Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

It's the bman!


  • This topic is locked This topic is locked
8 replies to this topic

#1 golfer_2_aces

golfer_2_aces

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 12 September 2005 - 10:28 PM

I know I have bman and bman1. I've run spybot, adaware and housecleaner, but its still there. Any help you could provide would be appreciated. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 5:02:21 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\sys0309586542-16.exe
C:\Program Files\Belrpin\Eojaag.exe
C:\WINDOWS\system32\kgd4sd.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\system32\bas_fmt.exe
C:\WINDOWS\etb\pokapoka66.exe
C:\windows\rlvknlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\attktz.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\EXPLOREr.EXE
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tannernet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll
O4 - HKLM\..\Run: [l41hdor6] C:\Program Files\l41hdor6\l41hdor6.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [sys0309586542-16] C:\WINDOWS\sys0309586542-16.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteptb32.exe
O4 - HKLM\..\Run: [Jbvxdc] C:\Program Files\Belrpin\Eojaag.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgd4sd.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [jnh1an4i] C:\WINDOWS\system32\jnh1an4i.exe
O4 - HKLM\..\Run: [lsass] C:\windows\system32\eliteohv32.exe
O4 - HKLM\..\Run: [076f3qO] bas_fmt.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [HwppRkiEU] attktz.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {63831824-226E-11D3-A6B0-0000861F42FA} (dbbR2WPrinting.pageMartPrinter) - https://reports.ilcusys.com/SZ/download/pageMartPrinter.CAB

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 AM

Posted 13 September 2005 - 08:12 AM

Hello,

There is a lot more going on on your system though... so we need to perform this step by step.

I see you don't have an antivirus installed, so I strongly suggest you install one now!!

AVG, Bitdefender OR Avast are good FREE antivirus.
Never install more than one antivirusscanner on your system! Several together can give problems and decreases the reliability of it seriously!

Update your antivirus and let it perform a full scan and delete everything it is finding!!

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll
O4 - HKLM\..\Run: [l41hdor6] C:\Program Files\l41hdor6\l41hdor6.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [sys0309586542-16] C:\WINDOWS\sys0309586542-16.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteptb32.exe
O4 - HKLM\..\Run: [Jbvxdc] C:\Program Files\Belrpin\Eojaag.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgd4sd.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [jnh1an4i] C:\WINDOWS\system32\jnh1an4i.exe
O4 - HKLM\..\Run: [lsass] C:\windows\system32\eliteohv32.exe
O4 - HKLM\..\Run: [076f3qO] bas_fmt.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKCU\..\Run: [HwppRkiEU] attktz.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\sys0309586542-16.exe
C:\Program Files\Belrpin <== folder
C:\WINDOWS\system32\kgd4sd.exe
C:\WINDOWS\system32\bas_fmt.exe
C:\windows\rlvknlg.exe
C:\WINDOWS\system32\attktz.exe
C:\WINDOWS\Mykipgpq.dll
C:\Program Files\l41hdor6 <== folder
C:\WINDOWS\SysCheckBop32
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\dinst.exe
C:\WINDOWS\system32\jnh1an4i.exe
C:\WINDOWS\system32\wuauclt.dll

* Still in safe mode Start Ccleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

Post back a fresh HijackThis log and the log from ewido so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 golfer_2_aces

golfer_2_aces
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 15 September 2005 - 03:39 PM

Here's my new logs, I sure do appreciate you taking a look at this.

Logfile of HijackThis v1.99.1
Scan saved at 1:48:00 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tannernet/
R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {63831824-226E-11D3-A6B0-0000861F42FA} (dbbR2WPrinting.pageMartPrinter) - https://reports.ilcusys.com/SZ/download/pageMartPrinter.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:22:57 PM, 9/15/2005
+ Report-Checksum: D4CAB467

+ Scan result:

C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OYQHVUG5\pre[1].exe -> TrojanDropper.Small.aeq : Cleaned with backup
C:\WINDOWS\SYSTEM32\v1oa0d5h.dat -> Trojan.Smitfraud : Cleaned with backup


::Report End


---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 2:23:20 PM, 9/15/2005
+ Report-Checksum: E68A65CE

0: System Process
4: System Process
128: C:\Program Files\Grisoft\AVG Free\avgemc.exe
308: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
324: C:\Program Files\Grisoft\AVG Free\avgcc.exe
332: C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
500: C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
544: \SystemRoot\System32\smss.exe
592: \??\C:\WINDOWS\system32\csrss.exe
616: \??\C:\WINDOWS\system32\winlogon.exe
636: C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
660: C:\WINDOWS\system32\services.exe
672: C:\WINDOWS\system32\lsass.exe
748: C:\Program Files\ewido\security suite\securitysuite.exe
832: C:\WINDOWS\system32\svchost.exe
896: C:\WINDOWS\system32\svchost.exe
956: C:\WINDOWS\System32\alg.exe
992: C:\WINDOWS\System32\svchost.exe
1032: C:\WINDOWS\System32\svchost.exe
1080: C:\WINDOWS\System32\svchost.exe
1312: C:\WINDOWS\system32\NOTEPAD.EXE
1400: C:\WINDOWS\system32\spoolsv.exe
1644: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
1732: C:\Program Files\ewido\security suite\ewidoctrl.exe
1740: C:\WINDOWS\Explorer.EXE
1800: C:\Program Files\ewido\security suite\ewidoguard.exe
1864: C:\Program Files\Messenger\msmsgs.exe
1872: C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
1880: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1904: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
1936: C:\Program Files\WinZip\WZQKPICK.EXE

