
Possible Smitfraud: 404search, 7fasst, Adbreak, Adaware.z-quest, Bargainbuddy, Etc.


This topic is locked
4 replies to this topic

#1 Lisi
  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 06 March 2008 - 07:15 AM

To the team:

First of all, thanks in advance for your help. I'm mediocre at troubleshooting, but I can generally follow instructions pretty well. My computer has several spyware, adware, and data miners on it. As a result, bubbles often pop up on the system tray and the wallpaper has been replaced. There is also a keylogger (akl.exe) and task manager has also been disabled.

Attempts to remove these programs through deletion in Ad-Aware, HijackThis and the registry have all failed.

In addition to multiple tracking cookies, Ad-aware found but could not delete these programs:
404search
7fasst
AdBreak
Adaware.Z-Quest
BargainBuddy
CnsMin
Toolbar.softo
Win32.Spyware.Acoona

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:03 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\azkbipez.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Elisa Mala\My Documents\Hijack This\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11976 bytes


#2 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:34 PM

Posted 06 March 2008 - 11:18 AM

Hello Lisi,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lisi
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 07 March 2008 - 02:01 AM

SifuMike:

Thanks so much for responding so quickly! This is what the virus has been doing to my peace of mind as of late: :thumbsup:

I ran SmitFraudFix, which removed the pop-ups and wallpaper and gave me access to the task manager. However, there still seems to be something lurking in the system.

An Ad-Aware scan revealed that the following are still on my computer:
- BargainBuddy (Malware)
- Win32.Spyware.Acoona (Spyware)
- Over 100 (!) tracking cookies

Before, BargainBuddy and Win32.Spyware.Acoona were listed on the registry in both the HKLM and HKU trees.
Now, they are only listed in HKU.
Not sure if that has anything to do with it.

Pasted below are C:\Rapport, HJT, and a portion of the Ad-aware Log.

Many thanks -
Lisi



SmitFraudFix v2.300

Scan done at 0:17:46.39, Fri 03/07/2008
Run from C:\Documents and Settings\Lisi\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\764.exe Deleted
C:\WINDOWS\7search.dll Deleted
C:\WINDOWS\absolute key logger.lnk Deleted
C:\WINDOWS\aconti.exe Deleted
C:\WINDOWS\aconti.ini Deleted
C:\WINDOWS\aconti.log Deleted
C:\WINDOWS\aconti.sdb Deleted
C:\WINDOWS\acontidialer.txt Deleted
C:\WINDOWS\adbar.dll Deleted
C:\WINDOWS\cbinst$.exe Deleted
C:\WINDOWS\daxtime.dll Deleted
C:\WINDOWS\default.htm Deleted
C:\WINDOWS\dp0.dll Deleted
C:\WINDOWS\eventlowg.dll Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe Deleted
C:\WINDOWS\fhfmm.exe Deleted
C:\WINDOWS\flt.dll Deleted
C:\WINDOWS\hcwprn.exe Deleted
C:\WINDOWS\hotporn.exe Deleted
C:\WINDOWS\iexplorr23.dll Deleted
C:\WINDOWS\ie_32.exe Deleted
C:\WINDOWS\jd2002.dll Deleted
C:\WINDOWS\kkcomp$.exe Deleted
C:\WINDOWS\kkcomp.dll Deleted
C:\WINDOWS\kkcomp.exe Deleted
C:\WINDOWS\kvnab$.exe Deleted
C:\WINDOWS\kvnab.dll Deleted
C:\WINDOWS\kvnab.exe Deleted
C:\WINDOWS\liqad$.exe Deleted
C:\WINDOWS\liqad.dll Deleted
C:\WINDOWS\liqad.exe Deleted
C:\WINDOWS\liqui-Uninstaller.exe Deleted
C:\WINDOWS\liqui.dll Deleted
C:\WINDOWS\liqui.exe Deleted
C:\WINDOWS\ngd.dll Deleted
C:\WINDOWS\pbar.dll Deleted
C:\WINDOWS\pbsysie.dll Deleted
C:\WINDOWS\settn.dll Deleted
C:\WINDOWS\spredirect.dll Deleted
C:\WINDOWS\vxddsk.exe Deleted
C:\WINDOWS\wbeCheck.exe Deleted
C:\WINDOWS\wbeInst$.exe Deleted
C:\WINDOWS\wml.exe Deleted
C:\WINDOWS\xadbrk.dll Deleted
C:\WINDOWS\xadbrk.exe Deleted
C:\WINDOWS\xadbrk_.exe Deleted
C:\WINDOWS\xxxvideo.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\ESHOPEE.exe Deleted
C:\WINDOWS\system32\mgmrwmrv.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
C:\WINDOWS\system32\vxddsk.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\wml.exe Deleted
C:\WINDOWS\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A5474618-11C9-4A3E-A94E-BA7805B4FDB0}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A5474618-11C9-4A3E-A94E-BA7805B4FDB0}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A5474618-11C9-4A3E-A94E-BA7805B4FDB0}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:40 AM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\azkbipez.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Elisa Mala\My Documents\Hijack This\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10169 bytes


Portion of Ad-Aware Log:

Infections Found
Family Id Name Category TAI
203 BargainBuddy Malware 8
[300004342] Root: HKU Path: S-1-5-21-1013159525-1455705724-3126522967-1005\software\microsoft\windows\currentversion\ext\stats\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}

926 Win32.Spyware.Acoona Spyware 7
[300018729] Root: HKU Path: S-1-5-21-1013159525-1455705724-3126522967-1005\software\microsoft\windows\currentversion\ext\stats\{944864a5-3916-46e2-96a9-a2e84f3f1208}

725 Tracking Cookie DataMiner 3
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net dmc /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net dmk /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net smc /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net smk /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net dmp /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net apfe /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat specificclick.net smx /
[600000173] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat bluestreak.com id /
[600000190] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat www.googleadservices.com Conversion /pagead/conversion/1072645447/
[600000179] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat atdmt.com AA002 /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMID /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMPS /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMPP /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMX1 /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMS /
[600000434] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat casalemedia.com CMIMP /
[600000050] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tribalfusion.com ANON_ID /
[600000413] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat rotator.adjuggler.com ajess1_4A48AEC4D493ADEFB4889D35 /
[600000413] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat rotator.adjuggler.com ajcmp /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBanners934 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter26648 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter26633 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIFirstHit934 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAILastHit934 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAICampaignCounter934 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBanners936 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBanners937 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter26736 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter26739 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBanners938 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBanners990 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter26742 /
[600000555] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat insightexpressai.com IXAIBannerCounter27888 /
[600000513] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adbrite.com Apache /
[600000513] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adbrite.com b /
[600000542] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ivwbox.de i00 /
[600000263] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat mediaplex.com svid /
[600000113] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat linksynergy.com linkshare_cookie132171 /
[600000513] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat 4.adbrite.com ihc_9644 /
[600000415] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.revsci.net rsi_us_1000000 /adserver
[600000052] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat trafficmp.com dly2 /
[600000052] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat trafficmp.com dmg2 /
[600000052] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat trafficmp.com hst2 /
[600000052] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat trafficmp.com rth /
[600000052] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat trafficmp.com uid2 /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com uid /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com vuday1 /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com pv1 /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com ih /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com liday1 /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com crday1 /
[600000460] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ad.yieldmanager.com fl_inst /
[600000476] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat statcounter.com session_928969 /
[600000476] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat statcounter.com session_699328 /
[600000476] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat statcounter.com session_2447031 /
[600000476] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat statcounter.com session_1747187 /
[600000220] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat xxxcounter.com CID215263 /
[600000076] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat sexlist.com TSLID196679 /
[600000098] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat paycounter.com pctrackd2 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat counter11.sextracker.com CID383642 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat counter11.sextracker.com CID381082 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat counter16.sextracker.com CID357135 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat sextracker.com DYNGFX_ST383642 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat sextracker.com DYNGFX_ST381082 /
[600000247] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat sextracker.com DYNGFX_ST357135 /
[600000447] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat apmebf.com S /
[600000201] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat media.adrevolver.com BIGipServerar-slave /
[600000415] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat revsci.net rsi_segs_1000000 /
[600000415] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat revsci.net NETID01 /
[600000415] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat revsci.net NETSEGS_E05510 /
[600000085] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat questionmarket.com ES /
[600000085] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat questionmarket.com CS1 /
[600000457] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.euroclick.com DMEXP /
[600000457] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.euroclick.com CTCI /
[600000457] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.euroclick.com HS /
[600000457] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.euroclick.com UI /
[600000457] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.euroclick.com NSC_mc-bepqu.fvspdmjdl.dpn-iuuq /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRID /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRimp /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRca /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRcp /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRpl /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRcr /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com PRpc /
[600000093] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ads.pointroll.com F1C1ur /
[600000171] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat bs.serving-sys.com eyeblaster /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com U /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com A2 /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com B2 /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com C3 /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com D3 /
[600000408] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat serving-sys.com E2 /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net TID /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net ANRTT /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net TData /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net Anxd /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net Tcc /
[600000400] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat tacoda.net Tsid /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com geo /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com ZEDOIDX /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com FFcat /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com FFad /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com ZEDOIDA /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com FFChanCap /
[600000000] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat zedo.com __qca /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net DMEXP /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net CTCI /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net HS /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net LO /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net DGI /
[600000073] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adopt.specificclick.net UI /
[600000138] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat fastclick.net pjw /
[600000138] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat fastclick.net pluto /
[600000138] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat fastclick.net adv_ic /
[600000138] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat fastclick.net pop /
[600000138] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat fastclick.net vt /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ehg-newyorkpost.hitbox.com DM570918N4FDV6 /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat hitbox.com CTG /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat hitbox.com WSS_GW /
[600000187] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat advertising.com ACID /
[600000187] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat advertising.com BASE /
[600000187] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat advertising.com ROLL /
[600000187] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat advertising.com F1 /
[600000187] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat advertising.com C2 /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ehg-dig.hitbox.com DM51031542SZV6 /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ehg-dig.hitbox.com DM5103083LCAV6 /
[600000126] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat ehg-dig.hitbox.com DM56042677CEV6 /
[600000201] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adrevolver.com adrev_adpath /
[600000201] Browser: Internet Explorer Cookie: C:\Documents and Settings\Elisa Mala\Cookies\index.dat adrevolver.com adrev_adpath2 /

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:34 PM

Posted 07 March 2008 - 11:34 AM

Hi Lisi,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 5.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKLM\..\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - HKLM\..\Policies\Explorer\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe


*******************************************
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\azkbipez.exe

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
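As an added, defender-side example (not code from HijackThis, OldTimer, CCleaner or the HJT Team), the script below parses HijackThis O4 autostart lines of the kind SifuMike singled out above and flags the ones a helper would want to look at first: a file sitting directly in the Windows directory, a value name that looks machine-generated, an entry under Policies\Explorer\Run, or one executable registered under several autostart keys. The sample log lines are constructed for this example (the first two mirror the entries SifuMike asked to have fixed; the rest are invented benign-looking lines for contrast), and the heuristics and the assumed default install path C:\WINDOWS are this example's own assumptions, not HijackThis rules.

```python
"""Parse HijackThis O4 (autostart) lines and flag the ones worth a second look.
Added example for this thread; the heuristics are this example's own."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample log lines for this example.  The first two mirror the
# entries asked to be fixed above; the others are invented for contrast.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - HKLM\..\Policies\Explorer\Run: [x7vfaQpaRk] C:\WINDOWS\azkbipez.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Corp\updater.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example Corp\exsvc.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Assumed default Windows directory of the XP system in this log.
WINDOWS_DIRS = (r"c:\windows", r"c:\winnt")


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def command_to_exe(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(text: str) -> List[Autostart]:
    """Return one Autostart per O4 line; other HijackThis sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = command_to_exe(m.group("cmd"))
        entries.append(Autostart(m.group("hive"), m.group("key"),
                                 m.group("name"), m.group("cmd"), exe))
    return entries


def looks_random(token: str) -> bool:
    """Crude check: digits mixed with both letter cases, or almost no vowels."""
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    has_digit = any(c.isdigit() for c in token)
    mixed_case = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return (has_digit and mixed_case) or vowel_ratio < 0.2


def review(entries: List[Autostart]) -> List[Autostart]:
    """Attach a reason to each entry that trips a heuristic; return only those."""
    by_exe: Dict[str, List[Autostart]] = {}
    for e in entries:
        by_exe.setdefault(e.exe.lower(), []).append(e)
    for e in entries:
        if ntpath.dirname(e.exe).lower() in WINDOWS_DIRS:
            e.reasons.append("executable sits directly in the Windows directory")
        if "policies\\explorer\\run" in e.key.lower():
            e.reasons.append("registered via Policies\\Explorer\\Run, rarely used by installers")
        if looks_random(e.name):
            e.reasons.append(f"value name {e.name!r} looks machine-generated")
        if len(by_exe[e.exe.lower()]) > 1:
            e.reasons.append("same file registered under multiple autostart keys")
    return [e for e in entries if e.reasons]


def suspicious_autostarts(text: str) -> List[Autostart]:
    return review(parse_o4(text))


if __name__ == "__main__":
    for e in suspicious_autostarts(SAMPLE_HJT):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.exe}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, only the two azkbipez.exe entries are reported; the system32 and Program Files entries trip none of the checks. The heuristics are deliberately loose triage aids for reading a posted log, not a verdict, which is why each finding carries its reasons rather than a single score.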

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:34 PM

Posted 14 March 2008 - 09:42 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



