
Recent Trojan Horse Downloader.generic5.biu (outerinfo, Yazzlesudoku?), Troj_puritysc.bl Type Trojan & (possible) Obfustat.evn Infection


12 replies to this topic

#1 alassnsane

alassnsane

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:22 AM

Posted 08 August 2007 - 03:20 PM

Evening...I realize that this is a strange way of going about this, but I think in the long run it will be easier to understand. Below is an explanation of what was happening with my PC as of a few days ago. At that time I intended to request your help in ensuring I'd succeeded in removing all malware. However, after having performed all your prep scans, everything appeared to be fine, and since my PC was behaving in no way suspiciously, I thought, perhaps, I wouldn't have to bother you after all. Unfortunately, that may have changed.

This morning, while removing a couple of unnecessary start up processes via Msconfig, AVG alerted to a virus and then a short time later, to two more, this is what it "healed" and vaulted:

C:\WINDOWS\system32\Obfustat.EVN
C:\Program Files\LogMeIn\x86
C:\Program Files\LogMeIn\x86\update3-00-600bakx86

From what I've been able to glean online, I now suspect that this could be a false positive and somehow was brought about by what I was doing at the time...possibly? I haven't yet deleted these three "viruses" from my virus vault, and hesitate to do so if they aren't actually viruses at all. However, please read on...

I originally wrote the following a few days ago, before I ultimately decided I might just be in the clear. Fortunately, I hadn't discarded it yet. I apologize for how long and convoluted this is...


"Hello...
Before we begin, I should point out that my comprehension re computer issues is minimal, at best. So, please bear with me should I provide information that isn't pertinent, since I don't really understand enough to differentiate between what is, and isn't, important.

Several days ago I, stupidly, visited a lyrics site. Immediately, AVG alerted that I was infected with a trojan downloader (Trojan horse Downloader.Generic5.BIU on C:\Program Files\Common Files\Yazzle15520inAdmin.exe). AVG then closed the webpage and presented me with the options of "heal" or "move to vault". I chose heal. After a second scan AVG reported that it had healed and vaulted the following:

Trojan Horse Downloader.Generic5.HXS
Trojan horse Generic-cEQ
Trojan horse Downloader.Generic5.BIU

The final results overview reported that they had all been "deleted". I wiped all three from the vault.

Immediately afterward, while using IE, an "internet speed monitor" popup appeared. I emptied cookies, deleted temporary files manually, then immediately ran both Ad-Aware SE Personal, which alerted and removed 27 critical objects, and Spybot, which detected and removed "YazzleSudoku", among a few other bits of spyware.

Either just prior to or just after (can't recall) running my adware detectors I discovered the process ISMModule.exe running in Task Manager as well as "Outerinfo" listed in Add/Remove. I ended the ISM process and removed the Outerinfo program...at least it reported that it had been removed successfully. I checked my program files for any obvious related folders and didn't see anything.

Even though all my scans were now reporting no malware, just to be safe, I ran Trend Secure's House Call which picked up one spyware and one virus and reported:

1 infected files are cleaned
1 detected security risk cannot be solved
The spyware's name was Adware_Purityscan, the type was adware.

It asked me to specify required actions for the security risks and I chose "remove all"...

Virus, Trojan and Worms Check results:

0 cleaned,
0 incleanable,
0 passed,
1 deleted,
0 undeletable

Deleted TROJ_PURITYSC.BL type trojan, infected file source C:\77.tmp


Spyware check results:

1 removed, Adware-Purityscan
0 passed
0 unremovable
0 vulnerabilities detected

House Call then reported "Congratulations! All security threats have been cleaned or removed successfully!" and I was, prematurely, slightly optimistic, but I knew enough to be worried re what might happen as soon as I rebooted, and as it turns out, my fears were justified.

As soon as I rebooted, popups took over my Google search engine, so, recalling something I had heard recommended as a temporary measure, I narrowed down which add-on was involved and disabled it. This seemed to succeed in minimizing, if not stopping, the popups. The add-on was named "BndDrive BHO Class". At this point I noticed "Internet Speed Monitor" listed under programs and uninstalled that, as well. I'm not certain if it was due to removing this program, or due to cleaning by one of the scans, but soon after this I noticed that the disabled add-on had disappeared.

Next, I ran Panda virus scan. It did detect and remove something; however, IE errored (unrelated, due to something I did) and the window closed before I could retrieve a report.

Finally, I ran BitDefender Online virus scan and this is a copy of the report:

Results:
identified viruses 1
infected files 2
suspect files 0
warnings 0
disinfected files 0
deleted files 2

C:\System Volume Information\_restore{E244971E-F8D5-4F35-8145-89EA748E2281}\RP877\A0085005.dll

Infected with Generic Malware SIMDWYNVdpm.D9407F4E
Disinfection failed
Deleted


C:\WINDOWS\LastGood\system32\ActiveScan\psk.ahk.dll

Infected with Generic Malware SIMDWYNVdpm.D9407F4E
Disinfection failed
Deleted


At this point, I'm not experiencing any especially noticeable performance issues, or popups. Also, I've rebooted and no suspicious processes are running in Task Manager, but I am hesitant to trust this, since scans have persisted in reporting a virus even though a previous scan would claim my system checked out fine. Until I've an expert opinion, I doubt I'd trust a clean scan. I've included a HT log in the optimistic hope that you will provide an all clear or, if necessary, further advice re what my next step should be.

A few last things...I've no idea if this is even related (I suspect it is), but shortly after the infection occurred a window popped up which I could make no sense of, containing the following info, so I thought I should mention it just in case:

"Last query: INSERT INTO vnr_creatives_history SET uid=2646428780724659604,
cid=0, view_time=UNIX_TIMESTAMP() ON DUPLICATE KEY UPDATE
view_time=UNIX_TIMESTAMP()
Error: 1114 The table 'vnr_creatives_history' is full
Last query: INSERT INTO vnr_creatives_history SET uid=2646428780724659604,
cid=24, view_time=UNIX_TIMESTAMP() ON DUPLICATE KEY UPDATE
view_time=UNIX_TIMESTAMP()
Error: 1114 The table 'vnr_creatives_history' is full"

Secondly, as a complete newbie, and before I knew any better, I downloaded Weatherbug. I did (long ago) remove it via add/remove, but it still shows up as an add-on in IE, though I have disabled it. A program file still remains as well.

Thirdly, after these troubles began I noticed in C: three files that I'd never noticed before. I've become suspicious of one especially, because just after becoming infected, as I was logging off with all programs closed, Windows notified me that "Program 78" was shutting down. A rather long pause followed before it did, finally, shut down. Also, and especially, because House Call deleted TROJ_PURITYSC.BL from "C:\77.tmp", I am highly distrustful of these files.

The three files are:

C:\.rnd
C:\7A.tmp
C:\78.tmp

Should I delete these files manually? I must admit, I'm itching to.

Lastly, I was going to run McAfee Stinger as per your prep instructions; however, I noticed that the instructions direct XP users to disable our system restore before running the scan. When I begin to do this I am notified that doing so would wipe all of my restore points, and I'm hesitant to do so...or are my restore points already, basically, useless now due to this infection? (I just ran Stinger in report mode only and it found nothing.)"

Finally, we're up to date...This morning, following this latest 'infection', and after running another online BitDefender scan (detected nothing), I scanned the 3 suspicious files individually at "VirusTotal", and while file .rnd scanned clean and file 7A.tmp reported no data, 78.tmp was flagged six different ways by various scanners as follows:

DR/Agent.AY.2,
Adware:Win32/Bnddrive,
Trojan.Click.3573,
not-a-virus:AdWare.Win32.Agent.ay,
Adware:Win32/Bnddrive,
AdWare.Win32.Agent.ay,
Trojan.Agent.AY.2

I haven't rebooted since the most recent 'infection' this morning, and I don't see any unusual processes running in TM, or any unfamiliar programs in add/remove.

I hope you can make heads or tails out of all this. Thank you for your immense patience, and your assistance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:43 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself...d/mstts_sam.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/chzl/default/p...ploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i.i.com.com/cnet.g2/shared/page_bg.jpg
O24 - Desktop Component 1: (no name) - http://www.runescape.com/img/title/mm_player.jpg

--
End of file - 8382 bytes


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:05:22 AM

Posted 19 August 2007 - 12:19 AM

Hello alassnsane and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems, please post a brand new HijackThis log as a reply to this topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:22 AM

Posted 29 August 2007 - 09:11 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:19 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself...d/mstts_sam.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/chzl/default/p...ploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i.i.com.com/cnet.g2/shared/page_bg.jpg
O24 - Desktop Component 1: (no name) - http://www.runescape.com/img/title/mm_player.jpg

--
End of file - 8874 bytes

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:05:22 AM

Posted 31 August 2007 - 11:10 AM

Hi alassnsane,

Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

Step #2

Run HijackThis, press Scan, and put a check mark next to all these entries:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')


Close all other windows and browsers, and press the Fix Checked button.

Step #3

Did you set the following two items as active desktop elements yourself?

Desktop Component 0: (no name) - http://i.i.com.com/cnet.g2/shared/page_bg.jpg
Desktop Component 1: (no name) - http://www.runescape.com/img/title/mm_player.jpg

If you did not do so, have it fixed with HijackThis too please.

Step #4

Once you have done this please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location
Step #5

Please copy and paste the following text into Notepad:

rem export the two keys where MSConfig parks the startup items it has disabled
regedit.exe /e msconfigfolder.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
regedit.exe /e msconfigreg.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
rem join both exports into one file and remove the two pieces
type msconfigfolder.txt > msconfig.txt
type msconfigreg.txt >> msconfig.txt
del msconfigfolder.txt
del msconfigreg.txt
rem show the result; the batch waits until Notepad is closed, then removes its own files
notepad.exe msconfig.txt
del msconfig.txt
del msconfig.bat

Save this as "msconfig.bat" (choose to save as *all files*) and place it on your Desktop.
Double-click msconfig.bat. Soon it should disappear from your Desktop; this is fine.

Please post the contents of msconfig.txt

Step #6

Now just a few final notes.

LogMeIn is a legit tool and is still showing in your log. So if you or some other family member installed it to be able to access the others' computer from home, you can leave it. If you do not recall installing such, or any other family member, please let me know.

Regarding your System Restore point, we will deal with that later.

Now please report back with a new HijackThis log, the uninstall list and the msconfig.txt log.

Thanks

"How did I get infected?" - "Safe-hex" - Member of UNITE -
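The triage rules from Step #2 and Step #3, applied to lines from the log above, as an added example that is not part of the thread and not HijackThis code. The rules are assumptions read off this reply (a target marked "(file missing)", an O4 Run value with an empty name and no command, an O24 active-desktop component the user must confirm), and the script generalizes the first rule to every section that carries the "(file missing)" annotation, not only O9:

```python
"""Apply the helper's Step #2 / Step #3 triage rules to HijackThis log lines.

Added example (not from the thread, not HijackThis itself). Rules assumed from the reply:
  - an entry whose target carries "(file missing)" is dead and can be fixed,
  - an O4 Run entry with an empty name and no command ("[]") can be fixed,
  - an O24 active-desktop component is flagged for the user to confirm before fixing.
"""
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O24 - Desktop Component 0: (no name) - http://i.i.com.com/cnet.g2/shared/page_bg.jpg
O24 - Desktop Component 1: (no name) - http://www.runescape.com/img/title/mm_player.jpg
"""

# O4 - <hive>\..\Run: [<value name>] <command, or the "(User '...')" suffix on empty values>
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
# any section whose target path HijackThis annotated as missing
_MISSING_RE = re.compile(r"^(?P<section>O\d+) - .*\(file missing\)")
# O24 - Desktop Component N: (name) - <url>
_O24_RE = re.compile(r"^O24 - Desktop Component \d+: .* - (?P<url>\S+)$")

Finding = Tuple[str, str, str]  # (verdict, reason, log line)


def triage(log: str) -> List[Finding]:
    """Return a finding for every line one of the three rules applies to, in log order.

    verdict is "fix" (safe to tick and Fix Checked) or "ask" (needs the user's answer first).
    """
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _O4_RE.match(line)
        if m and not m.group("name"):
            rest = m.group("rest")
            if not rest or rest.startswith("(User "):
                findings.append(("fix", "empty Run value under " + m.group("hive"), line))
                continue
        m = _MISSING_RE.match(line)
        if m:
            findings.append(("fix", m.group("section") + " entry points at a file that no longer exists", line))
            continue
        m = _O24_RE.match(line)
        if m:
            findings.append(("ask", "active desktop component loads " + m.group("url"), line))
    return findings


def fix_list(log: str) -> List[str]:
    """The lines to tick in HijackThis: only the 'fix' verdicts, the 'ask' ones wait for the user."""
    return [line for verdict, _, line in triage(log) if verdict == "fix"]


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print("[{}] {}\n     {}".format(verdict.upper(), reason, line))
```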
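A reader for the msconfig.txt that the Step #5 batch file produces, as an added example that is not part of the thread. It assumes the layout MSConfig uses on Windows XP for entries disabled through its Startup tab (each one parked under startupreg\<name> with string values key, item, hkey, command and dword values YEAR/MONTH/DAY), which the reply does not spell out, and the sample export is constructed, with paths borrowed from names that appear in this thread:

```python
"""Reconstruct the startup items MSConfig has disabled from the msconfig.txt that Step #5 produces.

Added example, not from the thread. Assumes the layout msconfig uses on Windows XP (an
assumption, not stated in the thread): each Run entry disabled in msconfig is parked under
...\MSConfig\startupreg\<name> with string values "key", "item", "hkey", "command" and
dword values YEAR/MONTH/DAY recording when it was disabled. Disabled entries no longer
appear as O4 lines in a HijackThis log, so this export is where to look for them.
"""
import re
from typing import Dict, List, Union

MSCONFIG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"

# Constructed sample in the text format regedit /e writes. Two headers appear because the
# batch file concatenates two exports; the two entries themselves are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WeatherBug]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AWS\\WeatherBug\\Weather.exe\" /tray"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000008
"DAY"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISMModule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISMModule"
"hkey"="HKLM"
"command"="C:\\Program Files\\Internet Speed Monitor\\ISMModule.exe"
"inimapping"="0"
'''

Value = Union[str, int]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_QUOTED = r'"((?:[^"\\]|\\.)*)"'  # a .reg string: backslash escapes \ and "
_STR_RE = re.compile("^" + _QUOTED + "=" + _QUOTED + "$")
_DWORD_RE = re.compile("^" + _QUOTED + r"=dword:([0-9a-fA-F]{8})$")


def _unescape(s: str) -> str:
    # regedit writes \\ for a backslash and \" for a double quote inside strings
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse a regedit /e export into {key path: {value name: value}} (string and dword values)."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue  # blank line or a (possibly repeated) export header
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _STR_RE.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = int(m.group(2), 16)
    return keys


def disabled_startup_items(text: str) -> List[Dict[str, Value]]:
    """List every Run entry parked under startupreg with hive, key, command and disable date."""
    prefix = MSCONFIG_ROOT + "\\startupreg\\"
    items: List[Dict[str, Value]] = []
    for path, values in parse_reg_export(text).items():
        if not path.startswith(prefix) or "command" not in values:
            continue
        when = "unknown"
        if all(k in values for k in ("YEAR", "MONTH", "DAY")):
            when = "{}-{:02d}-{:02d}".format(values["YEAR"], values["MONTH"], values["DAY"])
        items.append({
            "name": path[len(prefix):],
            "hive": values.get("hkey", "?"),
            "run_key": values.get("key", "?"),
            "command": values["command"],
            "disabled_on": when,
        })
    return items


if __name__ == "__main__":
    for it in disabled_startup_items(SAMPLE_REG):
        print("{:<12} {}\\{}  {}  (disabled {})".format(
            it["name"], it["hive"], it["run_key"], it["command"], it["disabled_on"]))
```

An empty export like the one posted in the next reply (only the two key headers) yields no items, which is the expected result when nothing has been disabled through MSConfig.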


#5 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:22 AM

Posted 31 August 2007 - 09:56 PM

Hello, Yourhighness (heh btw, great nic). Thank you for answering my post. :thumbsup:

I do have Windows Firewall enabled; I'm not sure why it's not appearing in the log...perhaps because it's built in with XP Service Pack 2?

Yes, LogMeIn was originally installed so that my brother-in-law could access my PC to help sort out an unrelated network issue.


You asked me to post the content of "msconfig.txt". I am assuming this is what popped up in notepad? I hope this is what you wanted...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]


The uninstall list...

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AIM Toolbar
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Avance AC'97 Audio
AVG 7.5
BigFix
CCleaner (remove only)
CEP - Color Enable Package
Cheetah CD Burner
CompuServe
Conexant SoftK56 Modem(M)
DivX Web Player
ExtractNow
Google Earth
Google Gmail Notifier
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
HP Product Detection
Intel® Extreme Graphics Driver
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Lemonade Tycoon 2
Lexmark X74-X75
LimeWire 4.8.1
Logitech iTouch Software
Logitech MouseWare 9.79
LogMeIn
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Works 6.0
MSN Messenger 7.5
Netscape 6 (6.2.1)
Outlook Express To HTML Converter v1.2
Panda ActiveScan
Power MP3 WMA Converter 2005, (ver 2.0)
Power Video to Audio Converter 1.01
QuickTime
RealPlayer Basic
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SimPE 0.58b (alpha)
Sims2DB Version 1.2
Sims2Pack Clean Installer
Spybot - Search & Destroy 1.4
The Sims 2
TS2 WTF Editor v1.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WavePad Uninstall
WD Diagnostics
Winamp (remove only)
Windows Backup Utility
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinMX
WinZip
World of Warcraft
Yahoo! Messenger


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:42 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself...d/mstts_sam.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/chzl/default/p...ploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8406 bytes

#6 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 01 September 2007 - 03:43 AM

Hey Alassnsane,

The Windows firewall is better than nothing, but doesn't monitor outgoing packets very well. A third party firewall will bug you with a lot of deny or allow questions for a while, but you should be able to tell it to remember your decision so after about a week or so you will rarely be asked for a decision. It's up to you, I just think you should really give it a try. For a bit more on the firewall thing, have a read here: http://www.us-cert.gov/cas/tips/ST04-004.html.

You asked me to post the content of "msconfig.txt". I am assuming this is what popped up in notepad? I hope this is what you wanted...

Yes indeed. Exactly what I was after.

Step #1

You have multiple instances of Java installed. These older versions leave you open to attacks used by malware authors, who take advantage of security leaks in previous versions of Java. It is therefore necessary to always only have one version (and that is the latest) on your PC.

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:
  • J2SE Runtime Environment 5.0 Update 1
  • J2SE Runtime Environment 5.0 Update 10
  • J2SE Runtime Environment 5.0 Update 2
  • J2SE Runtime Environment 5.0 Update 6
  • Java 2 Runtime Environment Standard Edition v1.3.1_02
  • Java™ SE Runtime Environment 6 Update 1
Step #2

I see you have WinMX and Limewire installed. Limewire (the most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean. Older and newer versions may not be.): chances are junk was bundled with this product even if you paid for it. If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this: http://pcpitstop.com/spycheck/badtorrent.asp

Step #3

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player

Step #4

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #5

Please post back with a fresh HijackThis log and the result from F-Secure Online Scanner.

Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
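The reasoning behind Step #1 (several JRE versions installed, only the newest should stay) can be checked mechanically. The following Python script is an added example, not code from the forum or from Sun: it normalises the three naming schemes Sun used in Add or Remove Programs into comparable version tuples and reports every runtime except the newest; the INSTALLED list is a constructed excerpt of the uninstall list posted above, with one non-Java entry added to show it is ignored.

```python
import re

# Constructed from the uninstall list posted earlier in this thread, plus one
# non-Java entry ("Adobe Flash Player 9 ActiveX") that must be ignored.
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 1",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment Standard Edition v1.3.1_02",
    "Java™ 6 Update 2",
    "Java™ SE Runtime Environment 6 Update 1",
    "Adobe Flash Player 9 ActiveX",
]

# Sun's product names map onto one version line (1.3 -> 3, 1.5 = "5.0" -> 5,
# 1.6 = "6" -> 6), so every scheme is reduced to (major, minor, update):
#   "Java 2 Runtime Environment Standard Edition v1.3.1_02" -> (3, 1, 2)
#   "J2SE Runtime Environment 5.0 Update 10"                -> (5, 0, 10)
#   "Java(TM) 6 Update 2" / "Java(TM) SE Runtime Environment 6 Update 1"
#                                                          -> (6, 0, 2) / (6, 0, 1)
OLD_STYLE = re.compile(r"^Java 2 Runtime Environment .*v1\.(\d+)\.(\d+)_(\d+)$")
J2SE_STYLE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)$")
# "\S*" swallows the trademark sign that follows "Java" in the newer names.
NEW_STYLE = re.compile(r"^Java\S* (?:SE Runtime Environment )?(\d+) Update (\d+)$")


def jre_version(name):
    """Return (major, minor, update) for a JRE uninstall entry, or None if it is not one."""
    m = OLD_STYLE.match(name) or J2SE_STYLE.match(name)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = NEW_STYLE.match(name)
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    return None


def runtimes_to_remove(entries):
    """Return (entry to keep, sorted entries to uninstall) for an Add/Remove list.

    Every recognised JRE except the single newest one goes on the removal list;
    entries that are not a Java runtime are left alone.
    """
    found = [(v, e) for e in entries if (v := jre_version(e)) is not None]
    if not found:
        return None, []
    _, keep = max(found)
    return keep, sorted(e for _, e in found if e != keep)


if __name__ == "__main__":
    keep, remove = runtimes_to_remove(INSTALLED)
    print("keep:  ", keep)
    for entry in remove:
        print("remove:", entry)
```

For the list above this yields the same six items the helper names in Step #1 and keeps Java™ 6 Update 2.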


#7 alassnsane

  • Topic Starter

  • Members
  • 10 posts

Posted 01 September 2007 - 08:58 PM

Hello again...

I am running the F-Secure scan as I type this... this will be the second time that I've attempted to do so; the first time, midway through, my PC froze. Hopefully that won't recur.

I've removed WinMX as you suggested. Thank you for providing the links re P2P software. For the time being, since it wasn't listed as one of the more iffy programs, I'd like to hang onto Lime. At least until I've the time to review all the material and choose a better source.

I really am uncomfortable with P2P downloading. The only reason I occasionally succumb at all is that my musical tastes are quite off the wall. Many of the tunes I listen to are virtually unknown and legit sources, such as Rhapsody, which I used to have, almost Never carry those things I'm seeking. However, I've some idea as to what to look out for, file size, extensions, etc and do try to be quite careful as to what I do DL.

I am also looking over my options for a software firewall as well, and will definitely replace the Windows firewall with one of those that you suggested. Thank you for those links, btw.

While uninstalling Java 2 Runtime Environment Standard Edition v1.3.1_02 the uninstaller reported that it succeeded in uninstalling all parts but for...

C:\Program Files\JavaSoft\JRE\1.3.1_02'.
C:\Program Files\JavaSoft\JRE'.
C:\Program Files\JavaSoft'.

and that these needed to be removed manually... I've found the file; is it okay if I simply delete it manually?


A few things I thought to mention...

I used to have no choice but to run AOL. Over the years, once when I was attempting to upgrade to a newer version, and once simply on its own, my AOL has gone buggy. To make a long story short, I've now 3 versions of AOL on my PC, because my efforts to remove the first two have been thwarted. I now have Roadrunner and use Gmail and am opening AOL less and less these days; in fact I cringe when I have to... I don't know if it's just my luck, but opening AOL seems to treble ongoing issues I have with connectivity.

So, I've these two earlier versions of AOL I'd like to remove, if possible, if it isn't opening another can of worms...can I remove them via hijackthis? If I attempt to remove them via add/remove it always fails, so all this time I've simply left them there. If you think it'd be best to leave well enough alone until I have to do a reinstall at some point, that's fine too.

Also, if you think it might help, I've no problem at all with uninstalling Cheetah, Compuserve, Netscape (do I need this for any reason? I always use IE), World of Warcraft and Real Player (keeps sneaking back on my PC somehow).


Something I feel I should mention...my infection with the Trojan downloader really wasn't the first issue with this PC....Earlier this year I was experiencing problems with slowdowns but nothing startlingly obvious, mostly it seemed to be running a bit slower than it ought to be, certainly a little slower than it had in the past. My PC's speed was one of the reasons why I increased my RAM to 1.50 and replaced my video card with one with 256 MB of memory.

Initially, I was really pleased with the changes, especially related to gaming. As you can see from the remove list, I used to play the Sims 2 and it eats up resources like a starving man. The upgrade eased most of the difficulties caused by my (let's face it) crappy little E-Machine while playing the Sims. Earlier this year I noticed that my speed when not gaming didn't seem up to par. So, I invested in an external hard drive with 111 GBs and moved my music, videos etc onto it, thinking that I might improve performance if I freed up some space on C-drive. I can't really explain my logic here, but regardless, freeing up space on C-drive didn't seem to make much difference.

Eventually I consulted my brother-in-law who knows a little something about computers (probably enough to be dangerous) and he recommended I DL and scan with CCleaner, which I did. I wanted to mention that I have saved those CC registry backups (but I may well have been infected with something at the time that I was unaware of, and which the recent online scanners have since removed).

It seems to me that ever since running CCleaner I have been experiencing fatal crashes and episodes of my PC freezing. If I try to play the Sims, inevitably it now crashes. I do realize that the Sims can be buggy, and have a good understanding of how often this is related to the DLing of mods, and have even resolved a number of these episodes in the past on my own, but my game has always been relatively stable, and these crashes and freezes are happening when I'm not running the Sims, so, my gut tells me that I am now dealing with something else entirely.

I've considered E-Machine's propensity to overheat might be causing the crashes, but fortunately, my HD doesn't seem to ever get that warm. I do keep it especially well ventilated and clean though. Still, I placed a fan directly on the tower during one of the periods when it was freezing and crashing and it didn't seem to make any difference at all.

Because of the timing of when these crashes began I am wondering if I didn't muck something up within the registry?

When my post here went so long unanswered, I began thinking that, considering the age of my operating system, I probably should do a complete reinstall, and since I do have my restore CD I have been working at moving all my data onto my external drive in preparation. If these issues, and the virus issues, can be taken care of without a reinstall it would be nice because I could save a few programs I'd rather not lose, such as my old version of Limewire... but at the same time I wonder if it wouldn't be the best thing to do the reinstall as I've been running this original version of Windows for going on three years now.

I guess my question is, in your opinion, do you think it might be the best thing all 'round to simply reinstall? I'm not trying to say I've no desire to work with you and make the necessary changes to clean up my HD, I'm simply wondering if I might be putting you to all this trouble for nothing if my version of Windows might be irretrievably damaged somehow.

Also, thank you for being patient with the delay in my responses to your posts. My life atm prevents me from checking in as often as I'd like, but please trust that I'm not ignoring you and will answer asap... and thank you for your continuing assistance.



I've included a new hijackthis log, and will include another along with the F-Secure scan report when it finishes.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:26 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1188662176\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188662176\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself...d/mstts_sam.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab
O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/chzl/default/p...ploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8910 bytes
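Added example (not from the thread, HijackThis or F-Secure): a small triage script for the O16 (ActiveX download) and O23 (service) lines of a HijackThis log like the one above. It flags controls fetched from hosts outside an analyst-chosen trusted set, unnamed controls, services with no publisher string, and cross-checks control names against file names from an AV report; the sample lines are constructed from the log posted above, the trusted-host set is an assumption, and the AV detection path is the one in the F-Secure report later in the thread.

```python
"""Triage helper for HijackThis O16 (DPF/ActiveX) and O23 (service) lines."""
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the log posted in the thread.
SAMPLE_LOG = """\
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/chzl/default/p...ploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\\Program Files\\Cheetah Burner\\Cheetah CD Burner\\NMSAccess.exe
"""

# Hosts the analyst accepts for ActiveX downloads (an assumption for this example).
TRUSTED_HOSTS = {"download.bitdefender.com", "zone.msn.com"}

# File reported as W32/DLoader.DAJD in the F-Secure report posted later in the thread.
AV_DETECTIONS = ["C:\\WINDOWS\\DOWNLOADED PROGRAM FILES\\POPCAPLOADER.DLL"]

DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*)\))? - (\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text):
    """Split raw HijackThis lines into O16 and O23 records."""
    dpf, services = [], []
    for line in text.splitlines():
        m = DPF_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            dpf.append({"clsid": clsid, "name": name or "", "url": url,
                        "host": urlparse(url).hostname or ""})
            continue
        m = SVC_RE.match(line)
        if m:
            name, owner, path = m.groups()
            services.append({"name": name, "owner": owner, "path": path})
    return {"dpf": dpf, "services": services}


def triage(parsed, trusted_hosts=TRUSTED_HOSTS, av_detections=()):
    """Return (kind, identifier, reason) tuples that deserve a human look."""
    findings = []
    detected = [d.rsplit("\\", 1)[-1].lower() for d in av_detections]
    for e in parsed["dpf"]:
        if e["host"] not in trusted_hosts:
            findings.append(("O16", e["clsid"], f"download host {e['host']!r} not trusted"))
        if not e["name"]:
            findings.append(("O16", e["clsid"], "control has no friendly name"))
        # Heuristic cross-check: a trusted download host does not prove the
        # cached control is clean, so match the control name against AV hits.
        stem = e["name"].split()[0].lower() if e["name"] else ""
        if stem and any(stem in d for d in detected):
            findings.append(("O16", e["clsid"], f"matches AV detection on {stem!r}"))
    for s in parsed["services"]:
        if s["owner"].lower() == "unknown owner":
            findings.append(("O23", s["name"], f"no publisher for {s['path']}"))
    return findings


if __name__ == "__main__":
    for kind, ident, reason in triage(parse_hjt(SAMPLE_LOG), av_detections=AV_DETECTIONS):
        print(kind, ident, reason)
```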

#8 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 01 September 2007 - 10:08 PM

Hmmm...unfortunately, my computer froze again while running the F-Secure scan, and from all appearances, it froze at the same stage both times. Also unfortunately, I had the scan minimized both times, so I don't know what file might be causing it to freeze.

I could run the scan a third time with the scan window open so I could record which file it freezes at. Would that information be helpful?

I'm not sure if this is related, but for some time now, if I do a deep scan with Ad Aware, it too freezes at a certain spot, always the same spot, but when this happens only Ad Aware freezes, not my entire system.

Oh, I forgot to mention that it did detect one virus and 18 pieces of spyware before freezing.

Edited by alassnsane, 01 September 2007 - 10:30 PM.


#9 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:05:22 AM

Posted 02 September 2007 - 02:27 PM

Hey Alassnsane,

While uninstalling Java 2 Runtime Environment Standard Edition v1.3.1_02 the uninstaller reported that it succeeded in uninstalling all parts but for...

C:\Program Files\JavaSoft\JRE\1.3.1_02'.
C:\Program Files\JavaSoft\JRE'.
C:\Program Files\JavaSoft'.

Check if you have "C:\Program Files\Java\jre1.6.0_02." This should be the path to the latest version of Java. If it is under that path, I see no reason why you should not delete the folders and files manually.

I've now 3 versions of AOL on my PC

I can only see the one in your add/remove list. Can you point out the paths to the three versions? Just so we would not delete the wrong ones :flowers: .

...can I remove them via hijackthis? If I attempt to remove them via add/remove it always fails...

No you cannot. HijackThis is only a "front end" of the Windows Registry. Removing a line there only "deactivates" a program, but does not remove it completely.

Let's try this:

Open HijackThis.
Click Open the Misc Tools section.
Click Open Uninstall Manager.
Find and Select this item: previous version of AOL.
After you have selected the item click Delete this entry.
Then close HijackThis.
More information with a screenshot, can be found here.

If this does not work, please copy the path "uninstall command." This would give me something to work with as an alternative.

Also, if you think it might help, I've no problem, at all, with uninstalling Cheetah, Compuserve, Netscape (do I need this for any reason? I always use IE), World of Warcraft and Real Player (keeps sneaking back on my PC somehow).

Using the same method as described in the previous post, feel free to uninstall those programs. The programs I mentioned "needed" to go for security reasons. All other tools are personal choice and can be removed if you wish.

...he recommended I DL and scan with CCleaner, which I did. I wanted to mention that I have saved those CC registry backups (but I may well have been infected with something at the time that I was unaware of, and which the recent online scanners have since removed)...

CCleaner is not a bad product, I use it myself. However, it is quite powerful and hence not used here while helping others, to avoid problems that may arise from wrong usage. If you could please post those backups here, it would give us a better idea if it is related to your problems or not.

do you think it might be the best thing all 'round to simply reinstall?

I would not quite go that far as yet. Let us "dig" a bit further to see if we can get yourself up and running without the hassle of reinstalling. However, one should point out that regular backups are a must. You can use something like Cobian Backup, for which I wrote a tutorial here too (in the tutorial section). Many people consider format and reinstall to be done once a year as normal, but if you do your backups regularly and surf the net with care, it is not always necessary.

I have a busy life too and since we do this in our free time, a bit of a lag can always be caused from my side too. So no need to apologise. I keep myself busy with other people in the HijackThis area :thumbsup: too, and do not realise pure lag this way anyway.

Step #1

Please have F-Secure scan run again and note down the stage at which it freezes. Best would be to do the same for adaware, to see if it is the same problem, or multiple problems.

Step #2

Please post back with the CCleaner backup details, the stage at which Adaware & F-Secure stall and the paths to the AOL versions, if the above mentioned method did not work.

Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#10 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 September 2007 - 03:05 PM

Well, when it rains, it certainly pours. My seemingly benign idea to remove programs that I didn't need via Add/Remove has backfired. I've the sinking feeling that I may have created a real mess.

From the beginning, things weren't going very well. All but two of the programs that I tried to remove presented some sort of complication during the removal process. I've described each issue below. The very last program I was trying to remove was World of Warcraft. I opened Add/Remove, selected "remove WOW" and received an error message stating that the game couldn't be found. I'd forgotten that I had installed the game on my external F-drive and had no idea how to persuade Add/Remove to recognize it.

This is when I messed up big time...I really don't know what possessed me, but I moved the complete installed game folder from my external F-drive to my C-drive, then, realizing what I'd done, in a bit of a panic I replaced it directly back on the F-drive. World of Warcraft no longer shows up in Add/Remove and I have no idea how badly I might have damaged my system...nor the slightest idea what the consequences might be. I can only hope none will be as serious as I'm imagining, then cross my fingers and wait to hear back from you.

I'm really not trying to make your task more difficult, though I'm sure it probably appears that way.


The following is a list of each program that I experienced difficulty removing and a brief description of what happened:

-Netscape 6
The program appeared to be uninstalling, but then froze midway. I was forced to end the program. Netscape disappeared from the Add/Remove options, but when I physically checked the program folder I discovered a 28.3 MB folder.

The path to this folder is: C:\Program Files\Netscape


-Spybot - Search & Destroy
Because I was experiencing problems with updating, I decided to uninstall then reinstall Search & Destroy. When I attempted to remove it in Add/Remove I received the following error..."File C:\Program Files\Spybot - Search & Destroy\unins000.dat could not be opened. Cannot uninstall. Error 5. Access denied."

The path to this folder is C:\Program Files\Spybot - Search & Destroy


-Compuserve
I received the error "Uninstall Compuserve has encountered a problem and needs to close."

The path to this folder is C:\Program Files\CompuServe 7.0


-Cheetah CD Burner
"An installation support file could not be installed. Access Denied."

The path to this folder is C:\Program Files\Cheetah Burner


-AOL

As far as AOL is concerned, I did try one last time to remove it. "Choose which version to remove" was all that appeared in Add/Remove, and when I selected it, it errored "Uninstall America Online has encountered a problem and needs to close."

So, I followed your instructions with the HijackThis Uninstall Manager. Unfortunately, the selection was exactly the same as that in Add/Remove ("choose which version") only, but no versions. So I didn't do anything and am providing you with the paths.

If you think it would be better in the long run to uninstall all three versions (which considering their history, might very well be borked) that's fine with me. I've an AOL disc I can use should I choose to reinstall the program.

I noticed that, strangely, the one functioning version's folder (9.0a) contains very few folders and files compared to the other two versions. Since one of these defunct versions happened during a disastrous reinstall, I wouldn't be surprised if a clean AOL slate, if possible, might be the wisest route. Leaving the current version installed is fine too, whatever you think is best.

The uninstall command you requested: C:\Program Files\Common Files\aolshare\Aolunins_us.exe

The defunct versions...
C:\Program Files\America Online 8.0
C:\Program Files\America Online 9.0

The current 'functional' version...
C:\Program Files\America Online 9.0a


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The file where Ad Aware deep scans freeze:
C:\WINDOWS\SERVICEPACKFILES\i386\msrdp.cab


While last night the F-Secure scan repeatedly froze, today it went through the very first time I ran it. Perhaps one of the programs I removed was causing the problem? In any case, the F-Secure scan report:

Scanning Report
Monday, September 03, 2007 12:45:16 - 14:38:55
Computer name: CATHSBLUEMEANIE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\

Result: 26 malware found
Adware.Ismas (spyware)
System (Disinfected)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
W32/DLoader.DAJD (virus)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38332
System: 5937
Not scanned: 3
Actions:
Disinfected: 3
Renamed: 0
Deleted: 0
None: 23
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{9151F2D2-CA56-4BE8-939F-EA58A206ECC6}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-09-02
F-Secure AVP: 7.0.171, 2007-09-03
F-Secure Orion: 1.2.37, 2007-09-03
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-08-27
F-Secure Pegasus: 1.19.0, 2007-08-01
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And finally, I've attached my CCleaner registry backup. Thank you again for your continuing assistance :thumbsup:

#11 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 September 2007 - 03:22 PM

Attached File: Copy_of_CCleaner_Registry_Backup_1_of_2.txt (247.16KB)


(Sorry to have to tack this on here, but there wasn't enough space to include the entire file as an attachment :thumbsup: then again, I've never done this before and may not quite have the hang of it.)


Edited by alassnsane, 03 September 2007 - 03:30 PM.


#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:05:22 AM

Posted 04 September 2007 - 01:26 PM

Hey Alassnsane,

to be honest, I think your best bet would be to reformat your PC. As you suggested, over time too many things have gotten twisted about.
If you wish to pursue other means first, I would suggest visiting the Windows XP forum section.

Thanks for your understanding.

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#13 alassnsane

alassnsane
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 04 September 2007 - 05:05 PM

Thank you for taking a stab at it, Yourhighness. In the long run, I'm quite sure giving up the ship is the wisest course, especially as I discovered yesterday that this version of Windows is actually nearly 4 years old. :flowers:

Anyway, thanks again for all your effort :thumbsup:
