Computer virus [Archive] - Safer-Networking Forums

Wolverines

2006-10-24, 02:55

Hi,

I think my computer is infected -- I get a lot of random pop-ups, computer will randomly restart, explorer starts up automatically, etc.

I would appreciate any help you can provide! Results from HijackThis and on-line virus scan below:

1) HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:49:43 PM, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\dfndrff_e5.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Mchan\APPLIC~1\SSTEM~1\attrib.exe
C:\WINDOWS\system32\??curity\r?gedit.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {413D9D45-58A6-0105-D6AE-02B5E3B6DDEE} - C:\WINDOWS\system32\vjbstsng.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{C0-06-6D-DE-ZN}] C:\windows\system32\ojdsregn.exe GEN001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e5.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Esat] "C:\DOCUME~1\Mchan\APPLIC~1\SSTEM~1\attrib.exe" -vt tzt
O4 - HKCU\..\Run: [Kfgcqw] C:\WINDOWS\system32\??curity\r?gedit.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

2) On-line anti virus scan results:

Scan Results: 36692 files scanned. 13 viruses were detected.

File Infection Status Path

dfndrff_e5.exe Win32/Thoog.HZ
cannot cure C:\

0336128C-527C-441F-9DEA-195E7D Win32/SillyDl.AZZ
cannot cure C:\Documents and Settings\Mchan\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\4954D79C-869A-4E77-834E-7EA51F\

925BAA9B-9ADD-4381-97C7-04E860 Win32/Thoog.HA
cannot cure C:\Documents and Settings\Mchan\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\CBE39758-C5E2-49D4-8095-410300\

E4144987-F36F-4B70-BE68-506CA3 Win32/Thoog.HA
cannot cure C:\Documents and Settings\Mchan\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\CBE39758-C5E2-49D4-8095-410300\

!update.exe Win32/Clspring.FQ
cannot cure C:\Documents and Settings\Mchan\Local Settings\Temp\

slide657[1].htm JS/CVE-2006-3730!exploit
cannot cure C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\0G8TFIND\

xpladv657[1].wmf Win32/Worfo
cannot cure C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\GHYNO5MZ\

kybrdff_e[1].exe Win32/Thoog.IS
cannot cure C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\GT6ZOTYZ\

kybrdff_16.exe Win32/Thoog.GT
cannot cure C:\

kybrdff_e5.exe Win32/Thoog.IS
cannot cure C:\

Dc9.exe Win32/Thoog.GW
cannot cure C:\RECYCLER\S-1-5-21-1757981266-1580436667-1060284298-1003\

srvvkekdpl.exe Win32/SillyDl.AZG
cannot cure C:\WINDOWS\

ciphsbwu.dll Win32/Clspring!generic
cannot cure C:\WINDOWS\system32\

Shaba

2006-10-25, 20:01

Hi Wolverines

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Send:

- a fresh HijackThis log
- combofix report

Wolverines

2006-10-25, 20:43

Hi Shaba, thank you!

1) ComboFix report

Mchan - 06-10-25 13:37:30.78 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Mchan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\dfndrff_e5.exe
C:\kybrdff_16.exe
C:\kybrdff_e5.exe
C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\GT6ZOTYZ\kybrdff_e[1].exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1\attrib.exe
C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1\W?nSxS
C:\QooBox\Purity\Documents and Settings\Mchan\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Mchan\My Documents\ICROSO~1\w?aclt.exe
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\CURITY~1\r?gedit.exe

((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))

