Need help cleaning.



MadAngel
2006-10-26, 10:37
First and foremost, thank you for taking your time out of the day to help me.

Something I should mention before I post any logs. I ran Spybot before and it found Command Service and couldn't fix it. So I manually went into the registry and, after changing the permissions, deleted the following:

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Here is my Panda AV scan:


Incident Status Location

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.seeq.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[drivecleaner.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[www47.buydomains.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\ihkwmq6f.default\cookies.txt[www48.seeq.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Admin\Cookies\admin@banners.searchingbooth[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Admin\Cookies\admin@ccbill[1].txt
Adware:Adware/DigInk Not disinfected C:\Documents and Settings\NetworkService\Desktop\TagASaurus.exe
Virus:W32/Locksky.DD.worm Disinfected C:\Documents and Settings\NetworkService\Local Settings\Temp\jpg_viewer.exe
Adware:adware/popper Not disinfected C:\WINDOWS\offun.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\QmVuamFtaW4gSGF5ZXM\kApRuAIQuqb0m3Ictrg.vbs
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvifriyln.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvifriyln.exe[TagASaurus.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvmlavxvv.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvmlavxvv.exe[TagASaurus.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvxedcnav.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvxedcnav.exe[TagASaurus.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvztekoae.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvztekoae.exe[TagASaurus.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_e6h.exe

MadAngel
2006-10-26, 10:38
And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:26:07 AM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?auth=DQAAAGkAAAAVXmpK4h-aIGa1ODNe9WxmYwGjdkRfbfJcZldc2vYUVy-eoGr3h9Z5jgNNzrm4VvVq7-MgpBn-VUBlJtIFvkVcYFn7SOELf7aOPiCVsuybUVXMh63CkYMf3tLK7f_XW_t_1jooG9WImZo5RLxNBXhj
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ydtcmle.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161750839109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: dxclib303562752.dll,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2006-10-26, 18:10
Welcome to the forum. Those entries were leftovers from a poor removal attempt by another program, possibly Ad-aware? I don't see anywhere that you mention your problem? I can see stuff that needs to go and that you are storing a lot of nasty cookies, if you wish help with those, here it is:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
Firefox 2.0 is now being released so the instructions may vary some. If you need the same information for Internet Explorer, let me know.

Let's get rid of what I see, clean a little then run a good free Spyware program and see where we stand at that point.

1) C:\Documents and Settings\Admin\My Documents\HijackThis.exe <<< return to here and create a folder for HJT where it can safely store logs and backups. Move the .exe and the log that is there into that folder.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Start > Control Panel > Add Remove programs and look for Deluxe Communications and uninstall it. Look for any other programs you know do not belong there and uninstall them. If you are unsure let me know and I will look.
This junk used to be called SurfSideKick and it can be a bear to remove so wish us luck, perhaps it is gone?

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ydtcmle.exe
O20 - AppInit_DLLs: dxclib303562752.dll
http://www.castlecops.com/o20list-288.html <<<< see this
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Search for and delete these items if there:

ydtcmle.exe
dxclib303562752.dll

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

8) Follow the instructions in this link to download, update, install and run AVG Anti-Spyware 7.5
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the excellent tutorial

Restart the computer and post the scan results and a new HJT log. Let me know how the computer is running.

Thanks
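The three entries pskelley singles out in step 5 (the extra executable chained onto UserInit, the non-empty AppInit_DLLs value, and the Winlogon Notify package whose DLL is missing) can be picked out of a HijackThis log mechanically. The script below is an added example written for this thread; it is not part of the original posts and not HijackThis code. It embeds a few lines copied from the log above as constructed sample input, and the parsing rules in `parse_hjt_line` and `analyze_hjt` are assumptions about the log layout, not a HijackThis API.

```python
import re

# Constructed sample: a handful of lines taken from the HijackThis log
# quoted earlier in this thread (plus one benign O23 line for contrast).
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ydtcmle.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: dxclib303562752.dll,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

USERINIT_PREFIX = "REG:system.ini: UserInit="
APPINIT_PREFIX = "AppInit_DLLs:"
NOTIFY_PREFIX = "Winlogon Notify:"


def parse_hjt_line(line):
    """Split an HJT entry such as 'O20 - AppInit_DLLs: x.dll' into
    (section, body). Returns None for header/blank lines."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def _csv_entries(value):
    """Comma-separated registry value -> list of non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def analyze_hjt(log_text):
    """Return a list of findings for the autostart entries that matter here:
    F2 UserInit chaining, O20 AppInit_DLLs, and orphaned Winlogon Notify."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        section, body = parsed

        if section == "F2" and body.startswith(USERINIT_PREFIX):
            entries = _csv_entries(body[len(USERINIT_PREFIX):])
            # Anything other than userinit.exe itself is run at every logon.
            extras = [e for e in entries
                      if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extras:
                findings.append({
                    "section": section, "line": raw.strip(), "indicator": extras,
                    "reason": "UserInit chains an extra executable at logon"})

        elif section == "O20" and body.startswith(APPINIT_PREFIX):
            dlls = _csv_entries(body[len(APPINIT_PREFIX):])
            # AppInit_DLLs is normally empty; any value is injected into
            # every process that loads user32.dll.
            if dlls:
                findings.append({
                    "section": section, "line": raw.strip(), "indicator": dlls,
                    "reason": "AppInit_DLLs injects these into every user32 process"})

        elif section == "O20" and body.startswith(NOTIFY_PREFIX):
            # A Notify package whose DLL is gone is a leftover registration
            # (here from an incomplete removal) and should be cleaned up.
            if body.endswith("(file missing)"):
                name = body[len(NOTIFY_PREFIX):].split(" - ")[0].strip()
                findings.append({
                    "section": section, "line": raw.strip(), "indicator": [name],
                    "reason": "Winlogon Notify package registered but DLL is missing"})
    return findings


def lines_to_fix(log_text):
    """The exact HJT lines a helper would tick under 'Fix checked'."""
    return [f["line"] for f in analyze_hjt(log_text)]


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT_LOG):
        print(f"{f['section']}: {f['reason']}: {', '.join(f['indicator'])}")
```

Run as-is, the script reports the same three lines pskelley asked to have fixed and stays silent on the benign O4, O20 WgaLogon and O23 entries; the `(file missing)` check is deliberately narrow so a Notify package that is present is not flagged merely for existing.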

LonnyRJones
2006-11-03, 14:29
Due to lack of responses, this thread is closed.
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.