Uskyonline, etc. Popups



kimsm
2006-10-29, 11:06
I recently was lucky enough to stumble upon an infected website and I acquired all kinds of new goodies that succeeded in bombarding me with popups, a general slowdown, and 'program not responding' messages. I also keep getting 'Connect or Work offline' messages in mid-internet romp. I guess I should mention those window hijackings as well. I've run both Spybot S&D and Ad-Aware SE and both claim I am clean. Although the first time I ran them, they said three somethings would need to be removed in startup and when that process was completed it said only one something was found. So two 'somethings' have escaped and are running rampant in my tubes and wires. Sorry if all that was confusing. I followed the 'prior to posting rules' to the best of my abilities and would appreciate any help. Any help definitely deserves some :heart: :heart: :heart:

Here is my HJT file thing:
Logfile of HijackThis v1.99.1
Scan saved at 1:44:50 AM, on 10/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\octeltpop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sxyrgft] C:\Program Files\s?stem\?ervices.exe
O4 - HKCU\..\Run: [kifi] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

And here is my Panda Online Scan results:


Incident Status Location

Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Spyware:spyware/media-motor Not disinfected c:\windows\unstall.exe
Adware:adware/mirar Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\kim\Cookies\kim@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\kim\Cookies\kim@server.iad.liveperson[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\kim\Cookies\kim@www.myaffiliateprogram[2].txt
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b103.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b104.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b111.exe
Virus:Trj/Banker.CZI Disinfected C:\Documents and Settings\kim\Local Settings\Temp\bl4ck.com
Possible Virus. Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\metasploit.exe
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\mit10.tmp
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\mit10.tmp.cab
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\nsoB.tmp\nsRandom.dll
Potentially unwanted tool:Application/FamilyKeylogger Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\keylogger-download.zip[HomeKeyLogger-setup.exe][KeyLogger.exe]
Potentially unwanted tool:Application/Keylogger-Pro Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\keylogger-download.zip[HomeKeyLogger-setup.exe][KeyLogger.Dll]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\??crosoft.NET\wucrtupd.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\Uninst.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whiehlpr.dll]
Possible Virus. Renamed C:\Program Files\s?stem\?ervices.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\ac3_0002.exe
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whiehlpr.dll]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IEtpbQ\KHQDvk.vbs
Possible Virus. Not disinfected C:\WINDOWS\metasploit.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\MirarSetup_876057.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Setup90.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Setup90.exe[TagASaurus.exe]
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\TIELT001.exe
Thanks in advance fellas.

Shaba
2006-10-29, 12:33
Hi kimsm

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix report

kimsm
2006-10-30, 09:26
Combo Fix report:
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\kim\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wapisvsu.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}
C:\Program Files\Common Files\{9C6F49D7-07D9-1033-0825-051228050001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\Program Files\SSTEM~1\?ervices_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-09-30 to 2006-10-30 ))))))))))))))))))))))))))))))))))


2006-10-28 00:35 53,248 --a------ C:\WINDOWS\ab_02.exe
2006-10-28 00:35 49,428 --a------ C:\WINDOWS\system32\mtbmiarl.dll
2006-10-28 00:35 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-10-28 00:35 45,056 --a------ C:\WINDOWS\octeltpop.exe
2006-10-28 00:35 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-28 00:35 32,768 --a------ C:\WINDOWS\unstall.exe
2006-10-28 00:35 217,346 --a------ C:\WINDOWS\Setup90.exe
2006-10-28 00:35 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-10-28 00:35 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-10-28 00:35 122,900 --a------ C:\WINDOWS\system32\drbbinxy.dll
2006-10-28 00:30 126,976 --a------ C:\WINDOWS\system32\capzm.dll
2006-10-28 00:30 1,685 --a------ C:\WINDOWS\metasploit.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-30 00:21 -------- d-------- C:\Program Files\Common Files
2006-10-30 00:07 5330 --ahs---- C:\Documents and Settings\kim\Application Data\9CC2F7FA2DB548D2A7FC222D74B8D509.sta
2006-10-30 00:07 17374 --ahs---- C:\Documents and Settings\kim\Application Data\9CC2F7FA2DB548D2A7FC222D74B8D509.rul
2006-10-29 01:44 4461 --a------ C:\Program Files\hijackthis.log
2006-10-29 01:11 -------- d-------- C:\Program Files\Windows Media Player
2006-10-29 01:11 -------- d-------- C:\Program Files\QuickTime
2006-10-29 01:10 -------- d-------- C:\Program Files\Messenger
2006-10-29 01:10 -------- d-------- C:\Program Files\iTunes
2006-10-29 01:10 -------- d-------- C:\Program Files\Internet Explorer
2006-10-29 00:51 -------- d-------- C:\Program Files\Google
2006-10-28 01:09 -------- d-------- C:\Program Files\Lavasoft
2006-10-28 01:09 -------- d-------- C:\Documents and Settings\kim\Application Data\Lavasoft
2006-10-28 01:07 -------- d-------- C:\Program Files\OIN Search
2006-10-28 00:35 -------- d-------- C:\Program Files\em
2006-10-28 00:30 -------- d-------- C:\Program Files\Common Files\àdobe
2006-10-25 00:28 -------- d-------- C:\Documents and Settings\kim\Application Data\uTorrent
2006-09-03 02:57 6444 --a------ C:\WINDOWS\system32\a.exe
2006-09-01 00:25 -------- d-------- C:\Program Files\Canon
2006-09-01 00:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-31 23:50 -------- d-------- C:\Program Files\SpywareGuard
2006-08-31 01:39 -------- d---s---- C:\Documents and Settings\kim\Application Data\Microsoft
2006-08-30 04:06 -------- d-------- C:\Program Files\Common Files\Services
2006-08-14 09:43 1213 --------- C:\Documents and Settings\kim\Application Data\AdobeDLM.log
2006-08-14 01:12 253 --------- C:\Documents and Settings\kim\Application Data\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Sxyrgft"="C:\\Program Files\\s?stem\\?ervices.exe"
"kifi"="C:\\Program Files\\InetGet2\\stub_109_4_0_4_0.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"1pop06apelt3"="C:\\WINDOWS\\octeltpop.exe"
"{F4-49-9D-D7-ZN}"="c:\\windows\\system32\\ondsregm.exe ELT001"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diskinfo

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-30 0:21:23.27
C:\ComboFix.txt ... 06-10-30 00:21

Wow. Thanks for responding so fast. I was expecting to wait for at least a few days seeing how swamped this forum is. I'm very grateful for your help. :D: :heart: :D:

kimsm
2006-10-30, 13:01
Sorry, I just realized I posted the ComboFix log twice. I guess that's what I get for not previewing/double-checking. Shame on me. :oops:

HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:32 AM, on 10/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\octeltpop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sxyrgft] C:\Program Files\s?stem\?ervices.exe
O4 - HKCU\..\Run: [kifi] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Shaba
2006-10-30, 17:17
Hi

Uninstall via add/remove programs:

OIN Search

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKCU\..\Run: [Sxyrgft] C:\Program Files\s?stem\?ervices.exe
O4 - HKCU\..\Run: [kifi] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Close all windows including browser and press fix checked.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\ab_02.exe
C:\WINDOWS\system32\mtbmiarl.dll
C:\WINDOWS\TIELT001.exe
C:\WINDOWS\octeltpop.exe
C:\WINDOWS\hancerdoem.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\ac3_0002.exe
C:\WINDOWS\MirarSetup_876057.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\drbbinxy.dll
C:\WINDOWS\system32\capzm.dll
C:\WINDOWS\metasploit.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
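
The two lists in the post above follow a repeatable pattern: the HijackThis lines chosen for "fix checked" are the ones with a nameless URLSearchHook, added Trusted Zone sites, autostart entries whose paths contain characters HijackThis prints as '?' (lookalike folder names, the same trick ComboFix's Purity section quarantines), executables dropped straight into C:\WINDOWS, and a startup shortcut that runs something out of system32; the Killbox list is essentially every file ComboFix saw created in the same five-minute burst as the known-bad droppers, plus a.exe from the Panda scan. The Python below is an added example that encodes that reasoning and is not code from the original thread or from the HijackThis, ComboFix or Killbox tools; the sample lines are copied from the logs in this thread, the heuristics and the 10-minute window are this example's own assumptions, and a line the heuristics do not flag (the InetGet2 stub, for instance) still needs a reputation check by hand.

```python
"""Triage helpers for HijackThis and ComboFix logs (added example; not from the
original thread). Heuristics only: an unflagged line is not proof of a clean entry."""
from __future__ import annotations
import re
from datetime import datetime

# Constructed sample: a subset of the HijackThis lines posted in this thread.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001
O4 - HKCU\..\Run: [Sxyrgft] C:\Program Files\s?stem\?ervices.exe
O4 - HKCU\..\Run: [kifi] C:\Program Files\InetGet2\stub_109_4_0_4_0.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: lines from the ComboFix 'Files Created' and Find3M sections above.
COMBOFIX_SAMPLE = r"""
2006-10-28 00:35 53,248 --a------ C:\WINDOWS\ab_02.exe
2006-10-28 00:35 45,056 --a------ C:\WINDOWS\octeltpop.exe
2006-10-28 00:30 126,976 --a------ C:\WINDOWS\system32\capzm.dll
2006-10-28 00:30 1,685 --a------ C:\WINDOWS\metasploit.exe
2006-09-03 02:57 6444 --a------ C:\WINDOWS\system32\a.exe
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.I)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")   # O4 ...Run: [name] cmd
LNK_RE = re.compile(r"\.lnk = (?P<cmd>.*)$")                  # O4 Startup: x.lnk = cmd
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[^\\\s]+\.exe\b", re.I)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.I)
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+[\d,]+\s+\S+\s+(?P<path>.+)$")


def o4_reasons(line: str) -> list[str]:
    """Heuristics (this example's assumptions) for one O4 autostart line."""
    reasons = []
    run, lnk = RUN_RE.search(line), LNK_RE.search(line)
    name = run["name"] if run else ""
    cmd = (run or lnk)["cmd"] if (run or lnk) else ""
    if "?" in cmd:
        # HijackThis prints '?' for characters it cannot render; a folder
        # named to look like 'system' is what ComboFix's Purity pass quarantines.
        reasons.append("non-ASCII lookalike characters in path")
    if WINDIR_ROOT_RE.match(cmd):
        reasons.append("executable dropped directly in %WINDIR%")
    if name.startswith("{") and not GUID_RE.fullmatch(name):
        reasons.append("brace-style value name is not a well-formed GUID")
    if lnk and SYSTEM32_RE.match(cmd):
        reasons.append("startup shortcut runs a program out of system32")
    return reasons


def flag_hjt(log: str) -> dict[str, list[str]]:
    """Map each suspicious HijackThis line to the reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        kind = line.split(" - ", 1)[0]
        reasons: list[str] = []
        if kind == "R3" and "(no name)" in line:
            reasons.append("URLSearchHook with no name")
        elif kind == "O15":
            reasons.append("site added to the Trusted Zone (ActiveX runs with fewer prompts)")
        elif kind == "O4":
            reasons = o4_reasons(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def created_near(log: str, known_bad: list[str], window_min: int = 10) -> list[str]:
    """Paths created within window_min of any known-bad file's creation time.
    Droppers write their payload in one burst, so one confirmed file pulls in
    its siblings; this is how the Killbox list above can be derived."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"), m["path"]))
    bad = {p.lower() for p in known_bad}
    anchors = [ts for ts, path in entries if path.lower() in bad]
    hits = {path for ts, path in entries
            if any(abs((ts - a).total_seconds()) <= window_min * 60 for a in anchors)}
    return sorted(hits)


if __name__ == "__main__":
    for line, why in flag_hjt(HJT_SAMPLE).items():
        print(line, "\n    ->", "; ".join(why))
    print(created_near(COMBOFIX_SAMPLE, [r"C:\WINDOWS\octeltpop.exe"]))
```

Run against the sample, flag_hjt reports six lines (the capzm.dll hook, octeltpop.exe, the fake-GUID ondsregm.exe entry, the '?' path, TA_Start.lnk and the Trusted Zone site) and leaves SoundMan, the Adobe shortcut and the InetGet2 stub alone; seeding created_near with octeltpop.exe returns the four files ComboFix saw land between 00:30 and 00:35 and excludes a.exe, which dates from September and was caught by the Panda scan rather than by timing.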

kimsm
2006-10-30, 23:35
ComboFix Report :

ComboFix 06.10.19 - Running from: "C:\Documents and Settings\kim\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\Program Files\SSTEM~1\?ervices_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-09-30 to 2006-10-30 ))))))))))))))))))))))))))))))))))


2006-10-30 14:33 276,918 --a------ C:\combofix.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-30 14:30 3874 --a------ C:\Program Files\hijackthis.log
2006-10-30 14:29 6121 --ahs---- C:\Documents and Settings\kim\Application Data\9CC2F7FA2DB548D2A7FC222D74B8D509.sta
2006-10-30 14:29 17374 --ahs---- C:\Documents and Settings\kim\Application Data\9CC2F7FA2DB548D2A7FC222D74B8D509.rul
2006-10-30 14:20 -------- d-------- C:\Program Files\backups
2006-10-30 01:23 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-30 00:21 -------- d-------- C:\Program Files\Common Files
2006-10-29 01:11 -------- d-------- C:\Program Files\Windows Media Player
2006-10-29 01:11 -------- d-------- C:\Program Files\QuickTime
2006-10-29 01:10 -------- d-------- C:\Program Files\Messenger
2006-10-29 01:10 -------- d-------- C:\Program Files\iTunes
2006-10-29 01:10 -------- d-------- C:\Program Files\Internet Explorer
2006-10-29 00:51 -------- d-------- C:\Program Files\Google
2006-10-28 01:09 -------- d-------- C:\Program Files\Lavasoft
2006-10-28 01:09 -------- d-------- C:\Documents and Settings\kim\Application Data\Lavasoft
2006-10-28 00:35 -------- d-------- C:\Program Files\em
2006-10-28 00:30 -------- d-------- C:\Program Files\Common Files\àdobe
2006-10-25 00:28 -------- d-------- C:\Documents and Settings\kim\Application Data\uTorrent
2006-09-01 00:25 -------- d-------- C:\Program Files\Canon
2006-09-01 00:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-31 23:50 -------- d-------- C:\Program Files\SpywareGuard
2006-08-31 01:39 -------- d---s---- C:\Documents and Settings\kim\Application Data\Microsoft
2006-08-30 04:06 -------- d-------- C:\Program Files\Common Files\Services
2006-08-14 09:43 1213 --------- C:\Documents and Settings\kim\Application Data\AdobeDLM.log
2006-08-14 01:12 253 --------- C:\Documents and Settings\kim\Application Data\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"{F4-49-9D-D7-ZN}"="c:\\windows\\system32\\ondsregm.exe ELT001"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\diskinfo

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-30 14:33:50.24
C:\ComboFix.txt ... 06-10-30 14:33
C:\ComboFix2.txt ... 06-10-30 00:21



HJT Report:


Logfile of HijackThis v1.99.1
Scan saved at 2:35:27 PM, on 10/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Shaba
2006-10-31, 08:27
Hi

Please re-run panda active scan and send its report here along with a fresh HijackThis log :)

kimsm
2006-10-31, 10:11
Hey, thanks for taking the time out to help me with this. The pop-ups have seemed to stop, but according to what little I understand from this Panda Report thing, there is still something wrong.

Panda Report:


Incident Status Location

Adware:adware/mirar Not disinfected Windows Registry
Virus:Trj/Banker.CZI Disinfected C:\!KillBox\a.exe
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\ac3_0002.exe
Adware:Adware/PurityScan Not disinfected C:\!KillBox\capzm.dll
Adware:Adware/WebHancer Not disinfected C:\!KillBox\hancerdoem.exe[whCC-GIANT3.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\hancerdoem.exe[whCC-GIANT3.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\hancerdoem.exe[whCC-GIANT3.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\hancerdoem.exe[whCC-GIANT3.exe][whiehlpr.dll]
Virus:Trj/Downloader.LBY Disinfected C:\!KillBox\metasploit.exe
Adware:Adware/Mirar Not disinfected C:\!KillBox\MirarSetup_876057.exe
Adware:Adware/DigInk Not disinfected C:\!KillBox\Setup90.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\!KillBox\Setup90.exe[TagASaurus.exe]
Adware:Adware/Zenosearch Not disinfected C:\!KillBox\TIELT001.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\kim\Cookies\kim@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\kim\Cookies\kim@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\kim\Cookies\kim@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\kim\Cookies\kim@server.iad.liveperson[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\kim\Cookies\kim@www.myaffiliateprogram[2].txt
Potentially unwanted tool:Application/FamilyKeylogger Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\keylogger-download.zip[HomeKeyLogger-setup.exe][KeyLogger.exe]
Potentially unwanted tool:Application/Keylogger-Pro Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\keylogger-download.zip[HomeKeyLogger-setup.exe][KeyLogger.Dll]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\kim\My Documents\New Folder (3)\??crosoft.NET\wucrtupd.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whiehlpr.dll]
Possible Virus. Renamed C:\QooBox\Purity\Program Files\SSTEM~1\?ervices_exe.vir
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IEtpbQ\KHQDvk.vbs

And here is the HJT Report:


Logfile of HijackThis v1.99.1
Scan saved at 1:10:31 AM, on 10/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



Thanks again for all your help, man. You're freaking awesome. Hope I will be able to repay you somehow? :heart: :bigthumb:

Shaba
2006-10-31, 16:45
Hi

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [{F4-49-9D-D7-ZN}] c:\windows\system32\ondsregm.exe ELT001

Close all windows including browser and press fix checked.

Reboot

Empty this folder -> C:\!KillBox

Delete these:

C:\Documents and Settings\kim\My Documents\New Folder (3)\keylogger-download.zip
C:\Documents and Settings\kim\My Documents\New Folder (3)\Microsoft.NET
C:\Program Files\em\dohancer
C:\WINDOWS\IEtpbQ

Empty Recycle Bin

Re-scan with panda

Send:

- a fresh HijackThis log
- panda report

kimsm
2006-10-31, 23:46
I couldn't find the C:\WINDOWS\IEtpbQ file I was instructed to delete.

Here is the Panda Report:


Incident Status Location

Adware:adware/mirar Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\kim\Cookies\kim@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\kim\Cookies\kim@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\kim\Cookies\kim@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\kim\Cookies\kim@server.iad.liveperson[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\kim\Cookies\kim@www.myaffiliateprogram[2].txt
Possible Virus. Renamed C:\QooBox\Purity\Program Files\SSTEM~1\?ervices_exe.vir
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IEtpbQ\KHQDvk.vbs


HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:58 PM, on 10/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe




Thank you!!!:heart:

Shaba
2006-11-01, 08:24
Hi

Empty this folder -> C:\QooBox

Make your hidden & system files visible, info (http://www.pchell.com/support/safemode.shtml)

Now try to locate this and delete it -> C:\WINDOWS\IEtpbQ

And tell me whether or not you found it :)

kimsm
2006-11-01, 11:00
Ok, the Qoobox (whatever it was called) file is empty. Pop-ups have returned along with an 888bar. I looked again for that IEtpbQ file; I tried finding it in safe mode, I think that is what you meant me to do, and I looked again in regular mode and I still cannot find it.

I figured you'd probably want another HJT and Panda log so have at it if you need them. Thanks for being so patient with me :)


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:57 AM, on 11/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\Common Files\{9C6F49D7-07D9-1033-0825-051228050001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\DOCUME~1\kim\MYDOCU~1\DOBE~1\wuauboot.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\drbbinxy.dll (file missing)
O2 - BHO: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\888Bar.dll
O2 - BHO: (no name) - {C5BBE568-4AE2-0645-DC9D-543E70EB40A1} - C:\WINDOWS\System32\wbo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\npgububp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\888Bar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rnas] "C:\DOCUME~1\kim\MYDOCU~1\DOBE~1\wuauboot.exe" -vt yazr
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B94CEA5C-429A-4F01-8914-D6D9FBC29FBD}: NameServer = 68.238.64.12,68.238.128.12
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



Panda log:



Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\docume~1\kim\mydocu~1\dobe~1\wuauboot.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\888Bar.dll
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{9C6F49D7-07D9-1033-0825-051228050001}\Services.dll
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{9C6F49D7-07D9-1033-0825-051228050001}\Update.exe
Virus:trj/abwiz.a Disinfected Operating system
Adware:adware/mirar Not disinfected Windows Registry
Possible Virus. Not disinfected C:\48027001.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\kim\Cookies\kim@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\kim\Cookies\kim@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kim\Cookies\kim@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\kim\Cookies\kim@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\kim\Cookies\kim@server.iad.liveperson[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\kim\Cookies\kim@www.myaffiliateprogram[2].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\!update.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\kim\Local Settings\Temp\b122.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\kim\Local Settings\Temporary Internet Files\Content.IE5\W1YR0XIZ\122[1].net
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\kim\My Documents\?dobe\wuauboot.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\Activate.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\Uninst.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Cowabanga\Cowabanga.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Cowabanga\uninstaller.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\ipwins\Uninst.exe[²ÜÇ\nsProcess.dll]
Adware:Adware/ActiveSearch Not disinfected C:\sstray.exe
Adware:Adware/ActiveSearch Not disinfected C:\svhost.exe
Adware:Adware/PurityScan Not disinfected C:\tskmgr.exe
Possible Virus. Not disinfected C:\WINDOWS\48027001.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IEtpbQ\KHQDvk.vbs

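Added example (not from this thread, and not a HijackThis feature): a small Python script that parses the entry lines of two HijackThis logs, reports which entries appeared or vanished between them, and flags added entries that point at a missing file or at an autorun launched from the user profile. The two embedded logs are constructed, abbreviated excerpts of the 10/31 and 11/1 logs posted above; the "user profile" heuristic is an assumption of mine, not a rule from the tool.

```python
"""Diff two HijackThis logs and flag suspicious additions (added example)."""
import re
from dataclasses import dataclass

# Constructed samples: abbreviated excerpts of the 10/31 and 11/1 logs in the thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {A4676816-868E-8079-8FD8-D828905763BA} - C:\WINDOWS\System32\capzm.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C6F49D7-07D9-1033-0825-051228050001}\888Bar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rnas] "C:\DOCUME~1\kim\MYDOCU~1\DOBE~1\wuauboot.exe" -vt yazr
"""

# HijackThis entry lines start with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+?)\s*$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_hjt(text):
    """Return the entry lines of a log as Entry objects; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_hjt(before, after):
    """Set difference of entries between two logs, sorted for stable output."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.section, e.body)
    return {"added": sorted(new - old, key=key), "removed": sorted(old - new, key=key)}


def review(entries):
    """Flag entries worth a closer look. Heuristics are assumptions, not tool rules."""
    findings = []
    for e in entries:
        # HijackThis itself marks references whose target file is gone.
        if "(file missing)" in e.body:
            findings.append(("dangling reference", e))
        # Assumption: an autorun (O4) launched from inside a user profile is unusual.
        if e.section == "O4" and re.search(r"docume~1|documents and settings", e.body, re.I):
            findings.append(("autorun from user profile", e))
    return findings


if __name__ == "__main__":
    delta = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for label in ("added", "removed"):
        print(f"== {label} ({len(delta[label])})")
        for e in delta[label]:
            print(f"  {e.section} - {e.body}")
    print("== review")
    for reason, e in review(delta["added"]):
        print(f"  [{reason}] {e.section} - {e.body}")
```

Run it against two saved logs by reading the files into LOG_BEFORE and LOG_AFTER; anything listed under "added" is what a helper would look at first, and the review flags only narrow the list, they do not decide what is malicious.
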
Shaba
2006-11-01, 16:41
In that case we'll start with two things:

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot.

Next install an antivirus. See this link -> http://www.bleepingcomputer.com/forums/topic405.html

After those steps, send a fresh HijackThis log

kimsm
2006-11-02, 11:30
:sad: Apparently my Windows is not genuine. Sorry. Thanks for trying to help me out. It'll be a week before I can buy an authentic version. Maybe when I get that settled I'll have another go at clearing up this mess. Sorry again for wasting your time. Much love and best wishes.

Shaba
2006-11-10, 19:04
This Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.