2006-10-23 14:43 131,072 --a------ C:\WINDOWS\system32\vjbstsng.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-23 14:44 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-10-20 21:54 -------- d-------- C:\Program Files\Google
2006-10-12 11:42 -------- d-------- C:\Program Files\XoftSpy
2006-10-01 17:11 -------- d-------- C:\Program Files\Messenger
2006-10-01 17:10 -------- d-------- C:\Program Files\Internet Explorer
2006-10-01 17:09 -------- d-------- C:\Program Files\Windows Media Player
2006-10-01 17:04 -------- d-------- C:\Program Files\Outlook Express
2006-10-01 17:04 -------- d-------- C:\Program Files\Common Files\System
2006-10-01 16:59 839 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-10 17:49 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-10 17:49 -------- d-------- C:\Program Files\Common Files
2006-09-10 17:21 -------- d-------- C:\Program Files\Sunbelt Software
2006-09-10 17:15 -------- d-------- C:\Program Files\Lavasoft
2006-09-10 17:15 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Lavasoft
2006-09-10 17:10 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Google
2006-09-10 16:28 811584 --a------ C:\GoogleToolbarInstaller.exe
2006-09-06 19:27 -------- d-------- C:\Program Files\Common Files\uooq
2006-09-06 18:17 1233 --a------ C:\WINDOWS\system32\fgg1ead9.sys
2006-09-06 18:16 852136 --a------ C:\WINDOWS\system32\WinNB65.dll
2006-09-06 18:15 215308 --a------ C:\WINDOWS\srvvkekdpl.exe
2006-09-06 18:15 -------- d---s---- C:\Documents and Settings\Mchan\Application Data\Microsoft
2006-08-31 10:39 126976 --a------ C:\WINDOWS\system32\ciphsbwu.dll
2006-08-28 21:53 -------- d-------- C:\Documents and Settings\Mchan\Application Data\AdobeUM
2006-08-28 21:52 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Adobe
2006-08-28 21:51 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-28 21:25 877 --a------ C:\Documents and Settings\Mchan\Application Data\AdobeDLM.log
2006-08-28 21:25 21290704 --a------ C:\Program Files\AdbeRdr708_en_US.exe
2006-08-28 21:25 0 --a------ C:\Documents and Settings\Mchan\Application Data\dm.ini
2006-08-28 21:25 -------- d-------- C:\Program Files\Adobe
2006-08-28 20:57 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-08-28 20:56 -------- d-------- C:\Program Files\QuickTime
2006-08-28 20:56 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Apple Computer
2006-08-28 20:55 -------- d-------- C:\Program Files\iTunes
2006-08-28 20:52 -------- d-------- C:\Program Files\iPod
2006-08-26 17:41 34486153 --a------ C:\Program Files\jdk-1_5_0_08-windows-amd64.exe
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Esat"="\"C:\\DOCUME~1\\Mchan\\APPLIC~1\\SSTEM~1\\attrib.exe\" -vt tzt"
"Kfgcqw"="C:\\WINDOWS\\system32\\??curity\\r?gedit.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"{C0-06-6D-DE-ZN}"="C:\\windows\\system32\\ojdsregn.exe GEN001"
"adstart"="\"iexplore.exe\" \"http://iesettingsupdate\""
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\howypy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-25 13:39:34.98
C:\ComboFix.txt ... 06-10-25 13:39

2) HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:43:16 PM, on 25/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Mchan\APPLIC~1\SSTEM~1\attrib.exe
C:\WINDOWS\system32\??curity\r?gedit.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {413D9D45-58A6-0105-D6AE-02B5E3B6DDEE} - C:\WINDOWS\system32\vjbstsng.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{C0-06-6D-DE-ZN}] C:\windows\system32\ojdsregn.exe GEN001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Esat] "C:\DOCUME~1\Mchan\APPLIC~1\SSTEM~1\attrib.exe" -vt tzt
O4 - HKCU\..\Run: [Kfgcqw] C:\WINDOWS\system32\??curity\r?gedit.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Shaba

2006-10-25, 20:54

Hi

First we need to temporarily disable CounterSpy that it doesn't prevent fixes:

1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (This should be enabled).
3. A menu will slide out and then you need to right click on "Disable Active Protection".

