Results 1 to 5 of 5

Thread: I have SpywareQuake too...:(

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Default I have SpywareQuake too...:(

    I've been affected by spyware quake for the past 2 days. I did not do anything significant to my machine in the meantime.

    I am posting the log file created by silentrunners... Pls advice.
    Thanks for your time and help.



    Startup items buried in registry:
    ---------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
    "wininet.dll" = "dfrgsrv.exe" [null data]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "(Default)" = (empty string)
    "IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
    "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
    "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
    "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
    "Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
    "McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
    "Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."]
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {4D25F921-B9FE-4682-BF72-8AB8210D6D75}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll" ["MyWay.com"]
    {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    {A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "IeCatch2 Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
    -> {HKLM...CLSID} = "RecordNow! SendToExt"
    \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
    -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
    \InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    INFECTION WARNING! "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}" = "USB Ware"
    -> {HKCU...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\stickrep.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    INFECTION WARNING! IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScanType config -Privileges restricted" [MS]
    "Winamp" -> launches: "E:\Songs\Tamil\Arasu\Malligai Malligai.MP3" [file not found]
    "Winamp1" -> launches: "E:\Songs\Tamil\12B\6.mp3" [file not found]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Real.com"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

    Dormant Explorer Bars in "View, Explorer Bar" menu

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com"

    {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D}\
    "ButtonText" = "MUSICMATCH MX Web Player"
    "Script" = "http://wwws.musicmatch.com/mmz/openWebRadio.html" [file not found]

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
    "ButtonText" = "Yahoo! Messenger"
    "MenuText" = "Yahoo! Messenger"
    "Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points
    ------------------------------

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

    Missing lines (compared with English-language version):
    "{4D25F926-B9FE-4682-BF72-8AB8210D6D75}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll" ["MyWay.com"]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
    Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
    EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
    LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
    McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
    Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
    Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
    NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
    RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
    Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
    Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
    WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    PDFCreator\Driver = "pdfcmnnt.dll" [null data]
    Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 96 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 8 seconds.
    ---------- (total run time: 141 seconds)

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello and welcome to the forum. It is best to review the Pinned information at the top of the page. That is where you would have found these instructions: http://forums.spybot.info/showthread.php?t=3261 Please stay in this same topic and post only the logs requested. I suggest you read the rest of the Pinned information, it was placed there for your benefit.

    Thanks...pskelley
    Safer Networking Forums

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Default My logs

    Hi,
    I followed the steps given in the Spyware Quake Removal Thread. I am posting the following logs here as instructed.

    1. The contents of the C:\smitfiles.txt log
    2. The Ewido log
    3. The Spybot-S&D log (too long to post > 20000 characters)
    4. The HijackThis log

    I would be glad if you could tell me if I have gotten rid of Spyware Quake. Also, pls let me know if I need to post the Panda Activescan results. Thanks for the help.

    shank_s
    ------------------------------------------------------------------------
    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Thu 03/30/2006
    The current time is: 18:28:52.75

    Running from
    C:\Program Files\smitRem\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Online Security Guide.url
    Online Security Guide.url
    Security Troubleshooting.url
    Security Troubleshooting.url


    ~~~ Favorites ~~~

    Antivirus Test Online.url


    ~~~ system32 folder ~~~

    ncompat.tlb
    logfiles


    ~~~ Icons in System32 ~~~

    ts.ico
    ot.ico


    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 864 'explorer.exe'
    Killing PID 864 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~


    ~~~ Wininet.dll ~~~

    CLEAN!

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 8:05:08 PM, 3/30/2006
    + Report-Checksum: 127075BE

    + Scan result:

    C:\QUARANTINE\aanlhlmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\afeofemd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\afkkfomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\aiilfomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\alldlgmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\bdgifomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\bfaafimd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\bgmccpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\blchdpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\bnpimmmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\codhcjmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\ddjicpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\ebpicpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\enggjnmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\ghlkmmmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\gmnmcfmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\hbeafomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\ijjkmmmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\kdkbammd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\kikepmmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\kjpmcpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\kmlpfomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\leojhlmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\lkaicpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\llgfgpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\lpmpmcmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\mdmbaimd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\nabfcpmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\nlmflkmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\nvctrl.exe.Vir -> Trojan.AI.c : Cleaned with backup
    C:\QUARANTINE\nvctrl.exe.Vir.0 -> Trojan.AI.c : Cleaned with backup
    C:\QUARANTINE\nvctrl.exe.Vir.1 -> Downloader.Zlob.jk : Cleaned with backup
    C:\QUARANTINE\nvctrl.exe.Vir.2 -> Downloader.Zlob.jp : Cleaned with backup
    C:\QUARANTINE\nvctrl.exe.Vir.3 -> Downloader.Zlob.jp : Cleaned with backup
    C:\QUARANTINE\ocdhjjmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\pbpnmgmd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
    C:\QUARANTINE\pjejfomd.exe.Vir -> Trojan.Dialer.ay : Cleaned with backup


    ::Report End

    ------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:21 PM, on 3/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mrl.uiuc.edu
    O17 - HKLM\Software\..\Telephony: DomainName = mrl.uiuc.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mrl.uiuc.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mrl.uiuc.edu
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    -------------------------------------------------------------------------

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information, I am looking it over now. You can hold the Spybot and Panda scans, but don't delete them until we are done. According to noahdfears smitRem, all instances of the infection have been successfully removed.

    ewido anti-malware - Scan report Created on: 8:05:08 PM, 3/30/2006
    C:\QUARANTINE\ <<< delete the contents of the folder highlited in red.

    Logfile of HijackThis v1.99.1 Scan saved at 11:12:21 PM, on 3/30/2006

    Before we start, please read about this program:
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    http://www.trendmicro.com/vinfo/gray...5FFLASHGET%2EA
    These items are optional but suggested. I would not have them on my computer. You get to make the call.

    Windows Defender may block the fix, if so you will need to be offline and turn it off:
    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    Open Windows Defender, Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.
    After all of the fixes are complete it is very important that you enable Real-time Protection again.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    (if you clean your Prefetch folder routinely you may skip this step, if not, read the link and follow the directions)

    Enable hidden files&folders..reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html

    (a good cleaner may be a very good idea after an infection)

    If you don't have a good cleaner, use this free one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

    Post a last HJT log, i'll have some great information to help you stay clean and safe. Please include your comments, how is the computer running now?

    Your Java program is outdated: C:\Program Files\Java\j2re1.4.2_03\ <<< this is a security risk, please review this information: http://forums.spybot.info/showthread.php?t=2559 and update as soon as possible.

    Thanks...Phil
    Last edited by pskelley; 2006-03-31 at 15:36.

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    How is it going shank_s?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •