
SpySheriff


5 replies to this topic

#1 floreksa

floreksa

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 17 June 2005 - 02:17 PM

Hi.

Co-worker got this spyware, along with something that put an icon of a chick along titled sexxx. I think I got rid of that, but I'm having problems getting rid of the spysheriff.

Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:09:20 PM, on 6/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\HIjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: A9 &Toolbar - {200488FD-C76C-47cd-BDE5-FC2571261B63} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: A9 &Diary - {5FE96BC0-E89F-409d-9B68-6D3693E1BA83} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SECURITY.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Search the web with &A9.com - res://C:\Program Files\A9\A9Toolbar.dll/SCONTEXT.HTML
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe


Thanks
Sarah


#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:38 PM

Posted 17 June 2005 - 04:50 PM

Welcome

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download smitfraud.reg to your desktop. Don't use it yet.

***

Please download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode: you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
  • Run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

***

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

***

Delete the following, in bold, if found:

C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

***

Copy the part in bold below into Notepad and save it as cwsspyno.reg.
Set "Save as type" to All Files.

REGEDIT4

[-HKEY_CLASSES_ROOT\MediaPass.Installer]

[-HKEY_CLASSES_ROOT\Bridge.brdg]

[-HKEY_CLASSES_ROOT\Bridge.brdg.1]

[-HKEY_CLASSES_ROOT\WinadX.Installer]

[-HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]

[-HKEY_CLASSES_ROOT\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

[-HKEY_CLASSES_ROOT\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0}]

[-HKEY_CLASSES_ROOT\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}]

[-HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Winad Client]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winad Client]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wind Updates]


Double-click the file and confirm you want to merge it with the registry.

***

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SECURITY.EXE

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

Close HiJackThis.

***

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt, please reboot your computer.

***

Post the report from Ewido and a new HiJackThis log into this topic.


Life is what happens while you're making other plans
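The three HijackThis entries the helper singled out above (the R0 start-page hijack, the O4 Run entry living under System32\Services\{GUID}, and the O20 Winlogon Notify DLL) are each a recognisable pattern rather than a one-off. The script below is an added example, not part of this thread and not any tool the helper used: it parses R0/O4/O20 lines from a HijackThis v1.99.1 log and flags those patterns, plus one more that shows up in the later logs in this thread (a Run entry pointing at a file named like a system binary but sitting outside System32). The sample lines are copied from the logs posted here; the start-page allowlist and the list of stock Winlogon Notify handlers are assumptions for the example.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from this thread).

Flags:
  * R0  start page not on a small allowlist,
  * O4  Run entries under System32\\Services\\{GUID}\\,
  * O4  Run entries whose file borrows a well-known system binary name but
        sits outside System32 (e.g. C:\\WINDOWS\\svchost.exe),
  * O20 Winlogon Notify handlers not on a known-good list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

HJT_LINE = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.*)$')
GUID_SERVICES_DIR = re.compile(r'\\system32\\services\\\{[0-9a-f-]{36}\}\\', re.I)
# Windows binary names that the Ewido report in this thread shows being borrowed.
SYSTEM_NAMES = {'svchost.exe', 'csrss.exe', 'lsass.exe', 'services.exe', 'winlogon.exe', 'smss.exe'}
START_PAGE_ALLOW = {'about:blank', 'http://www.msn.com/'}  # assumption: site policy
WINLOGON_NOTIFY_KNOWN = {'crypt32chain', 'cryptnet', 'cscdll', 'scardsvr', 'schedule',
                         'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}  # assumption: stock XP set

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SECURITY.EXE
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
"""


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def _path_of_o4(body: str) -> str:
    """Extract the command path from 'HKLM\\..\\Run: [Name] C:\\path' (quotes optional)."""
    m = re.search(r'\]\s*"?([^"]+?)"?\s*$', body)
    return m.group(1) if m else ''


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group('kind'), m.group('body')
        if kind == 'R0' and 'Start Page' in body:
            url = body.split('=', 1)[1].strip()
            if url not in START_PAGE_ALLOW:
                findings.append(Finding(kind, f'start page set to {url}', raw))
        elif kind == 'O4':
            low = _path_of_o4(body).lower()
            base = low.rsplit('\\', 1)[-1]
            if GUID_SERVICES_DIR.search(low):
                findings.append(Finding(kind, 'Run entry under System32\\Services\\{GUID}', raw))
            elif base in SYSTEM_NAMES and '\\system32\\' not in low:
                findings.append(Finding(kind, f'{base} launched from outside System32', raw))
        elif kind == 'O20' and body.startswith('Winlogon Notify:'):
            handler = body.split(':', 1)[1].split(' - ')[0].strip().lower()
            if handler not in WINLOGON_NOTIFY_KNOWN:
                findings.append(Finding(kind, f'unknown Winlogon Notify handler {handler}', raw))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:4} {f.reason}\n     {f.line}')
```

Run against the sample, it reports exactly the four lines a helper would ask to have fixed and stays quiet on the McAfee, NWTRAY and Global Startup entries; the allowlists are the part you would tune for your own environment.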

#3 floreksa

floreksa
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 20 June 2005 - 08:24 AM

About 83% through the EWIDO scan it asked to reboot. I did but it never finished scanning.

Here's the logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:52:54 AM, 6/20/2005
+ Report-Checksum: 709BBBB4

+ Date of database: 6/20/2005
+ Version of scan engine: v3.0

+ Duration: 15 min
+ Scanned Files: 17442
+ Speed: 18.39 Files/Second
+ Infected files: 115
+ Removed files: 115
+ Files put in quarantine: 115
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@88287119[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@91338698[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@ads.inet-traffic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@articles.health.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@bravenet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@inet-traffic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@linksynergy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@phg.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@S006-01-2-8-223233-52009[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@S122311[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@S144271[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@server.iad.liveperson[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@stat.onestat[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@statse.webtrendslive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Cookies\pgrassetti@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temp\01808300\168.tmp -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temp\01808300\1908.tmp -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temp\01808300\3932.tmp -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temp\msldf.exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temp\xwxload.exe -> TrojanDownloader.Small.fo -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temporary Internet Files\Content.IE5\0BR92G5F\latest[1].exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temporary Internet Files\Content.IE5\JB69JHKM\z[1].exe -> Trojan.WebSearch.i -> Cleaned with backup
C:\Documents and Settings\PGrassetti\Local Settings\Temporary Internet Files\Content.IE5\Y7519RA1\abc[1].exe -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\Documents and Settings\SFlorek\Cookies\sflorek@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\HIjackThis\backups\backup-20050617-144028-810.dll -> Spyware.MediaTickets -> Cleaned with backup
C:\HIjackThis\backups\backup-20050617-145239-798.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\Program Files\upes\ates.exe -> Spyware.PurityScan -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc12\124492.dlr -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc12\124492.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc16.exe -> Trojan.WebSearch.i -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc21.exe -> Trojan.WebSearch.i -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc4.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc5.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc6.exe -> TrojanDownloader.Small.ahg -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-706699826-854245398-1003\Dc7.exe -> TrojanDownloader.Small.aod -> Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.k -> Cleaned with backup
C:\WINDOWS\ms1.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
C:\WINDOWS\ms2.exe -> TrojanProxy.Mitglieder.do -> Cleaned with backup
C:\WINDOWS\ms3.exe -> Backdoor.Haxdoor.cn -> Cleaned with backup
C:\WINDOWS\ms4.exe -> Trojan.Qhost.n -> Cleaned with backup
C:\WINDOWS\ms5.exe -> Trojan.Qhost.n -> Cleaned with backup
C:\WINDOWS\ms6.exe -> Trojan.Qhost.n -> Cleaned with backup
C:\WINDOWS\nmstt.exe -> TrojanDownloader.Small.ahg -> Cleaned with backup
C:\WINDOWS\svchost.exe -> Trojan.PdPinch -> Cleaned with backup
C:\WINDOWS\sys3043.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys3044.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys517.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys518.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys5333.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys5334.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys5335.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys5911.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys597.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys631.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys632.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch -> Cleaned with backup
C:\WINDOWS\system32\drivers\etc\hosts.bak -> Trojan.Qhost.k -> Cleaned with backup
C:\WINDOWS\system32\drwatson32.exe -> TrojanProxy.Mitglieder.do -> Cleaned with backup
C:\WINDOWS\system32\drwatson_.exe -> TrojanProxy.Mitglieder.do -> Cleaned with backup
C:\WINDOWS\system32\drwatson_32.exe -> TrojanProxy.Mitglieder.do -> Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
C:\WINDOWS\system32\latest.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\system32\mѕiexec.exe -> Spyware.PurityScan -> Cleaned with backup
C:\WINDOWS\system32\newdial.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\newdial1.exe -> TrojanDropper.Agent.my -> Cleaned with backup
C:\WINDOWS\system32\paydial.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Services\{62EF3219-C5FF-40C4-B875-3DEEEDEDC953}\SECURITY.DLL -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{62EF3219-C5FF-40C4-B875-3DEEEDEDC953}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{62EF3219-C5FF-40C4-B875-3DEEEDEDC953}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{62EF3219-C5FF-40C4-B875-3DEEEDEDC953}\SVCHOST.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{62EF3219-C5FF-40C4-B875-3DEEEDEDC953}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{6700613D-8F25-49B7-BD1B-123EEF3D7198}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{6700613D-8F25-49B7-BD1B-123EEF3D7198}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{6700613D-8F25-49B7-BD1B-123EEF3D7198}\SVCHOST.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{6700613D-8F25-49B7-BD1B-123EEF3D7198}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SECURITY.DLL -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SVCHOST.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8064E44F-CF17-41A8-BB30-9723135A0042}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{8657C274-D91D-474C-9FC8-4CC708735496}\SECURITY.DLL -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8657C274-D91D-474C-9FC8-4CC708735496}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8657C274-D91D-474C-9FC8-4CC708735496}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{8657C274-D91D-474C-9FC8-4CC708735496}\SVCHOST.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{8657C274-D91D-474C-9FC8-4CC708735496}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{BEA4145D-D601-4BBC-9C4C-8A62EE2F9635}\SECURITY.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{BEA4145D-D601-4BBC-9C4C-8A62EE2F9635}\SVCHOST.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\Services\{BEA4145D-D601-4BBC-9C4C-8A62EE2F9635}\SVCHOST.EXE -> Trojan.WebSearch.i -> Cleaned with backup
C:\WINDOWS\system32\Services\{BEA4145D-D601-4BBC-9C4C-8A62EE2F9635}\SVCHOST32.DLL -> Trojan.WebSearch.j -> Cleaned with backup
C:\WINDOWS\system32\tibs.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\tmpf00.exe -> Trojan.PdPinch -> Cleaned with backup
C:\WINDOWS\system32\win32.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\system32\~update.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\tool1.exe -> Trojan.LowZones.y -> Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.PdPinch -> Cleaned with backup



Logfile of HijackThis v1.99.1
Scan saved at 9:15:08 AM, on 6/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\HIjackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: A9 &Toolbar - {200488FD-C76C-47cd-BDE5-FC2571261B63} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: A9 &Diary - {5FE96BC0-E89F-409d-9B68-6D3693E1BA83} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Search the web with &A9.com - res://C:\Program Files\A9\A9Toolbar.dll/SCONTEXT.HTML
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe

When I rebooted at the end, her desktop was still different, but did not have the big WARNING block going through the middle.

Thanks!

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:38 PM

Posted 20 June 2005 - 02:53 PM

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Please RIGHT-CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica's reg file. Save it to your desktop.
Leave it for now.

***

Download CleanUp!.
If that doesn't work, use this link.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close.

Let the system reboot.

***

Please download the Killbox.
Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

***

Locate "antivirusgold.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

***

Delete the entire folder C:\Program Files\AntiVirusGold

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then boot back to normal

See if you can rerun Ewido (update it first), then save the log.

Run HijackThis again and post a new log.



#5 floreksa

floreksa
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 21 June 2005 - 10:59 AM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:39:45 AM, 6/21/2005
+ Report-Checksum: 23B593D5

+ Date of database: 6/21/2005
+ Version of scan engine: v3.0

+ Duration: 11 min
+ Scanned Files: 16328
+ Speed: 23.40 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\cz.dll -> Backdoor.Haxdoor.cn -> Cleaned with backup
C:\WINDOWS\system32\hz.sys -> Backdoor.Haxdoor -> Cleaned with backup
C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.cn -> Cleaned with backup
C:\WINDOWS\system32\vdmt16.sys -> Backdoor.Haxdoor -> Cleaned with backup
C:\WINDOWS\system32\winlow.sys -> Backdoor.Haxdoor.bb -> Cleaned with backup
C:\WINDOWS\system32\wz.sys -> Backdoor.Haxdoor.bb -> Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 9:40:32 AM, on 6/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Novell\GroupWise\notify.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HIjackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: A9 &Toolbar - {200488FD-C76C-47cd-BDE5-FC2571261B63} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: A9 &Diary - {5FE96BC0-E89F-409d-9B68-6D3693E1BA83} - C:\Program Files\A9\A9Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Search the web with &A9.com - res://C:\Program Files\A9\A9Toolbar.dll/SCONTEXT.HTML
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe

#6 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:38 PM

Posted 21 June 2005 - 03:35 PM

More work to be done.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!
Please read through the instructions first to see if you understand what I'm asking you to do. If you have any questions, ask them first!!


***

Use Windows Explorer, move to this folder:
c:\windows\prefetch
and delete the content of that folder (all files).
Close Windows Explorer.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINDOWS\SYSTEM32\mszx23.exe
C:\WINDOWS\SYSTEM32\w32tm.exe
C:\WINDOWS\SYSTEM32\cz.dll
C:\WINDOWS\SYSTEM32\vdmt16.sys
C:\WINDOWS\SYSTEM32\hz.dll
C:\WINDOWS\SYSTEM32\winlow.sys
C:\WINDOWS\SYSTEM32\wz.dll
C:\WINDOWS\SYSTEM32\p2.ini
C:\WINDOWS\svchost.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO.

Click "Replace on Reboot" and check the "Use Dummy" box.
Paste the following into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\drct16.dll

Click the red-and-white "Delete File".
Click "Yes" at the Replace on Reboot prompt.
Click "YES" at the Pending Operations prompt.
Reboot the system.

Let me know how things are now. Post back a fresh log using HijackThis to check.


Life is what happens while you're making other plans
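The two entries the helper singled out above illustrate a pattern worth automating: an autorun (O4) line that launches a file named like a Windows system binary from the wrong directory, and a Winlogon Notify (O20) line whose DLL no longer exists. The script below is an added example, not code from this thread or from HijackThis; it parses lines in the HijackThis v1.99.1 format shown in the log and flags exactly those two conditions. The sample lines are constructed, modelled on the posted log, and the set of System32 binary names is an assumption chosen to illustrate the check.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99.1 format, modelled on entries quoted
# in this thread; it is not the poster's full log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [McAfeeUpdaterUI] "C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe"
O4 - HKLM\\..\\Run: [NDPS] C:\\WINDOWS\\System32\\dpmw32.exe
O4 - HKLM\\..\\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\\..\\Run: [System] C:\\WINDOWS\\svchost.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\\Novell\\GroupWise\\notify.exe
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\\Program Files\\NDAS\\System\\ndassvc.exe
"""

# "O4 - HKLM\..\Run: [ValueName] command line"  (registry Run-key autoruns)
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# "O20 - Winlogon Notify: package - dll (file missing)"
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Assumed list: binaries Windows ships in %SystemRoot%\System32. An autorun
# that launches a file of the same name from anywhere else is a masquerade,
# which is what the [System] -> C:\WINDOWS\svchost.exe entry in the log is.
SYSTEM32_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "spoolsv.exe",
}


def exe_path(command: str) -> str:
    """Return the executable part of a Run-key command, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_run_entry(command: str) -> Optional[str]:
    """Flag a system-binary name launched from outside System32."""
    path = exe_path(command).lower()
    parent, _, base = path.rpartition("\\")
    if base not in SYSTEM32_BINARIES:
        return None
    if parent.endswith("\\system32"):
        return None
    where = parent or "(no directory; resolved via PATH)"
    return f"{base} launched from {where}, but Windows keeps that binary in System32"


def check_winlogon_notify(rest: str) -> Optional[str]:
    """Flag a Winlogon Notify package whose DLL HijackThis could not find."""
    if "(file missing)" in rest:
        return "Winlogon Notify entry whose DLL is gone; orphaned registration left behind"
    return None


Finding = Tuple[int, str, str]  # (line number, log line, reason)


def triage(log_text: str) -> List[Finding]:
    """Run both checks over every line of a HijackThis log."""
    findings: List[Finding] = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = O4_RUN.match(line)
        if m:
            reason = check_run_entry(m.group(3))
            if reason:
                findings.append((no, line, reason))
            continue
        m = O20_NOTIFY.match(line)
        if m:
            reason = check_winlogon_notify(m.group(2))
            if reason:
                findings.append((no, line, reason))
    return findings


if __name__ == "__main__":
    for no, line, reason in triage(SAMPLE_LOG):
        print(f"line {no}: {reason}\n    {line}")
```

Run against the constructed sample, `triage` reports only the two lines the helper asked to have fixed: the HKCU Run value named "System" pointing at `C:\WINDOWS\svchost.exe` (the real one lives in System32), and the `drct16` Winlogon Notify entry whose DLL is missing. Legitimate entries such as the McAfee updater, `NWTRAY.EXE` and the Global Startup shortcuts pass, because the check keys on a system-binary name in the wrong place rather than on unfamiliar names in general.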