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {413D9D45-58A6-0105-D6AE-02B5E3B6DDEE} - C:\WINDOWS\system32\vjbstsng.dll
O4 - HKLM\..\Run: [{C0-06-6D-DE-ZN}] C:\windows\system32\ojdsregn.exe GEN001
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [Esat] "C:\DOCUME~1\Mchan\APPLIC~1\SSTEM~1\attrib.exe" -vt tzt
O4 - HKCU\..\Run: [Kfgcqw] C:\WINDOWS\system32\??curity\r?gedit.exe

Close all windows including browser and press fix checked.

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Doubleclick fix.reg, press Yes and ok.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\vjbstsng.dll
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\fgg1ead9.sys
C:\WINDOWS\system32\WinNB65.dll
C:\WINDOWS\srvvkekdpl.exe
C:\Program Files\Common Files\kyze.html
C:\Program Files\ComPlus Applications\howypy.html
C:\windows\system32\ojdsregn.exe
C:\WINDOWS\system32\ciphsbwu.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Make you hidden &system files visible, info (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Delete if found:

C:\WINDOWS\system32\Security
C:\DOCUME~1\Mchan\APPLIC~1\System
C:\Program Files\Common Files\uooq

Empty Recycle Bin

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report

Wolverines

2006-10-25, 21:16

Hello, thanks!

1) ComboFix

Mchan - 06-10-25 14:13:55.14 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Mchan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1\attrib.exe
C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1\W?nSxS
C:\QooBox\Purity\Documents and Settings\Mchan\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Mchan\My Documents\ICROSO~1\w?aclt.exe
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\CURITY~1\r?gedit.exe

((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-25 14:12 -------- d-------- C:\Program Files\Common Files
2006-10-23 14:44 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-10-20 21:54 -------- d-------- C:\Program Files\Google
2006-10-12 11:42 -------- d-------- C:\Program Files\XoftSpy
2006-10-01 17:11 -------- d-------- C:\Program Files\Messenger
2006-10-01 17:10 -------- d-------- C:\Program Files\Internet Explorer
2006-10-01 17:09 -------- d-------- C:\Program Files\Windows Media Player
2006-10-01 17:04 -------- d-------- C:\Program Files\Outlook Express
2006-10-01 17:04 -------- d-------- C:\Program Files\Common Files\System
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-10 17:49 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-10 17:21 -------- d-------- C:\Program Files\Sunbelt Software
2006-09-10 17:15 -------- d-------- C:\Program Files\Lavasoft
2006-09-10 17:15 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Lavasoft
2006-09-10 17:10 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Google
2006-09-10 16:28 811584 --a------ C:\GoogleToolbarInstaller.exe
2006-09-06 18:15 -------- d---s---- C:\Documents and Settings\Mchan\Application Data\Microsoft
2006-08-28 21:53 -------- d-------- C:\Documents and Settings\Mchan\Application Data\AdobeUM
2006-08-28 21:52 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Adobe
2006-08-28 21:51 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-28 21:25 877 --a------ C:\Documents and Settings\Mchan\Application Data\AdobeDLM.log
2006-08-28 21:25 21290704 --a------ C:\Program Files\AdbeRdr708_en_US.exe
2006-08-28 21:25 0 --a------ C:\Documents and Settings\Mchan\Application Data\dm.ini
2006-08-28 21:25 -------- d-------- C:\Program Files\Adobe
2006-08-28 20:57 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-08-28 20:56 -------- d-------- C:\Program Files\QuickTime
2006-08-28 20:56 -------- d-------- C:\Documents and Settings\Mchan\Application Data\Apple Computer
2006-08-28 20:55 -------- d-------- C:\Program Files\iTunes
2006-08-28 20:52 -------- d-------- C:\Program Files\iPod
2006-08-26 17:41 34486153 --a------ C:\Program Files\jdk-1_5_0_08-windows-amd64.exe
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-25 14:14:32.31
C:\ComboFix.txt ... 06-10-25 14:14
C:\ComboFix2.txt ... 06-10-25 13:39

2) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 2:15:51 PM, on 25/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Shaba

2006-10-26, 15:53

Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log.

