
Help Trojan.vundo.b


4 replies to this topic

#1 tjcasias

  • Members
  • 2 posts

Posted 21 October 2005 - 11:37 PM

I have read other discussions, but I am not sure how to do a hijack this log. I just really want this virus gone, but can't figure out how to delete it.

okay, here is my log I think
Logfile of HijackThis v1.99.1
Scan saved at 9:32:58 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EBWP6L83\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\98mnv9mi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\iiihh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104538938780
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0663B1-E0CF-49FE-A0C6-F31B998FE6D9}: NameServer = 205.188.146.145
O20 - Winlogon Notify: iiihh - C:\WINDOWS\system32\iiihh.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 02:03 AM

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

#3 tjcasias
  • Topic Starter

  • Members
  • 2 posts

Posted 23 October 2005 - 06:56 PM

Here is the log

********
3:41 PM: | Start of Session, Sunday, October 23, 2005 |
3:41 PM: Spy Sweeper started
3:41 PM: Sweep initiated using definitions version 560
3:41 PM: Starting Memory Sweep
3:41 PM: Warning: Failed to load image: C:\WINDOWS\system32\iiihh.dll
3:43 PM: Found Adware: virtumonde
3:43 PM: Detected running threat: C:\WINDOWS\system32\iiihh.dll (ID = 77)
3:46 PM: Memory Sweep Complete, Elapsed Time: 00:05:29
3:46 PM: Starting Registry Sweep
3:47 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
3:47 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
3:47 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
3:47 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
3:47 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
3:47 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
3:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
3:47 PM: Registry Sweep Complete, Elapsed Time:00:00:54
3:47 PM: Starting Cookie Sweep
3:47 PM: Found Spy Cookie: 2o7.net cookie
3:47 PM: tommy@2o7[2].txt (ID = 1957)
3:47 PM: Found Spy Cookie: yieldmanager cookie
3:47 PM: tommy@ad.yieldmanager[1].txt (ID = 3751)
3:47 PM: Found Spy Cookie: adrevolver cookie
3:47 PM: tommy@adrevolver[2].txt (ID = 2088)
3:47 PM: tommy@adrevolver[3].txt (ID = 2088)
3:47 PM: Found Spy Cookie: pointroll cookie
3:47 PM: tommy@ads.pointroll[1].txt (ID = 3148)
3:47 PM: Found Spy Cookie: advertising cookie
3:47 PM: tommy@advertising[1].txt (ID = 2175)
3:47 PM: Found Spy Cookie: atlas dmt cookie
3:47 PM: tommy@atdmt[2].txt (ID = 2253)
3:47 PM: Found Spy Cookie: atwola cookie
3:47 PM: tommy@atwola[1].txt (ID = 2255)
3:47 PM: Found Spy Cookie: centrport net cookie
3:47 PM: tommy@centrport[1].txt (ID = 2374)
3:47 PM: Found Spy Cookie: fastclick cookie
3:47 PM: tommy@fastclick[2].txt (ID = 2651)
3:47 PM: Found Spy Cookie: gator cookie
3:47 PM: tommy@gator[1].txt (ID = 2722)
3:47 PM: Found Spy Cookie: questionmarket cookie
3:47 PM: tommy@questionmarket[1].txt (ID = 3217)
3:47 PM: Found Spy Cookie: realmedia cookie
3:47 PM: tommy@realmedia[1].txt (ID = 3235)
3:47 PM: Found Spy Cookie: servedby advertising cookie
3:47 PM: tommy@servedby.advertising[1].txt (ID = 3335)
3:47 PM: Found Spy Cookie: trafficmp cookie
3:47 PM: tommy@trafficmp[1].txt (ID = 3581)
3:47 PM: Found Spy Cookie: zedo cookie
3:47 PM: tommy@zedo[2].txt (ID = 3762)
3:47 PM: owner@2o7[1].txt (ID = 1957)
3:47 PM: Found Spy Cookie: websponsors cookie
3:47 PM: owner@a.websponsors[2].txt (ID = 3665)
3:47 PM: Found Spy Cookie: about cookie
3:47 PM: owner@about[1].txt (ID = 2037)
3:47 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
3:47 PM: Found Spy Cookie: adknowledge cookie
3:47 PM: owner@adknowledge[1].txt (ID = 2072)
3:47 PM: Found Spy Cookie: hbmediapro cookie
3:47 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
3:47 PM: Found Spy Cookie: specificclick.com cookie
3:47 PM: owner@adopt.specificclick[1].txt (ID = 3400)
3:47 PM: owner@adrevolver[1].txt (ID = 2088)
3:47 PM: owner@adrevolver[2].txt (ID = 2088)
3:47 PM: Found Spy Cookie: addynamix cookie
3:47 PM: owner@ads.addynamix[1].txt (ID = 2062)
3:47 PM: owner@ads.pointroll[1].txt (ID = 3148)
3:47 PM: owner@ads.pointroll[3].txt (ID = 3148)
3:47 PM: owner@advertising[2].txt (ID = 2175)
3:47 PM: owner@advertising[3].txt (ID = 2175)
3:47 PM: Found Spy Cookie: apmebf cookie
3:47 PM: owner@apmebf[2].txt (ID = 2229)
3:47 PM: Found Spy Cookie: falkag cookie
3:47 PM: owner@as-eu.falkag[2].txt (ID = 2650)
3:47 PM: owner@as-us.falkag[1].txt (ID = 2650)
3:47 PM: owner@as1.falkag[2].txt (ID = 2650)
3:47 PM: Found Spy Cookie: ask cookie
3:47 PM: owner@ask[1].txt (ID = 2245)
3:47 PM: owner@atdmt[2].txt (ID = 2253)
3:47 PM: Found Spy Cookie: belnk cookie
3:47 PM: owner@ath.belnk[1].txt (ID = 2293)
3:47 PM: owner@atwola[1].txt (ID = 2255)
3:47 PM: Found Spy Cookie: bannerspace cookie
3:47 PM: owner@bannerspace[1].txt (ID = 2284)
3:47 PM: Found Spy Cookie: banner cookie
3:47 PM: owner@banner[2].txt (ID = 2276)
3:47 PM: owner@belnk[2].txt (ID = 2292)
3:47 PM: Found Spy Cookie: bluestreak cookie
3:47 PM: owner@bluestreak[2].txt (ID = 2314)
3:47 PM: Found Spy Cookie: casalemedia cookie
3:47 PM: owner@casalemedia[1].txt (ID = 2354)
3:47 PM: owner@centrport[1].txt (ID = 2374)
3:47 PM: Found Spy Cookie: clickbank cookie
3:47 PM: owner@clickbank[2].txt (ID = 2398)
3:47 PM: Found Spy Cookie: coremetrics cookie
3:47 PM: owner@data.coremetrics[1].txt (ID = 2472)
3:47 PM: Found Spy Cookie: go.com cookie
3:47 PM: owner@disneyshopping.go[2].txt (ID = 2729)
3:47 PM: owner@dist.belnk[1].txt (ID = 2293)
3:47 PM: Found Spy Cookie: ru4 cookie
3:47 PM: owner@edge.ru4[1].txt (ID = 3269)
3:47 PM: owner@entrepreneur.122.2o7[1].txt (ID = 1958)
3:47 PM: owner@fastclick[1].txt (ID = 2651)
3:47 PM: owner@fastclick[2].txt (ID = 2651)
3:47 PM: owner@fastclick[3].txt (ID = 2651)
3:47 PM: owner@go[2].txt (ID = 2728)
3:47 PM: Found Spy Cookie: clickandtrack cookie
3:47 PM: owner@hits.clickandtrack[2].txt (ID = 2397)
3:47 PM: Found Spy Cookie: maxserving cookie
3:47 PM: owner@maxserving[1].txt (ID = 2966)
3:47 PM: Found Spy Cookie: nextag cookie
3:47 PM: owner@nextag[2].txt (ID = 5014)
3:47 PM: Found Spy Cookie: paypopup cookie
3:47 PM: owner@paypopup[2].txt (ID = 3119)
3:47 PM: owner@popunder.paypopup[2].txt (ID = 3120)
3:47 PM: Found Spy Cookie: qksrv cookie
3:47 PM: owner@qksrv[2].txt (ID = 3213)
3:47 PM: owner@questionmarket[2].txt (ID = 3217)
3:47 PM: owner@realmedia[2].txt (ID = 3235)
3:47 PM: Found Spy Cookie: revenue.net cookie
3:47 PM: owner@revenue[1].txt (ID = 3257)
3:47 PM: Found Spy Cookie: rn11 cookie
3:47 PM: owner@rn11[2].txt (ID = 3261)
3:47 PM: Found Spy Cookie: adjuggler cookie
3:47 PM: owner@rotator.dex.adjuggler[1].txt (ID = 2070)
3:47 PM: owner@sel.as-us.falkag[2].txt (ID = 2650)
3:47 PM: owner@servedby.advertising[1].txt (ID = 3335)
3:47 PM: Found Spy Cookie: targetnet cookie
3:47 PM: owner@targetnet[2].txt (ID = 3489)
3:47 PM: owner@thunderbolt.adjuggler[1].txt (ID = 2070)
3:47 PM: Found Spy Cookie: tradedoubler cookie
3:47 PM: owner@tradedoubler[2].txt (ID = 3575)
3:47 PM: owner@trafficmp[1].txt (ID = 3581)
3:47 PM: Found Spy Cookie: tribalfusion cookie
3:47 PM: owner@tribalfusion[1].txt (ID = 3589)
3:47 PM: Found Spy Cookie: affiliatefuel.com cookie
3:47 PM: owner@www.affiliatefuel[1].txt (ID = 2202)
3:47 PM: owner@yieldmanager[2].txt (ID = 3749)
3:47 PM: Found Spy Cookie: adserver cookie
3:47 PM: owner@z1.adserver[1].txt (ID = 2142)
3:47 PM: owner@zedo[2].txt (ID = 3762)
3:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:11
3:47 PM: Starting File Sweep
4:17 PM: Found Trojan Horse: trojan-downloader-conhook
4:17 PM: yayay.dll (ID = 164156)
4:18 PM: Found Adware: 180search assistant/zango
4:18 PM: res4ce.tmp (ID = 115248)
4:23 PM: File Sweep Complete, Elapsed Time: 00:35:37
4:23 PM: Full Sweep has completed. Elapsed time 00:42:27
4:23 PM: Traces Found: 126
4:24 PM: Removal process initiated
4:28 PM: Quarantining All Traces: trojan-downloader-conhook
4:28 PM: Quarantining All Traces: 180search assistant/zango
4:28 PM: Quarantining All Traces: virtumonde
4:28 PM: virtumonde is in use. It will be removed on reboot.
4:28 PM: C:\WINDOWS\system32\iiihh.dll is in use. It will be removed on reboot.
4:28 PM: Quarantining All Traces: 2o7.net cookie
4:28 PM: Quarantining All Traces: about cookie
4:28 PM: Quarantining All Traces: addynamix cookie
4:28 PM: Quarantining All Traces: adjuggler cookie
4:28 PM: Quarantining All Traces: adknowledge cookie
4:28 PM: Quarantining All Traces: adrevolver cookie
4:28 PM: Quarantining All Traces: adserver cookie
4:28 PM: Quarantining All Traces: advertising cookie
4:28 PM: Quarantining All Traces: affiliatefuel.com cookie
4:28 PM: Quarantining All Traces: apmebf cookie
4:28 PM: Quarantining All Traces: ask cookie
4:28 PM: Quarantining All Traces: atlas dmt cookie
4:28 PM: Quarantining All Traces: atwola cookie
4:28 PM: Quarantining All Traces: banner cookie
4:28 PM: Quarantining All Traces: bannerspace cookie
4:28 PM: Quarantining All Traces: belnk cookie
4:28 PM: Quarantining All Traces: bluestreak cookie
4:28 PM: Quarantining All Traces: casalemedia cookie
4:28 PM: Quarantining All Traces: centrport net cookie
4:28 PM: Quarantining All Traces: clickandtrack cookie
4:28 PM: Quarantining All Traces: clickbank cookie
4:28 PM: Quarantining All Traces: coremetrics cookie
4:28 PM: Quarantining All Traces: falkag cookie
4:28 PM: Quarantining All Traces: fastclick cookie
4:28 PM: Quarantining All Traces: gator cookie
4:28 PM: Quarantining All Traces: go.com cookie
4:28 PM: Quarantining All Traces: hbmediapro cookie
4:28 PM: Quarantining All Traces: maxserving cookie
4:28 PM: Quarantining All Traces: nextag cookie
4:28 PM: Quarantining All Traces: paypopup cookie
4:28 PM: Quarantining All Traces: pointroll cookie
4:28 PM: Quarantining All Traces: qksrv cookie
4:28 PM: Quarantining All Traces: questionmarket cookie
4:28 PM: Quarantining All Traces: realmedia cookie
4:28 PM: Quarantining All Traces: revenue.net cookie
4:28 PM: Quarantining All Traces: rn11 cookie
4:28 PM: Quarantining All Traces: ru4 cookie
4:28 PM: Quarantining All Traces: servedby advertising cookie
4:28 PM: Quarantining All Traces: specificclick.com cookie
4:28 PM: Quarantining All Traces: targetnet cookie
4:28 PM: Quarantining All Traces: tradedoubler cookie
4:28 PM: Quarantining All Traces: trafficmp cookie
4:28 PM: Quarantining All Traces: tribalfusion cookie
4:29 PM: Quarantining All Traces: websponsors cookie
4:29 PM: Quarantining All Traces: yieldmanager cookie
4:29 PM: Quarantining All Traces: zedo cookie
4:29 PM: Preparing to restart your computer. Please wait...
4:29 PM: Removal process completed. Elapsed time 00:04:50
********
3:37 PM: | Start of Session, Sunday, October 23, 2005 |
3:37 PM: Spy Sweeper started
3:39 PM: Your spyware definitions have been updated.
3:41 PM: | End of Session, Sunday, October 23, 2005 |


and here is the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:26 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EBWP6L83\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\98mnv9mi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104538938780
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0663B1-E0CF-49FE-A0C6-F31B998FE6D9}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

Does everything look good now? I can definitely tell a difference on my computer!!
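As an added example that is not part of this thread (the function names and the two constructed log subsets are my own, built from the HijackThis entries quoted above), this Python snippet parses HJT-format lines and flags the pattern Spy Sweeper cleaned up: a DLL in system32 registered both as an O2 BHO and as an O20 Winlogon Notify handler, then diffs the before and after logs to confirm the entries are gone.

```python
import re
from collections import defaultdict

# Constructed subset of the HijackThis 1.99.1 entries quoted in this thread,
# taken from the log posted before the Spy Sweeper run.
HJT_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\iiihh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: iiihh - C:\WINDOWS\system32\iiihh.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Same subset from the log posted after the run: the iiihh entries are gone and
# Spy Sweeper's own Winlogon Notify handler and Run entry have appeared.
HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O2 - BHO: ..." -> kind "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A Windows path ending in a loadable module; non-greedy so the first
# extension wins even when the line carries trailing arguments.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe|ocx)", re.IGNORECASE)
SYSTEM32 = "\\windows\\system32\\"


def parse_hjt(text):
    """Return (kind, body, [lower-cased paths]) for every HJT entry in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            paths = [p.lower() for p in PATH_RE.findall(m.group("body"))]
            entries.append((m.group("kind"), m.group("body"), paths))
    return entries


def bho_winlogon_overlap(entries):
    """Paths registered both as an O2 BHO and as an O20 Winlogon Notify DLL.

    A Winlogon Notify package is loaded by winlogon.exe before any user shell
    runs, so a BHO that also hooks there comes back after an ordinary removal;
    this pairing is what Spy Sweeper reported as virtumonde in the log above.
    """
    by_kind = defaultdict(set)
    for kind, _body, paths in entries:
        by_kind[kind].update(paths)
    return sorted(by_kind["O2"] & by_kind["O20"])


def system32_bhos(entries):
    """BHO DLLs dropped straight into system32 instead of a product directory."""
    return sorted(p for kind, _body, paths in entries
                  if kind == "O2" for p in paths if SYSTEM32 in p)


def entries_removed(before_text, after_text):
    """(kind, body) pairs present in the first log but absent from the second."""
    before = {(k, b) for k, b, _ in parse_hjt(before_text)}
    after = {(k, b) for k, b, _ in parse_hjt(after_text)}
    return sorted(before - after)


if __name__ == "__main__":
    before = parse_hjt(HJT_BEFORE)
    print("BHO + Winlogon Notify overlap:", bho_winlogon_overlap(before))
    print("BHOs in system32:", system32_bhos(before))
    for kind, body in entries_removed(HJT_BEFORE, HJT_AFTER):
        print("removed:", kind, "-", body)
```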

#4 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 24 October 2005 - 02:28 AM

Please locate & delete these files, if present:

C:\WINDOWS\system32\hhii.ini
C:\WINDOWS\system32\hhii.ini1
C:\WINDOWS\system32\hhii.bak
C:\WINDOWS\system32\hhii.bak1



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then, perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ... it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Please post Panda's report & a fresh HJT log in your next reply

#5 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 10 November 2005 - 06:42 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



