
Infected With Virtumonde


  • This topic is locked
14 replies to this topic

#1 Biermaken

  • Members
  • 11 posts

Posted 09 September 2007 - 02:05 PM

Hello. I had a problem on another computer about a month and a half ago, but now I'm house sitting for a friend and told him I'd work on getting his computer free of a virus, so I'm back here again. It worked great the first time here and I trust it will work again.

I've run the newest Ad-Aware, SpyBot S&D, online scans from House Call and BitDefender. I've also run Stinger and now I'm posting my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:42 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8281 bytes

#2 rookie147

  • Members
  • 5,321 posts

Posted 09 September 2007 - 03:37 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Biermaken

  • Topic Starter
  • Members
  • 11 posts

Posted 09 September 2007 - 04:13 PM

Thanks Charles. I renamed HijackThis.exe to fluffybunny as you said. Then I followed the instructions for VundoFix. One thing I do want to say is that I installed the current version of Java (JRE 6 Update 2) and removed the old version before I ran VundoFix. I'm not sure why the old version is in the VundoFix log.

Here's the VundoFix log:

VundoFix V6.5.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:56:10 PM 9/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\bupdkprn.dll
C:\WINDOWS\system32\ddcyvus.dll
C:\WINDOWS\system32\hgggdbb.dll
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\ssqqomj.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\sstqn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hgggdbb.dll
C:\WINDOWS\system32\hgggdbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\klnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\pmnlk.dll Has been deleted!

Performing Repairs to the registry.
Done!

---------------------------------------------

The HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:37 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BE1B4AC-DFD0-42A8-AD57-F437133004C1} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {13F081A9-9D62-4D0A-A519-5A4141B3A8C0} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {2F4E37F9-B661-45C2-A1AD-D60782C19DBA} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {C6E904C7-0B62-4C54-B948-82CF79FB63F3} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {EDAF7B77-032F-4506-AE0D-0AE57D85537E} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll (file missing)
O20 - Winlogon Notify: ssqqomj - ssqqomj.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 9623 bytes

#4 rookie147

  • Members
  • 5,321 posts

Posted 10 September 2007 - 10:56 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download the following uninstaller to your Desktop:
http://www.purityscan.com/ps_uninstaller.exe
Double click ps_uninstaller.exe and let it run.
Reboot afterwards: IMPORTANT

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {0BE1B4AC-DFD0-42A8-AD57-F437133004C1} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {13F081A9-9D62-4D0A-A519-5A4141B3A8C0} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: (no name) - {2F4E37F9-B661-45C2-A1AD-D60782C19DBA} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {C6E904C7-0B62-4C54-B948-82CF79FB63F3} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {EDAF7B77-032F-4506-AE0D-0AE57D85537E} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll (file missing)
O20 - Winlogon Notify: ssqqomj - ssqqomj.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folder (if present):

C:\Program Files\Outerinfo

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Then scan once more with HijackThis and post the log in your reply along with the Combofix log.
Thanks,
Charles

EDIT: Typos

Edited by rookie147, 10 September 2007 - 10:57 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.
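The entries Charles picked for "Fix checked" above, and the suspicious lines in the first log of this thread, follow a few mechanical rules: a BHO, toolbar, URLSearchHook or Winlogon Notify entry whose DLL is gone (VundoFix deleted the files but left the registry loaders behind), an autorun that launches from a user's Temp folder, and programs the thread identifies as unwanted. The script below is an added example, not code from this thread and not part of HijackThis, that applies those rules to HJT log lines. The sample lines are copied from the second log posted above; the list of flagged program names (Outerinfo, thinksnet) is an assumption taken from the entries fixed above, and the `Finding` type and function names are the example's own.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code and not something
the helper posted. It encodes the structural rules used above to pick the
entries for "Fix checked".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT entry starts with a section tag: R0-R3 (IE URLs/hooks) or Onn.
SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# An autorun that lives under a user's Temp folder (8.3 or long form).
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)

# Program names this thread identifies as unwanted (Outerinfo was removed
# with the PurityScan uninstaller; thinksnet.exe ran from Temp). Constructed
# for this example; maintain your own list from triage notes.
FLAGGED_NAMES = ("outerinfo", "thinksnet")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    reason: str    # why the entry was flagged
    line: str      # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT entry, or None if it looks clean."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None                       # headers, process list, blank lines
    section, body = m.group(1), m.group(2)
    lowered = body.lower()

    # Registry loader still points at a DLL/EXE that no longer exists. In this
    # thread VundoFix deleted the files but left the BHO / Winlogon Notify /
    # toolbar / URLSearchHook keys behind; those keys are what HJT must fix.
    if "(file missing)" in lowered or lowered.endswith("(no file)"):
        return Finding(section, "loader points at a missing file", line.strip())

    # Run entry that launches from a Temp folder: legitimate software does not
    # normally persist from there.
    if section == "O4" and TEMP_RE.search(body):
        return Finding(section, "autorun launches from a Temp folder", line.strip())

    if any(name in lowered for name in FLAGGED_NAMES):
        return Finding(section, "name matches a known-unwanted program", line.strip())

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and collect the hits."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Sample lines copied from the second HJT log in this thread (plus two
# benign entries for contrast).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BE1B4AC-DFD0-42A8-AD57-F437133004C1} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O20 - Winlogon Notify: ssqqomj - ssqqomj.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<40} {f.line}")
```

Two caveats when reading the output. A "(file missing)" entry cannot load anything by itself, but it is the sign of an incomplete cleanup: the key still has to be removed, and on a Vundo-style infection the same family tends to drop a fresh DLL under a new random name, so a second scan after the fix is the check that matters. The Temp-folder rule also fires on legitimate installers that register a one-time Run entry, so review each hit rather than deleting on the script's say-so.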


#5 Biermaken

  • Topic Starter
  • Members
  • 11 posts

Posted 10 September 2007 - 07:55 PM

Alrighty, Charles. I've followed your instructions again. There are a few things to note: S&D Resident was running in the background and was continuing to pop up notices as both HJT and ComboFix were running, and avast! was giving me warnings of a virus infection when ComboFix was running. I'm not sure if these had any effect, but it's a good idea to let you know what's going on.

ComboFix log:

ComboFix 07-09-10.6 - "Jason" 2007-09-10 20:36:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.629 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\Jason\APPLIC~1\macromedia\Flash Player\#SharedObjects\GRGTY9KX\www.broadcaster.com
C:\DOCUME~1\Jason\APPLIC~1\macromedia\Flash Player\#SharedObjects\GRGTY9KX\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Jason\APPLIC~1\macromedia\Flash Player\#SharedObjects\GRGTY9KX\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Jason\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Jason\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Jason\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\Jason\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\Jason\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Jason\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Jason\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\DOCUME~1\Nancy\APPLIC~1\FunWebProducts
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\svhost
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\G9
C:\WINDOWS\system32\win


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-10 20:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 15:09 <DIR> d-------- C:\VundoFix Backups
2007-09-09 14:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-09 14:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-09 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-09 13:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 13:11 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-09 13:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-09 12:03 <DIR> d-------- C:\DOCUME~1\Jason\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 20:39 --------- d-------- C:\Program Files\Eraser
2007-08-20 18:47 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-27 18:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 18:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 18:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 17:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 17:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2005-10-25 09:39 1508 --a------ C:\Program Files\uninstal.log
2005-07-06 19:18 123001 --a------ C:\Program Files\qtpasswd.exe
2005-07-06 19:17 798720 --a------ C:\Program Files\DarwinStreamingServer.exe
2005-07-06 19:15 73878 --a------ C:\Program Files\QTSSRawFileModule.dll
2005-07-06 19:15 274565 --a------ C:\Program Files\StreamingLoadTool.exe
2005-07-06 19:15 172179 --a------ C:\Program Files\RegistrySystemPathEditor.exe
2005-07-06 19:15 114846 --a------ C:\Program Files\QTSSSpamDefenseModule.dll
2005-07-06 19:15 114834 --a------ C:\Program Files\QTSSRefMovieModule.dll
2005-07-06 19:14 458752 --a------ C:\Program Files\PlaylistBroadcaster.exe
2005-07-06 19:14 245760 --a------ C:\Program Files\MP3Broadcaster.exe
2005-07-06 17:11 14835 --a------ C:\Program Files\ReadMe.rtf
2005-07-06 16:57 61605 --a------ C:\Program Files\streamingadminserver.pl
2005-05-24 17:17 6122 --a------ C:\Program Files\Install.bat
2005-02-28 19:39 1055700 --a------ C:\Program Files\sample_100kbit.mov
2005-02-28 19:36 2518388 --a------ C:\Program Files\sample_300kbit.mov
2005-02-28 18:59 603730 --a------ C:\Program Files\sample_50kbit.3gp
2005-02-24 20:50 8925466 --a------ C:\Program Files\sample_h264_1mbit.mp4
2005-02-24 20:38 2445088 --a------ C:\Program Files\sample_300kbit.mp4
2005-02-24 20:35 933456 --a------ C:\Program Files\sample_100kbit.mp4
2005-02-24 16:57 999438 --a------ C:\Program Files\sample_h264_100kbit.mp4
2003-11-10 18:55 3005 --a------ C:\Program Files\streamingloadtool.cfg
2002-08-08 19:01 27722 --a------ C:\Program Files\streamingserver.xml
2002-05-21 10:00 1362 -ra------ C:\Program Files\ReadMe.txt
2002-02-28 15:03 2457 --a------ C:\Program Files\WinPasswdAssistant.pl
2001-11-15 19:37 1789985 --a------ C:\Program Files\sample.mp3
2001-10-04 17:48 103 --a------ C:\Program Files\qtusers
2001-10-04 10:33 16 --a------ C:\Program Files\qtgroups
2001-09-20 18:37 4929 --a------ C:\Program Files\relayconfig.xml-Sample
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 12:43]
"P17Helper"="P17.dll" [2004-06-10 13:51 C:\WINDOWS\SYSTEM32\P17.dll]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 04:00]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2003-05-14 06:21]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [2003-02-19 17:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" []
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 17:07]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
DESKTOP.INI [2004-08-10 15:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-02-14 12:27:15]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Jason\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Nancy\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 20:41:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 20:42:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 20:42
.
--- E O F ---


-----------------------------------------------

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:47 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8257 bytes
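A helper reading a HijackThis log like the one above is applying a small, fixed set of checks by eye: entries that point at a file that no longer exists, unnamed toolbar or button entries, services with no vendor string, context-menu items whose target is not a file, and anything from the My Web Search / MyWay toolbar family. The Python script below is an added example written for this edit, not code from the thread or from HijackThis; it runs those checks over a subset of lines copied from the log above. The rule set and the `SUSPECT_SUBSTRINGS` blocklist are the editor's own assumptions, so a hit means "look at this", not "delete this": the unnamed O9 button in the sample is BitDefender's online-scanner uninstaller and the Unknown-owner service is an ATI helper, neither of which the log text alone can separate from something hostile.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of lines copied from the HijackThis log above (constructed sample input).
SAMPLE_LOG = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumed blocklist: name fragments of the My Web Search / MyWay toolbar family.
SUSPECT_SUBSTRINGS = ("mywebs", "myway", "m3srchmn")

# Every entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A context-menu (O8) target counts as a real file reference only if it is a
# res:// URL or a drive path; a bare "?p=ZK" is neither.
FILE_TARGET_RE = re.compile(r"res://|[a-z]:\\")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def classify(section: str, body: str) -> Optional[str]:
    """Return why an entry deserves a second look, or None if no rule fires."""
    lower = body.lower()
    if "(no file)" in lower:
        return "registry entry points at a file that no longer exists (orphan)"
    if section == "O23" and "unknown owner" in lower:
        return "service binary carries no vendor information; verify its publisher"
    if section == "O8" and not FILE_TARGET_RE.search(lower):
        return "context-menu item has no file or res:// target"
    if any(s in lower for s in SUSPECT_SUBSTRINGS):
        return "matches the assumed My Web Search / MyWay adware blocklist"
    if "(no name)" in lower:
        return "unnamed entry; identify the file it references"
    if section == "O4" and lower.endswith("= ?"):
        return "startup shortcut whose target HijackThis could not resolve"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the checks above over every R*/O* line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # running-process and header lines are not entries
        reason = classify(m["section"], m["body"])
        if reason:
            findings.append(Finding(m["section"], raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample, six of the eleven lines are flagged and the two avast! entries pass untouched. The order of the rules matters: the orphan check runs first so that an entry that is both unnamed and file-less is reported as an orphan, which is the one case a helper can fix without looking at anything else.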

#6 rookie147

Posted 11 September 2007 - 11:22 AM

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it yet.

Then reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Paste the following bold part into the Suspicious File Packer window:
C:\Program Files\QTSSRawFileModule.dll
C:\Program Files\MP3Broadcaster.exe
C:\Program Files\sample_h264_100kbit.mp4

Allow SFP to pack the file.
This will generate a CAB archive on your Desktop.

Boot back into Normal Mode again.

Go to this page.
Enter the URL of this thread in the first field.
Where it says: "Browse to the file that you want to submit", click the Choose ... button next to the second field and browse to the CAB archive that was created on your Desktop.
The CAB file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Please let me know when you have submitted the files.

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 Biermaken

Posted 11 September 2007 - 05:31 PM

The file was submitted. :thumbsup:

#8 rookie147

Posted 12 September 2007 - 03:39 PM

Those files look clean to me ...

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

In your next reply I'd like to see the Panda log.
Thanks,
Charles



#9 Biermaken

Posted 13 September 2007 - 12:48 AM

Here is the Activescan log:


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.2o7.net/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atdmt[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jason\Cookies\jason@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jason\Cookies\jason@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jason\Cookies\jason@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jason\Cookies\jason@fastclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jason\Cookies\jason@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jason\Cookies\jason@questionmarket[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jason\Cookies\jason@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jason\Cookies\jason@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jason\Cookies\jason@zedo[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jason\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.zedo.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.target.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.overture.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.spylog.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.xiti.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.atwola.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Nancy\Application Data\Mozilla\Firefox\Profiles\y54zwkeo.default\cookies.txt[.revenue.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@112.2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@2o7[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@ads.addynamix[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@belnk[1].txt
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@bilbo.counted[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@bluestreak[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@burstnet[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@centrport[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@cgi-bin[4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@cgi-bin[6].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@com[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@fastclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@findwhat[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@fortunecity[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@goclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@i.screensavers[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@maxserving[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@media.adrevolver[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@statcounter[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@zedo[1].txt
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
Adware:Adware/OuterInfo Not disinfected C:\RECYCLER\S-1-5-21-1549740454-2625975621-2850661344-500\Dc1\OinUninstall.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hgggdbb.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
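Nearly everything in the ActiveScan log above is a tracking cookie, and the five non-cookie hits are not all equal: two are NirCmd, which the `ComboFix.exe[nircmd.exe]` line shows ships inside the cleanup tool used earlier in the thread; one is a Vundo DLL already moved into `C:\VundoFix Backups` and renamed `.bad`; one is an OuterInfo uninstaller sitting in the Recycle Bin; and only the MyWay DLL under `C:\Program Files\MyWaySA` is a live component (the same toolbar family as the `MYWEBS~1\bar\1.bin\m3SrchMn.exe` Run entry in the HijackThis log). The Python script below is an added example written for this edit, not code from the thread or from Panda; it parses a subset of lines copied from the log above and sorts them into those buckets. The bucket rules and the `INERT_FOLDERS` list are the editor's assumptions, and only "Not disinfected" is known from this log to be a status value (the `Disinfected` alternative in the pattern is assumed).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Subset of lines copied from the Panda ActiveScan log above (constructed sample input).
SAMPLE_LOG = r"""
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\aca6mffo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nancy\Cookies\nancy@trafficmp[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jason\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
Adware:Adware/OuterInfo Not disinfected C:\RECYCLER\S-1-5-21-1549740454-2625975621-2850661344-500\Dc1\OinUninstall.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hgggdbb.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
"""

# Row layout: "<category>:<detection name> <status> <location>".
# Detection names may contain spaces ("Cookie/Atlas DMT"), so the name group is
# lazy and the status is matched as a literal. "Disinfected" is an assumed value.
ROW_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)

# Assumed: files under these folders were already quarantined or deleted.
INERT_FOLDERS = ("\\recycler\\", "\\vundofix backups\\")

COOKIE = "tracking cookie"
REMNANT = "quarantined or recycled remnant"
TOOL = "cleanup-tool component"
REVIEW = "needs review"


@dataclass
class Row:
    category: str
    name: str
    status: str
    location: str
    verdict: str


def verdict_for(name: str, location: str) -> str:
    """Assign one of the four buckets from the detection name and the path."""
    loc = location.lower()
    if name.startswith("Cookie/"):
        return COOKIE      # browser data, not executable code
    if any(folder in loc for folder in INERT_FOLDERS) or loc.endswith(".bad"):
        return REMNANT     # already neutralised by an earlier cleanup step
    if "nircmd" in name.lower() or "nircmd" in loc:
        return TOOL        # NirCmd ships inside ComboFix (see the [nircmd.exe] hit)
    return REVIEW


def parse_activescan(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # the "Incident Status Location" header and blank lines
        rows.append(Row(m["category"], m["name"], m["status"], m["location"],
                        verdict_for(m["name"], m["location"])))
    return rows


def summarize(rows: List[Row]) -> Dict[str, int]:
    return dict(Counter(r.verdict for r in rows))


if __name__ == "__main__":
    rows = parse_activescan(SAMPLE_LOG)
    print(summarize(rows))
    for r in rows:
        if r.verdict == REVIEW:
            print("review:", r.name, r.location)
```

Run against the full log the same way, the script leaves a single item in the review bucket, which is what the next reply in the thread acts on implicitly: cookies are cleared with ATF Cleaner and the VundoFix backup folder is deleted, while the two NirCmd hits are ignored because they belong to the tool that did the cleaning.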

#10 rookie147

Posted 13 September 2007 - 11:43 AM

Hi there,
Please download ATF Cleaner to your Desktop.
Don't run it yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

C:\VundoFix Backups can also be deleted now.

Then boot back into Normal Mode. Let me know in your reply how things are running now.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 Biermaken

Biermaken
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:09 AM

Posted 14 September 2007 - 01:08 AM

Followed your instructions again, Charles.

Everything appears to be running normally. No popups or anti-virus warnings anymore.

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 14 September 2007 - 12:21 PM

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles



#13 Biermaken

Biermaken
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:09 AM

Posted 14 September 2007 - 12:56 PM

Thanks for the help, Charles. I'll pass this info on so my friends don't re-infect their computer.

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 14 September 2007 - 03:57 PM

You're very welcome :thumbsup:



#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 25 September 2007 - 04:42 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.





