.231319 (Windows XP Service Pack)
uninstall cmd: C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=811113

WinRAR archiver (WinRAR archiver)
uninstall cmd: d:\Program Files\WinRAR\uninstall.exe

WinZip 9.0 (6028) (WinZip)
version (major): 9
install location: C:\PROGRA~1\WINZIP\
uninstall cmd: "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
publisher: WinZip Computing, Inc.
help link: http://www.winzip.com/xsupport.htm

World of Warcraft (World of Warcraft)
uninstall cmd: C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

ATI HYDRAVISION 3.25.9006 ({083F79E4-6FE9-46FB-A6C6-4F8862742947})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"

AutoUpdate 1.1 ({18D10072035C4515918F7E37EAFAACFC})
install location: D:\Program Files\DivX

Windows Live Sign-in Assistant 4.000.249.1 ({22B3CC30-77B8-419C-AA4B-F571FDF5D66D})
version: 67109113
version (major): 4
estimated size: 1112
install date: 20060820
install source: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
publisher: Microsoft Corporation

FEAR 1.00.0000 ({2B653229-9854-4989-B780-D978F5F13EAB})
version: 16777216
install date: 20060820
install location: d:\Program Files\Sierra\FEAR
install source: E:\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 -removeonly
publisher: Vivendi Universal Games, Inc.
readme: d:\Program Files\Sierra\FEAR\readme.txt

J2SE Runtime Environment 5.0 Update 6 1.5.0.60 ({3248F0A8-6813-11D6-A77B-00B0D0150060})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 122273
install date: 20060829
install source: http://jdl.sun.com/webapps/download/GetFile/1.5.0_06plus-b05/windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_06\README.txt

WebFldrs XP 9.50.6513 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154278257
version (major): 9
version (minor): 50
estimated size: 2492
install date: 20060818
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Oblivion 1.00.0000 ({35CB6715-41F8-4F99-8881-6FC75BF054B0})
version: 16777216
install date: 20060819
install location: D:\Program Files\Bethesda Softworks\Oblivion
install source: E:\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
publisher: Bethesda Softworks
comments: The Elder Scrolls IV: Oblivion
help link: http://support.bethsoft.com
readme: D:\Program Files\Bethesda Softworks\Oblivion\readme.txt

SpaceCowboy 0.3.3.33 ({52A690A0-DC0A-4B80-B4D2-4E6D5C1C9B9C})
version: 196611
install location: d:\Program Files\GPotato\SpaceCowboy
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52A690A0-DC0A-4B80-B4D2-4E6D5C1C9B9C}\Setup.exe" -l0x9

ATI Problem Report Wizard 8.10 ({5DA6F06A-B389-407B-BF8C-1548767914D8})
version: 134873088
version (major): 8
version (minor): 10
estimated size: 1313
install date: 20060818
install location: C:\Program Files\ATI Technologies\PRW\
install source: E:\install\PRW\
uninstall cmd: MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
publisher: ATI Technologies
comments: ATI offers a wide variety of product support including driver downloads, technical and warranty information.
contact: ATI Customer Support Department
help link: http://support.ati.com
help telephone: 1-905-882-2626

ATI Catalyst Control Center 1.2.2114.467 ({6011B279-B96A-43E7-9FA7-BC2EC1D2076A})
version: 16910402
version (major): 1
version (minor): 2
estimated size: 229674
install date: 20060818
install source: E:\install\ACE\
uninstall cmd: MsiExec.exe /I{6011B279-B96A-43E7-9FA7-BC2EC1D2076A}
comments: Free technical support for ATI products, available 24 hours a day through our customer care webform.
contact: Customer Support Department
help link: http://www.ati.com/support/
help telephone: 1-877-284-1564

({62369F2F77534556AEF4C58152E3BDE5})

Samsung PC Studio 3.0.0.60105 ({672856C0-A328-49AD-9AB0-FB62B4FD0BB7})
version: 50331648
version (major): 3
estimated size: 2589
install date: 20060830
install location: D:\Program Files\Samsung\Samsung PC Studio 3\
install source: D:\Program Files\Samsung\Samsung PC Studio 3\{672856C0-A328-49AD-9AB0-FB62B4FD0BB7}\
publisher: Samsung Electronics Co., Ltd.
contact: Customer Support Department
help link: http://www.samsungmobile.co.kr
help telephone: 1-555-555-4505

PowerDVD ({6811CAA0-BF12-11D4-9EA1-0050BAE317E1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

6.2 ({7585478E9D9B42108671C12F8714CEFE})
install location: D:\Program Files\DivX
uninstall cmd: D:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
publisher: DivX, Inc.

DivX 6.2.5 ({7B63B2922B174135AFC0E1377DD81EC2})
install location: D:\Program Files\DivX
uninstall cmd: D:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
publisher: DivX, Inc.

DivX Player 6.3 ({8ADFC4160D694100B5B8A22DE9DCABD9})
install location: D:\Program Files\DivX
uninstall cmd: D:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
publisher: DivXNetworks, Inc.

Microsoft Office XP Professional with FrontPage 10.0.2627.0 ({90280409-6000-11D3-8CFE-0050048383C9})
version: 167774787
version (major): 10
estimated size: 290008
install date: 20060818
install location: INSTALLLOCATION
install source: E:\
uninstall cmd: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office10\1033\OFREAD10.HTM

Nero - Burning Rom 5.5.9 ({A4D7B764-4140-11D4-88EB-0050DA3579C0})
version: 84213769
version (major): 5
version (minor): 5
estimated size: 50947
install date: 20060821
install source: E:\Nero\NeroExpress55\
uninstall cmd: MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
publisher: ahead software gmbh
contact: Hotline
help link: http://www.nero.com
help telephone:
readme: 0

Intel(R) PROSet 6.05.2001 ({A790BEB1-BCCF-4EC6-807B-5708B36E8A79})
version: 100992977
version (major): 6
version (minor): 5
estimated size: 14712
install date: 20060818
install source: f:\network\intel\apps\proset\xp_net32\
uninstall cmd: MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
publisher: Intel
comments: Intel(R) PROSet installation package
contact: Intel Customer Support
help link: http://support.intel.com

Hitman Blood Money 1.00.0000 ({A804B134-F03D-4EFD-9BC0-DCD257AA1B22})
version: 16777216
install date: 20060820
install location: D:\Program Files\Eidos\Hitman Blood Money
install source: E:\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}\setup.exe" -l0x9 -removeonly
publisher: Eidos
comments: don't panic
help link: ***IS_STRING_NOT_DEFINED***

Adobe Reader 6.0.1 006.000.001 ({AC76BA86-7AD7-1033-7B44-A00000000001})
version: 100663297
version (major): 6
estimated size: 45049
install date: 20060818
install location: C:\Program Files\Adobe\Acrobat 6.0\Reader\
install source: C:\WINDOWS\Cache\Adobe Reader 6.0.1\ENUBIG\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
publisher: Adobe Systems Incorporated
comments:
contact: Customer Support Department
help link: http://www.adobe.com/support/main.html
help telephone:
readme: C:\Program Files\Adobe\Acrobat 6.0\Reader\Readme.htm

DivX Converter 6.2 ({B13A7C41581B411290FBC0395694E2A9})
install location: D:\Program Files\DivX
uninstall cmd: D:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
publisher: DivX, Inc.

DivX Web Player 1.0.0 ({B7050CBDB2504B34BC2A9CA0A692CC29})
install location: D:\Program Files\DivX
uninstall cmd: D:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
publisher: DivX,Inc.

PC Booster 5.0 ({BA0601E1-B65C-11D5-80A9-0000B494D9A6})
version: 83886080
install location: d:\Program Files\inKline Global\PC Booster
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0601E1-B65C-11D5-80A9-0000B494D9A6}\Setup.exe" -l0x9

QuickTime 7.1 ({C21D5524-A970-42FA-AC8A-59B8C7CDCA31})
version: 117506048
version (major): 7
version (minor): 1
estimated size: 71343
install date: 20060913
install location: D:\Program Files\QuickTime\
install source: C:\DOCUME~1\User\LOCALS~1\Temp\_is1FD\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Samsung PC Studio 3.0.0.60105 ({C4A4722E-79F9-417C-BD72-8D359A090C97})
version: 50331648
install date: 20060830
install location: D:\Program Files\Samsung\Samsung PC Studio 3
install source: C:\DOCUME~1\User\LOCALS~1\Temp\bye8.tmp\Disk1\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
publisher: Samsung Electronics Co., Ltd.
comments: Samsung PC Studio 3 Maintenance
contact: Samsung Electronics Co., Ltd.
help link: http://www.samsungmobile.co.kr
help telephone: +82 2051 4151

Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 37015
install date: 20060818
install source: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm

Heroes of Might and Magic V Collector Edition ({DDB68A90-340C-42B9-B42B-D2CBED1B91DC})
install location: D:\Program Files\Ubisoft\Heroes of Might and Magic V Collector Edition
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDB68A90-340C-42B9-B42B-D2CBED1B91DC}\setup.exe" -l0x9

Realtek AC'97 Audio ({FB08F381-6533-4108-B7DD-039E11FBC27E})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE

Windows Live Messenger 8.0.0812.00 ({FCE50DB8-C610-4C42-BE5C-193F46C6F812})
version: 134218540
version (major): 8
estimated size: 28205
install date: 20060820
install source: C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812}
publisher: Microsoft Corporation

pskelley
2006-09-26, 15:28
Please read the instructions carefully:

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.
Was ewido run in safe mode as per the instructions?

I need to see c:\rapport.txt, which was one of the three logs listed.
Copy/paste into your own new topic:
c:\rapport.txt
Ewido log
The HJT log

I am concerned about Vundo. Are you receiving any popups redirecting you to Winfixer? Please rename HijackThis.exe to something like Mytoy.exe. If Vundo is hiding from HJT, that should cause it to show itself.

Please stop posting information I have not requested, this is making the topic more difficult to work with. If I need something other than what I requested, I will ask for it.

Thanks

Danuka
2006-09-27, 13:26
Yeah, I do get popups now and then for that site. Yes, the ewido app was run in safe mode. Sorry about the logs, here they are again. :oops:

SmitFraudFix v2.100

Scan done at 22:08:18.76, Tue 26/09/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:48:58 PM 26/09/2006

+ Scan result:



C:\WINDOWS\system32\winrvc32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 11:04:36 PM, on 26/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\isafe.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Vet\VetMsg.exe
C:\Vet\VetTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

pskelley
2006-09-27, 14:21
Thanks for your cooperation, that will help us get the job done. Your logs look clean of malware. I believe you have a Java program that needs an update, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Start > Control Panel > Java (little coffee cup) and then click on the Updates tab and update the program. Now open Add Remove programs and remove any old versions of Java. While there, uninstall any programs you know do not belong there. If you have any doubts, let me know and I will look.

The hackers that put Vundo on your computer know we use HJT, so they hide the trojan from it. Return to C:\Program Files\Hijackthis\HijackThis.exe and rename HijackThis.exe to anything you wish, like Danuka.exe. Then reboot so the change can go into effect and post a fresh HJT log; if Vundo is there, we should be able to see it now in the BHO and O20 Winlogon areas.

Thanks

Danuka
2006-09-27, 15:19
OK, I changed the name of hijackthis.exe to mytoy.exe; I also updated my Java. So here is the new HJT log file. BTW, the popups also came for a site called driverclean.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:04 PM, on 27/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijackthis\MyToy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75828143-1269-4C3F-93BE-3CD898870E6F} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

pskelley
2006-09-27, 16:17
OK, thanks. Not only were the hackers hiding their junk, but other stuff as well. So you will know how this works: if the tool we use recognizes the name, it will delete it. If not, it will run again and learn the stuff that it needs to remove. At that point it would be very helpful if you would upload any files it could not remove; this will help others. You may need to allow it to run several times, until it says it has deleted all of the files. Then post the VundoFix log and a new HJT log.
This is the active vundo infection: C:\WINDOWS\system32\ddabc.dll

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to UploadMalware: http://www.uploadmalware.com

Hold those logs until the end of the instructions.

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {75828143-1269-4C3F-93BE-3CD898870E6F} - C:\WINDOWS\system32\ddabc.dll
(vundo...may say file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
(vundo...may be gone)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

(look for these, may be gone, just don't miss them)

C:\WINDOWS\system32\unaoakg.dll <<< file

C:\WINDOWS\system32\ddabc.dll <<< file

C:\WINDOWS\system32\ixt0.dll <<< file

C:\PROGRAM FILES~1\PRINTV~1\ <<< folder

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Make sure you restart the computer, post the C:\vundofix.txt and a new HiJackThis log. Let me know how the computer is running.

Thanks
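
As an added example that is not part of this thread (the script is mine, not pskelley's, and not part of HijackThis or VundoFix), here is a small Python triage script that applies the structural signals the helper used above to the O2/O20 lines of an HJT log: a registration whose file is already gone ("file missing"), an unnamed BHO loaded from system32, and any Winlogon Notify DLL, which loads at logon before the user's shell. The sample input is the set of lines copied from the log posted above; the rule wording and the triage() function are my own. It does not replace a human review: the PrintView entry the helper also asked to remove is not caught by these rules, which is exactly why the helper's knowledge of what belongs on a machine matters.

```python
import re
from typing import Dict, List

# Constructed sample input: the O2/O20 lines (plus one O4 line that should pass)
# copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75828143-1269-4C3F-93BE-3CD898870E6F} - C:\WINDOWS\system32\ddabc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O20 - Winlogon Notify: ddabc - C:\WINDOWS\system32\ddabc.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
"""

# HJT's O2 line shape: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# HJT's O20 line shape: "O20 - Winlogon Notify: <key> - <path>[ (file missing)]"
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

SYSTEM32 = "\\windows\\system32\\"


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the O2/O20 log lines worth a closer look, each with its reasons.

    Rules (assumptions of this example, not HijackThis's own logic):
      * a registration whose target file is already missing is a stale entry
        and is usually left behind by a removal;
      * an O2 BHO with no name that lives directly in system32 is unusual for
        legitimate software;
      * every O20 Winlogon Notify DLL is listed for review, because it runs
        at logon before the user's shell.
    """
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = BHO_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("BHO registration points at a file that no longer exists")
            if m.group("name") == "(no name)" and SYSTEM32 in m.group("path").lower():
                reasons.append("unnamed BHO loaded directly from system32")
        else:
            m = NOTIFY_RE.match(line)
            if m:
                reasons.append("Winlogon Notify DLL loads at logon; review against known software")
                if m.group("missing"):
                    reasons.append("Notify registration points at a file that no longer exists")
        if m and reasons:
            findings.append({"line": line, "path": m.group("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run it against a full HJT log by passing the log text to triage(); lines of other types (O4, O9, O23) pass through unflagged, so the output is only the O2/O20 entries that need a decision.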

Danuka
2006-09-28, 10:42
OK, I ran through the steps; here are the log files.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 5:24:48 PM 28/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak2
C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.bak2 Has been deleted!

Attempting to delete C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll
C:\Program Files\Common Files\{943B1724-0AFD-3081-0302-04060313003d}\services.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 5:51:53 PM 28/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddabc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Scan started at 6:13:02 PM 28/09/2006

Listing files found while scanning....

No infected files were found.


Logfile of HijackThis v1.99.1
Scan saved at 6:40:48 PM, on 28/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\isafe.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Vet\VetTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Vet\VetMsg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\MyToy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

pskelley
2006-09-28, 12:01
Logfile of HijackThis v1.99.1 Scan saved at 6:40:48 PM, on 28/09/2006
This is a clean HJT log, good job! You can rename HJT back to what it was if you wish.

Let me know how the computer is running.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program, but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If all is running well, no need to post again unless you wish to. tashi :) will close the topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-10-04, 19:19
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help, thank you pskelley