Matt The Pirate: Need Help Mirar etc.

Matt The Pirate

I picked up some garbage. Just ran Ewido and it erased some downloaders.

It could not remove a downloader called purity.scan.da

I have the Mirar toolbar and ads are popping up.

Please help. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:12 AM, on 10/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\{54B38ED2-01F5-1033-1008-991223980001}\Update.exe
C:\DOCUME~1\Matt\APPLIC~1\WNSXS~1\iexplore.exe
C:\Program Files\M?crosoft\r?ndll32.exe
C:\PROGRA~1\COMMON~1\oukf\oukfm.exe
C:\PROGRA~1\COMMON~1\oukf\oukfa.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\Qmlvc2l0ZQ\command.exe
C:\WINNT\octeltpop.exe
C:\WINNT\win320901421053652006.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\Duce6.exe
C:\WINNT\sys031053650142.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:80
R3 - URLSearchHook: (no name) - {67C70D47-BCAC-B32D-82FB-B7693FF9DEC3} - C:\WINNT\System32\glkr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C70D47-BCAC-B32D-82FB-B7693FF9DEC3} - C:\WINNT\System32\glkr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINNT\System32\mqmckgbi.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB66.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\System32\wslglsnb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB66.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINNT\octeltpop.exe
O4 - HKLM\..\Run: [sys031053650142] C:\WINNT\sys031053650142.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [axi6eb78] RUNDLL32.EXE w02c52d2.dll,n 0066eb720000000202c52d2
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Mam] C:\Program Files\M?crosoft\r?ndll32.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TIELT001.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://www.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157227340828
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O20 - Winlogon Notify: wavew - C:\WINNT\Web\printers\wavew.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Qmlvc2l0ZQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
 
Hi Matt The Pirate

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[screenshot: uninstall-man.gif]


5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Send:

- a fresh HijackThis log
- combofix report
- uninstall list
 
O.K., thanks for the help

Ran ComboFix. It found SurfSideKick and a bunch of infections. Here is the ComboFix log:

Matt - 06-10-28 10:17:27.35 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Matt\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\Duce6.exe
C:\WINNT\Eim03.exe
C:\WINNT\system32\tsuninst.exe
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Cowabanga
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}
C:\WINNT\Qmlvc2l0ZQ
C:\Program Files\network monitor
C:\Program Files\Common Files\{54B38ED2-01F5-1033-1008-991223980001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\iexplore.exe
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\WNSXS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1\r?ndll32.exe
C:\QooBox\Purity\WINNT\MBOLS~1
C:\QooBox\Purity\WINNT\SCURIT~1
C:\QooBox\Purity\WINNT\MBOLS~1\MBOLS~1
C:\QooBox\Purity\WINNT\system32\SCURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-28 to 2006-10-28 ))))))))))))))))))))))))))))))))))


2006-10-28 10:19 106,496 --a------ C:\WINNT\Duce6.exe
2006-10-28 10:13 163,840 --a------ C:\WINNT\sys022105365014.exe
2006-10-28 01:49 1,259 --a------ C:\WINNT\system32\axi6eb78.sys
2006-10-28 01:46 913,576 --a------ C:\WINNT\system32\WinNB66.dll
2006-10-28 01:46 53,248 --a------ C:\WINNT\ab_02.exe
2006-10-28 01:46 49,428 --a------ C:\WINNT\system32\wslglsnb.dll
2006-10-28 01:46 45,056 --a------ C:\WINNT\octeltpop.exe
2006-10-28 01:46 433,632 --a------ C:\WINNT\hancerdoem.exe
2006-10-28 01:46 32,768 --a------ C:\WINNT\unstall.exe
2006-10-28 01:46 217,346 --a------ C:\WINNT\Setup90.exe
2006-10-28 01:46 122,900 --a------ C:\WINNT\system32\mqmckgbi.dll
2006-10-28 01:29 2 --a------ C:\WINNT\system32\wnstssv.exe
2006-10-28 01:29 131,072 --a------ C:\WINNT\system32\glkr.dll
2006-10-28 01:28 310,482 --a------ C:\tskmgr.exe
2006-10-28 01:28 115,947 --a------ C:\sstray.exe
2006-10-28 01:28 1,685 --a------ C:\WINNT\2389759.exe
2006-10-28 01:28 1,685 --a------ C:\2389759.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 10:22 8636 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.sta
2006-10-28 10:22 17374 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.rul
2006-10-28 10:22 -------- d-a------ C:\Program Files\Common Files
2006-10-28 10:11 -------- d-------- C:\Program Files\Common Files\oukf
2006-10-28 02:08 -------- d-------- C:\Program Files\HijackThis
2006-10-28 01:46 163840 --a------ C:\WINNT\win320901421053652006.exe
2006-10-28 01:46 -------- d-------- C:\Program Files\webHancer
2006-10-28 01:46 -------- d-------- C:\Program Files\em
2006-10-14 22:44 -------- d-------- C:\Program Files\captaincooks
2006-10-14 12:03 -------- d---s---- C:\Documents and Settings\Matt\Application Data\Microsoft
2006-10-08 14:10 -------- d-------- C:\Documents and Settings\Matt\Application Data\AdobeUM
2006-10-08 14:09 -------- d-------- C:\Documents and Settings\Matt\Application Data\Adobe
2006-09-29 23:03 -------- d-------- C:\Documents and Settings\Matt\Application Data\LimeWire
2006-09-22 07:38 53248 --a------ C:\WINNT\109uninst.exe
2006-09-22 07:36 53248 --a------ C:\WINNT\uni_7eh.exe
2006-09-21 17:42 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-19 21:32 -------- d-------- C:\Program Files\Java
2006-09-19 21:30 -------- d-------- C:\Program Files\Common Files\Java
2006-09-18 21:58 -------- d-------- C:\Documents and Settings\Matt\Application Data\Sun
2006-09-06 21:25 -------- d-------- C:\Program Files\CCleaner
2006-09-05 01:35 -------- d-------- C:\Program Files\maplecasino
2006-09-04 20:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-04 20:29 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-03 01:12 -------- d-------- C:\Program Files\LimeWire
2006-09-02 13:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-02 00:50 -------- d-------- C:\Documents and Settings\Matt\Application Data\Real
2006-08-31 17:24 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-08-31 17:17 -------- d-------- C:\Documents and Settings\Matt\Application Data\Macromedia
2006-08-30 23:16 -------- d-------- C:\Documents and Settings\Matt\Application Data\MSN6
2006-08-30 22:52 -------- d-------- C:\Documents and Settings\Matt\Application Data\Identities
2006-08-30 22:38 -------- d-------- C:\Program Files\Internet Explorer
2006-08-30 20:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-30 20:52 517 --a------ C:\Program Files\Common Files\mebo
2006-08-30 18:33 73216 --a------ C:\WINNT\system32\juakvwl.dll
2006-08-30 10:20 94720 --a------ C:\WINNT\system32\llbvmcm.dll
2006-08-30 10:20 72192 --a------ C:\WINNT\system32\dtqntmc.dll
2006-08-28 20:32 215308 --a------ C:\WINNT\srvzwienlo.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"Mam"="C:\\Program Files\\M?crosoft\\r?ndll32.exe"
"oukf"="C:\\PROGRA~1\\COMMON~1\\oukf\\oukfm.exe"
"Oras"="\"C:\\DOCUME~1\\Matt\\APPLIC~1\\WNSXS~1\\iexplore.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"1pop06apelt3"="C:\\WINNT\\octeltpop.exe"
"axi6eb78"="RUNDLL32.EXE w02c52d2.dll,n 0066eb720000000202c52d2"
"sys022105365014"="C:\\WINNT\\sys022105365014.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wavew

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 10:22:42.39
C:\ComboFix.txt ... 06-10-28 10:22
 
New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:07 AM, on 10/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\octeltpop.exe
C:\WINNT\sys022105365014.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\imapi.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:80
R3 - URLSearchHook: (no name) - {67C70D47-BCAC-B32D-82FB-B7693FF9DEC3} - C:\WINNT\System32\glkr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB66.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINNT\octeltpop.exe
O4 - HKLM\..\Run: [axi6eb78] RUNDLL32.EXE w02c52d2.dll,n 0066eb720000000202c52d2
O4 - HKLM\..\Run: [sys022105365014] C:\WINNT\sys022105365014.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Mam] C:\Program Files\M?crosoft\r?ndll32.exe
O4 - HKCU\..\Run: [oukf] C:\PROGRA~1\COMMON~1\oukf\oukfm.exe
O4 - HKCU\..\Run: [Oras] "C:\DOCUME~1\Matt\APPLIC~1\WNSXS~1\iexplore.exe" -vt ndrv
O4 - Startup: TA_Start.lnk = C:\WINNT\TIELT001.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://www.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157227340828
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 
I'm trying to get you a copy of the programs list but when I click on SAVE LIST it does not go to the next step and ask me where I want to save the list. I tried to print screen but I can't seem to get the option to paste into this message box. I also saved print screens to wordpad and tried to upload as attachments but it does not seem to work.

Hmm, how can I get you a copy of my programs list?

Thx,
M the P
 
Hi

Send that picture to e.g. imageshack or some similar service and paste the link here, please :)
 
Hi

Send that picture to e.g. imageshack or some similar service and paste the link here, please :)

I went to the imageshack.com website but there are tons of programs and I have no clue what to do or how to get my printscreen posted to an address so that I can post it here. I registered for Smilebox but it did not seem to work.


NOTES:
By the way, just as notes: the TagAsauruS icon downloaded onto my computer when the virus hit last night. I erased the icon on my desktop but I'm sure that didn't remove any real programs.

Also, when I first boot up I get a DLL message box that says it can't find w02c52d2.dll
 
Here is my program list with me manually typing in the names:

Ad Aware SE Personal
Adobe Download Manager 1.2 (remove only)
Adobe Reader 6.0.1
Advanced Browser
Captain Cooks Casino
Captain Cooks Poker
Casino Kingdom
C Cleaner (remove only)
DivX
DivX Player
elitemediagroup
ewido anti-spyware 4.0
Google Toolbar for IE
HiJackThis 1.99.1
Internet Explorer Q832894
Irfanview (remove only)
J2SE Runtime Environment 5.0 update 6
Limewire Pro 4.9.37
LucasArts Curse Of Monkey Island
Macromedia Shockwave Player
Maple Casino
Mirar
MSN Music Assistant
Outlook Express Q837009
Pop Up Stopper Free Edition
Realplayer
RealProducer Basic 8.5
Roadrunner Medic 5.2
Smilebox
Spybot Search And Destroy 1.4
Sun Vegas Casino
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix (See Q828026 for more information)
SEVERAL WINDOWS XP HOTFIX with numbers following such as KB821557
WinRAR Archiver
 
Hi

Uninstall these:

elitemediagroup
Mirar

Open HijackThis, click "Do a system scan only" and checkmark these:

R3 - URLSearchHook: (no name) - {67C70D47-BCAC-B32D-82FB-B7693FF9DEC3} - C:\WINNT\System32\glkr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB66.dll
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINNT\octeltpop.exe
O4 - HKLM\..\Run: [axi6eb78] RUNDLL32.EXE w02c52d2.dll,n 0066eb720000000202c52d2
O4 - HKLM\..\Run: [sys022105365014] C:\WINNT\sys022105365014.exe
O4 - HKCU\..\Run: [Mam] C:\Program Files\M?crosoft\r?ndll32.exe
O4 - HKCU\..\Run: [oukf] C:\PROGRA~1\COMMON~1\oukf\oukfm.exe
O4 - HKCU\..\Run: [Oras] "C:\DOCUME~1\Matt\APPLIC~1\WNSXS~1\iexplore.exe" -vt ndrv
O4 - Startup: TA_Start.lnk = C:\WINNT\TIELT001.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://www.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Close all windows including browser and press fix checked.

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\Duce6.exe
C:\WINNT\sys022105365014.exe
C:\WINNT\system32\axi6eb78.sys
C:\WINNT\system32\WinNB66.dll
C:\WINNT\ab_02.exe
C:\WINNT\system32\wslglsnb.dll
C:\WINNT\octeltpop.exe
C:\WINNT\hancerdoem.exe
C:\WINNT\unstall.exe
C:\WINNT\Setup90.exe
C:\WINNT\system32\mqmckgbi.dll
C:\WINNT\system32\wnstssv.exe
C:\WINNT\system32\glkr.dll
C:\tskmgr.exe
C:\sstray.exe
C:\WINNT\2389759.exe
C:\2389759.exe
C:\WINNT\win320901421053652006.exe
C:\WINNT\109uninst.exe
C:\WINNT\uni_7eh.exe
C:\WINNT\system32\juakvwl.dll
C:\WINNT\system32\llbvmcm.dll
C:\WINNT\system32\dtqntmc.dll
C:\WINNT\srvzwienlo.exe
C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.sta
C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.rul

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Delete these:

C:\Program Files\Common Files\oukf
C:\Program Files\webHancer
C:\Program Files\Common Files\mebo

Empty Recycle Bin

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
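The checklist above was built by reading the HijackThis log by eye. As an added example (not code from this thread, from HijackThis or from ComboFix), the script below parses the R3/O2/O3/O4/O15 lines of such a log and reproduces the same triage with simple defender heuristics: Trusted Zone domains outside an allowlist, Run entries whose path contains unprintable characters (the `M?crosoft` look-alike directory), entries that execute from a user profile, `RUNDLL32` loading a DLL by bare name, and `(no name)` / `(file missing)` registrations. The sample lines are copied from the log posted earlier in the thread; the Trusted Zone allowlist and the set of adware names (`Mirar`, `ToolBar888`, taken from the helper's uninstall list) are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Sample HijackThis 1.99.1 lines, copied from the log posted earlier in this thread
# (the first line is a process-list line, which the parser must ignore).
SAMPLE_LOG = r"""
C:\WINNT\System32\smss.exe
R3 - URLSearchHook: (no name) - {67C70D47-BCAC-B32D-82FB-B7693FF9DEC3} - C:\WINNT\System32\glkr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB66.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [axi6eb78] RUNDLL32.EXE w02c52d2.dll,n 0066eb720000000202c52d2
O4 - HKCU\..\Run: [Mam] C:\Program Files\M?crosoft\r?ndll32.exe
O4 - HKCU\..\Run: [Oras] "C:\DOCUME~1\Matt\APPLIC~1\WNSXS~1\iexplore.exe" -vt ndrv
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
"""

# Assumptions for this example: domains allowed in the IE Trusted Zone, and the
# adware names the helper in this thread told the poster to uninstall.
TRUSTED_ZONE_ALLOWLIST = ("microsoft.com", "windowsupdate.com")
KNOWN_ADWARE_NAMES = {"Mirar", "ToolBar888"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
CLSID = r"\{[0-9A-Fa-f-]+\}"
HOOK_RE = re.compile(r"^(?P<kind>BHO|Toolbar|URLSearchHook): (?P<name>.*?) - _?(?P<clsid>"
                     + CLSID + r") - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<url>\S+) \((?P<hive>\w+)\)$")


@dataclass
class Entry:
    section: str                 # R3, O2, O3, O4, O15, ...
    kind: str                    # BHO, Toolbar, URLSearchHook, Run, Trusted Zone, other
    name: str = ""               # display name, Run value name, or Trusted Zone host
    path: str = ""               # file path, command line, or URL
    raw: str = ""
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if (h := HOOK_RE.match(body)):
        return Entry(sec, h["kind"], h["name"], h["path"], line)
    if (r := RUN_RE.match(body)):
        return Entry(sec, r["key"], r["name"], r["cmd"], line)
    if (t := TZ_RE.match(body)):
        return Entry(sec, "Trusted Zone", urlparse(t["url"]).hostname or "", t["url"], line)
    return Entry(sec, "other", "", body, line)


def assess(e: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips."""
    p = e.path
    if e.kind == "Trusted Zone":
        host = e.name
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOWLIST):
            e.reasons.append("trusted-zone domain outside allowlist")
    if "?" in p:  # HijackThis prints '?' for characters it cannot render (look-alike names)
        e.reasons.append("unprintable or homoglyph character in path")
    if re.search(r"\\(DOCUME~1|Documents and Settings)\\", p, re.I):
        e.reasons.append("executes from a user profile directory")
    if re.match(r'^\s*rundll32(\.exe)?\s+[^\\"]+\.dll', p, re.I):
        e.reasons.append("RUNDLL32 loads a DLL by bare name (resolved via search path)")
    if "(no name)" in e.name:
        e.reasons.append("registered with no display name")
    if "(file missing)" in p:
        e.reasons.append("registered but file missing (dead entry)")
    if e.name in KNOWN_ADWARE_NAMES:
        e.reasons.append("name matches adware identified in this thread")
    return e


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and assess(e).reasons:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.kind:<14} {f.name!r:<22} {f.path}")
        for reason in f.reasons:
            print(f"    -> {reason}")
```

Run on the sample, the script reports the seven entries the helper flagged and stays silent on the Java BHO and the Java update scheduler; the heuristics are deliberately narrow so that a match is worth a human look rather than an automatic fix.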
 
O.K., I was able to complete the steps. Only slight problems I had were as follows:


1. elitemediagroup seemed to already be uninstalled
2. Mirar made me go to their webpage but it seemed to uninstall O.K.
3. on Killbox I did not see an option for "All files" but everything seemed to work O.K. for the Killbox steps and it rebooted just fine
4. I do not see this C:\Program Files\Common Files\mebo when I go to File Manager. The other two I deleted


Here is my Combofix log:

Matt - 06-10-29 11:32:08.97 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Matt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\iexplore.exe
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\WNSXS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1\r?ndll32.exe
C:\QooBox\Purity\WINNT\MBOLS~1
C:\QooBox\Purity\WINNT\SCURIT~1
C:\QooBox\Purity\WINNT\MBOLS~1\MBOLS~1
C:\QooBox\Purity\WINNT\system32\SCURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 11:30 -------- d-a------ C:\Program Files\Common Files
2006-10-29 11:28 4201 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.sta
2006-10-29 11:28 17358 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.rul
2006-10-29 11:22 -------- d-------- C:\Program Files\HijackThis
2006-10-28 10:38 -------- d-------- C:\Program Files\Smilebox
2006-10-28 10:38 -------- d-------- C:\Documents and Settings\Matt\Application Data\Smilebox
2006-10-28 00:46 -------- d-------- C:\Program Files\em
2006-10-14 21:44 -------- d-------- C:\Program Files\captaincooks
2006-10-14 11:03 -------- d---s---- C:\Documents and Settings\Matt\Application Data\Microsoft
2006-10-08 13:10 -------- d-------- C:\Documents and Settings\Matt\Application Data\AdobeUM
2006-10-08 13:09 -------- d-------- C:\Documents and Settings\Matt\Application Data\Adobe
2006-09-29 22:03 -------- d-------- C:\Documents and Settings\Matt\Application Data\LimeWire
2006-09-21 16:42 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-19 20:32 -------- d-------- C:\Program Files\Java
2006-09-19 20:30 -------- d-------- C:\Program Files\Common Files\Java
2006-09-18 20:58 -------- d-------- C:\Documents and Settings\Matt\Application Data\Sun
2006-09-06 20:25 -------- d-------- C:\Program Files\CCleaner
2006-09-05 00:35 -------- d-------- C:\Program Files\maplecasino
2006-09-04 19:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-04 19:29 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-03 00:12 -------- d-------- C:\Program Files\LimeWire
2006-09-02 12:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-01 23:50 -------- d-------- C:\Documents and Settings\Matt\Application Data\Real
2006-08-31 16:24 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-08-31 16:17 -------- d-------- C:\Documents and Settings\Matt\Application Data\Macromedia
2006-08-30 22:16 -------- d-------- C:\Documents and Settings\Matt\Application Data\MSN6
2006-08-30 21:52 -------- d-------- C:\Documents and Settings\Matt\Application Data\Identities
2006-08-30 21:38 -------- d-------- C:\Program Files\Internet Explorer
2006-08-30 19:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-30 19:52 517 --a------ C:\Program Files\Common Files\mebo


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"sys022105365014"="C:\\WINNT\\sys022105365014.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wavew

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-29 11:32:52.27
C:\ComboFix.txt ... 06-10-29 11:32
C:\ComboFix2.txt ... 06-10-28 09:22
 
new HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:53 AM, on 10/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:80
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [sys022105365014] C:\WINNT\sys022105365014.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157227340828
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 
Notes:

1. O.K., I found the mebo file now and deleted it.
2. In my HijackThis log it will not delete the "toolbar888" line.


How does everything look?

Matt The Pirate
 
Shabo,

My ComboFix log is the last post on the previous page. I thought that might be confusing. Please look at the last post on page 1 of this thread.

Thx,
Matt The Pirate
 
Oh, O.K., here is a fresh combofix:


Matt - 06-10-31 18:36:49.60 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Matt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\iexplore.exe
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\WNSXS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1\r?ndll32.exe
C:\QooBox\Purity\WINNT\MBOLS~1
C:\QooBox\Purity\WINNT\SCURIT~1
C:\QooBox\Purity\WINNT\MBOLS~1\MBOLS~1
C:\QooBox\Purity\WINNT\system32\SCURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-31 18:31 4115 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.sta
2006-10-31 18:31 17067 --ahs---- C:\Documents and Settings\Matt\Application Data\3C0C84CB87974D3694CF44AF76982793.rul
2006-10-30 19:27 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-29 11:40 -------- d-------- C:\Program Files\HijackThis
2006-10-29 11:39 -------- d-a------ C:\Program Files\Common Files
2006-10-28 10:38 -------- d-------- C:\Program Files\Smilebox
2006-10-28 10:38 -------- d-------- C:\Documents and Settings\Matt\Application Data\Smilebox
2006-10-28 00:46 -------- d-------- C:\Program Files\em
2006-10-14 21:44 -------- d-------- C:\Program Files\captaincooks
2006-10-14 11:03 -------- d---s---- C:\Documents and Settings\Matt\Application Data\Microsoft
2006-10-08 13:10 -------- d-------- C:\Documents and Settings\Matt\Application Data\AdobeUM
2006-10-08 13:09 -------- d-------- C:\Documents and Settings\Matt\Application Data\Adobe
2006-09-29 22:03 -------- d-------- C:\Documents and Settings\Matt\Application Data\LimeWire
2006-09-19 20:32 -------- d-------- C:\Program Files\Java
2006-09-19 20:30 -------- d-------- C:\Program Files\Common Files\Java
2006-09-18 20:58 -------- d-------- C:\Documents and Settings\Matt\Application Data\Sun
2006-09-06 20:25 -------- d-------- C:\Program Files\CCleaner
2006-09-05 00:35 -------- d-------- C:\Program Files\maplecasino
2006-09-04 19:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-04 19:29 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-03 00:12 -------- d-------- C:\Program Files\LimeWire
2006-09-02 12:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-01 23:50 -------- d-------- C:\Documents and Settings\Matt\Application Data\Real
2006-08-31 16:24 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-08-31 16:17 -------- d-------- C:\Documents and Settings\Matt\Application Data\Macromedia


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"sys022105365014"="C:\\WINNT\\sys022105365014.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wavew

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-31 18:37:29.11
C:\ComboFix.txt ... 06-10-31 18:37
C:\ComboFix2.txt ... 06-10-29 11:32
C:\ComboFix3.txt ... 06-10-28 09:22
 
Hi

Boot in safe mode

Open HijackThis, click "Do a system scan only" and checkmark these:

O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [sys022105365014] C:\WINNT\sys022105365014.exe


Close all windows, including your browser, and press Fix checked.

Reboot.

Send a fresh HijackThis log.
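The two entries the helper singles out share traits that can be checked mechanically before anyone clicks Fix. The following is an added example (my own code, not HijackThis or anything posted in this thread) that parses O3 (toolbar) and O4 (autorun) lines in HijackThis 1.99.1 format and flags them with three heuristics of my own: a registered component whose file is missing, an executable sitting directly in the Windows directory rather than System32 or Program Files, and a filename that is mostly digits. The sample lines are taken from the logs in this thread.

```python
import re

# Constructed sample in HijackThis 1.99.1 format: three benign entries from the
# logs above plus the two the helper asked to have fixed.
SAMPLE_LOG = """\
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINNT\\System32\\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\\Program Files\\Common Files\\{34B38ED2-01F5-1033-1008-991223980001}\\MyToolBar.dll (file missing)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [sys022105365014] C:\\WINNT\\sys022105365014.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Parse O3 (toolbar) and O4 (autorun) lines into dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = O3_RE.match(line)
        if m:
            entries.append({"type": "O3", "line": line, "name": m["name"], "path": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip()
            # Program path only: drop surrounding quotes and trailing arguments
            exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            entries.append({"type": "O4", "line": line, "name": m["name"], "path": exe})
    return entries

def suspicious_reasons(entry):
    """Heuristics (my own, not HijackThis's) matching what the helper flagged above."""
    reasons = []
    path = entry["path"]
    if path.endswith("(file missing)"):
        reasons.append("registered component whose file is gone")
    parts = path.replace("(file missing)", "").strip().split("\\")
    # Legitimate autoruns live under System32 or Program Files, not in %SystemRoot% itself
    if len(parts) == 3 and parts[1].upper() in ("WINNT", "WINDOWS"):
        reasons.append("executable placed directly in the Windows directory")
    base = parts[-1].rsplit(".", 1)[0]
    if base and sum(c.isdigit() for c in base) / len(base) >= 0.5:
        reasons.append("name is mostly digits")
    return reasons

def triage(text):
    """Map each suspicious log line to the reasons it was flagged."""
    flagged = {}
    for entry in parse_hjt(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["line"]] = reasons
    return flagged
```

Running `triage(SAMPLE_LOG)` returns exactly the ToolBar888 and sys022105365014 lines; the heuristics are a triage aid for reading a log, not a substitute for checking what each file actually is.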
 
Here is an EWIDO report:

+ Created at: 3:47:06 AM 11/1/2006

+ Scan result:



C:\Program Files\em\dohancer\whCC-GIANT3.exe/whAgent.exe -> Adware.Webhancer.a : No action taken.
C:\WINNT\Web\printers\wavew.dll -> Downloader.Agent.bai : No action taken.
[1384] C:\WINNT\Web\printers\wavew.dll -> Downloader.Agent.bai : No action taken.
C:\QooBox\Purity\Documents and Settings\Matt\Application Data\WNSXS~1\iexplore.exe -> Downloader.PurityScan.co : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end



I applied all actions and killed this stuff.

Will now do your instructions in next post.

M the P
 
Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:52 AM, on 11/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:80
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157227340828
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34B38ED2-01F5-1033-1008-991223980001}

THIS LINE WILL NOT DELETE OUT OF HJT


Is this my problem?

M the P
 