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 AM

Posted 15 September 2005 - 03:47 PM

Hi, I'm afraid you forgot to perform LQfix in safe mode
Anyway, I made a version that can be run in normal mode.

First check and fix next entry in hijackthis:

R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll (file missing)

Please follow the next instructions exactly as I describe:
Next is another version of LQfix..

Please download LQfix.exe and save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active internetconnection, so make sure your you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
Then do a scan with HJT and post a new log by using Add Reply
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 golfer_2_aces

golfer_2_aces
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 15 September 2005 - 03:52 PM

Here's my new logs, I sure do appreciate you taking a look at this.

Logfile of HijackThis v1.99.1
Scan saved at 1:48:00 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tannernet/
R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {63831824-226E-11D3-A6B0-0000861F42FA} (dbbR2WPrinting.pageMartPrinter) - https://reports.ilcusys.com/SZ/download/pageMartPrinter.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:22:57 PM, 9/15/2005
+ Report-Checksum: D4CAB467

+ Scan result:

C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OYQHVUG5\pre[1].exe -> TrojanDropper.Small.aeq : Cleaned with backup
C:\WINDOWS\SYSTEM32\v1oa0d5h.dat -> Trojan.Smitfraud : Cleaned with backup


::Report End


---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 2:23:20 PM, 9/15/2005
+ Report-Checksum: E68A65CE

0: System Process
4: System Process
128: C:\Program Files\Grisoft\AVG Free\avgemc.exe
308: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
324: C:\Program Files\Grisoft\AVG Free\avgcc.exe
332: C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
500: C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
544: \SystemRoot\System32\smss.exe
592: \??\C:\WINDOWS\system32\csrss.exe
616: \??\C:\WINDOWS\system32\winlogon.exe
636: C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
660: C:\WINDOWS\system32\services.exe
672: C:\WINDOWS\system32\lsass.exe
748: C:\Program Files\ewido\security suite\securitysuite.exe
832: C:\WINDOWS\system32\svchost.exe
896: C:\WINDOWS\system32\svchost.exe
956: C:\WINDOWS\System32\alg.exe
992: C:\WINDOWS\System32\svchost.exe
1032: C:\WINDOWS\System32\svchost.exe
1080: C:\WINDOWS\System32\svchost.exe
1312: C:\WINDOWS\system32\NOTEPAD.EXE
1400: C:\WINDOWS\system32\spoolsv.exe
1644: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
1732: C:\Program Files\ewido\security suite\ewidoctrl.exe
1740: C:\WINDOWS\Explorer.EXE
1800: C:\Program Files\ewido\security suite\ewidoguard.exe
1864: C:\Program Files\Messenger\msmsgs.exe
1872: C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
1880: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1904: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
1936: C:\Program Files\WinZip\WZQKPICK.EXE

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 AM

Posted 15 September 2005 - 07:25 PM

Hello, it seems like we fixed it.

Only that one leftover that is still there:

R3 - URLSearchHook: (no name) - {85E547F9-95B0-C491-2D5C-32D0B6E07165} - C:\WINDOWS\Mykipgpq.dll (file missing)

Did you forgot to check and fix it in hijackthis before as I asked you? Also make sure your Internet Explorer is closed when you Click Fix Checked!

Then, Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of the leftovers.
If you don't have those programs yet, you can find the downloadlocations in my sig.

Tell me afterwards how things are running. I suppose popups are gone now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 golfer_2_aces

golfer_2_aces
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 19 September 2005 - 06:24 PM

Hi There! Below is my hjt log. Popups are gone... thanks to you! Anyway please take a look at it... BTW... What is the average contribution to your cause?

Logfile of HijackThis v1.99.1
Scan saved at 5:18:18 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tannernet/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {63831824-226E-11D3-A6B0-0000861F42FA} (dbbR2WPrinting.pageMartPrinter) - https://reports.ilcusys.com/SZ/download/pageMartPrinter.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

#8 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:22 AM

Posted 20 September 2005 - 04:57 AM

Hi golfer_2_aces,

Miekiemoes is on vacation and asked me to take over, so here I am :thumbsup:

This log looks clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....

BTW... What is the average contribution to your cause?

I guess you mean a donation. I have no idea what the average donation is. Just submit what you like to donate.
Posted Image

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:22 AM

Posted 08 October 2005 - 11:27 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users