Wolverines

2006-10-26, 17:28

Hi Shaba, here is the output. I had to attach Kaspersky because the text was too long. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:21:09 AM, on 26/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Shaba

2006-10-26, 18:25

Hi

Delete these:

C:\WINDOWS\Downloaded Program Files\int_ver34.ocx
C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\SPEVW9Q3\sinstaller2[1].exe

Empty these folders:

C:\Documents and Settings\Mchan\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine
C:\!KillBox\

Empty Recycle Bin

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report

Wolverines

2006-10-26, 19:57

Hi Shaba, here it is:

1) Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 12:54:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235223
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
H:\

Scan Statistics:
Total number of scanned objects: 74758
Number of viruses found: 34
Number of infected objects: 87 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:09:02

Infected Object Name / Virus Name / Last Action
C:\Backed up Data (DELETE)\merideth\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Deleted Items/23 May 2003 14:58 from ngai_kenneth:Or save this information in .rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backed up Data (DELETE)\merideth\Outlook\outlook.ost Mail MS Mail: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mchan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mchan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mchan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mchan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mchan\Local Settings\History\History.IE5\MSHist012006102620061027\index.dat Object is locked skipped
C:\Documents and Settings\Mchan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mchan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mchan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Purity\Documents and Settings\Mchan\Application Data\SSTEM~1\attrib.exe Infected: Trojan-Downloader.Win32.PurityScan.cx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0004171.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005151.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005152.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005170.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005173.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005176.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005178.dll Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005180.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005217.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005244.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005247.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005252.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP35\A0005259.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP38\A0005308.exe Infected: Trojan-Downloader.Win32.VB.alg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP38\A0005312.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005327.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005327.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005327.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005328.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005328.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005328.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005329.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005334.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005335.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005336.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005337.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005340.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005341.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005342.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005343.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005344.exe Infected: Trojan-Downloader.Win32.Adload.fg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005345.exe Infected: Trojan-Downloader.Win32.VB.alg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005347.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005348.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005350.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005353.exe Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005354.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005355.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005355.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005355.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005356.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005357.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP40\A0005358.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009623.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009623.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009623.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009624.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009624.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009624.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009625.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009635.exe Infected: Trojan-Downloader.Win32.VB.alg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009637.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP41\A0009640.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP46\A0044527.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP48\A0053726.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP48\A0053728.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP48\A0053730.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP48\A0053731.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP51\A0053795.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP51\A0053796.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eu skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP53\A0053820.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053895.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053896.exe Infected: Trojan-Downloader.Win32.VB.amb skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053897.exe Infected: Trojan-Downloader.Win32.Adload.fy skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053902.exe Infected: Trojan-Downloader.Win32.VB.agk skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053914.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053918.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053918.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053918.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053918.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP54\A0053919.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054021.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054023.ocx Infected: not-a-virus:Porn-Dialer.Win32.VB.j skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054024.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054024.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054024.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054025.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054025.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054025.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054025.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\A0054026.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{FBE4C57F-3334-4925-BEB3-A8636FADE4BC}\RP55\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C58CFD5D-890F-452E-9B21-B6EC25991F7C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Wolverines

2006-10-26, 19:58

2) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:55:37 PM, on 26/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Shaba

2006-10-26, 20:11

Hi

Empty this folder -> C:\QooBox

Empty Recycle Bin

Otherwise looking good :)

Do you still have problems?

Wolverines

2006-10-26, 20:16

Hi Shaba, thanks so much! Things are running well now!

Wolverines

Shaba

2006-10-26, 20:21

Hi

Glad to hear!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

I see no antivirus or firewall on your log. It's essential that every computer has those. See "Virus, Spyware, and Malware Protection and Removal Resources" and "Understanding and using firewalls" for more info how to get those. If you use windows own firewall, I recommend to get a better one.
In that case disable windows own firewall after installation of another firewall via Control Panel.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.staff.uiuc.edu/~ehowes/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba

2006-11-02, 20:21

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.