Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo


  • This topic is locked This topic is locked
9 replies to this topic

#1 jgilberAZ

jgilberAZ

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 12 November 2005 - 01:25 AM

I have followed the steps in: " How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b " on this site to no avail. I am on a laptop if that makes any difference (ie, I cannot simply "unplug" it.

Here's my HJT Log (xxwts.dll is the problem).
----------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:11:47 PM, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TM\Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.insight.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} (NeRemoteDoc Class) - https://vault.netvoyage.com/neweb2/neWebCl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\Software\..\Telephony: DomainName = hq.insight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hq.insight.com
O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TM\Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TM\Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TM\Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-----------
Here's the FixVundo log:

Symantec Trojan.Vundo Removal Tool 1.4.0
The process "IEXPLORE.EXE" might be affected by the threat. It has been suspended.
The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

C:\System Volume Information: (not scanned)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents (key deleted)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 (key deleted)


Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 48082
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 2

------------------------
Here's the VGB.txt file:


[11/11/2005, 22:55:22] - Starting Process...
[11/11/2005, 22:55:22] - Looking for Browser Helper Object [MSEvents Object]
[11/11/2005, 22:55:22] - 1: {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - MSEvents Object
[11/11/2005, 22:55:22] - Found MSEvents Object!
[11/11/2005, 22:55:22] - File location: C:\WINDOWS\System32\xxwts.dll
[11/11/2005, 22:55:22] - Attempting to kill C:\WINDOWS\System32\xxwts.dll
[11/11/2005, 22:55:22] - Terminating Process: RUNDLL32.EXE
[11/11/2005, 22:55:22] - Terminating Process: IEXPLORE.EXE
[11/11/2005, 22:55:22] - Disabling Automatic Shell Restart
[11/11/2005, 22:55:22] - Terminating Process: EXPLORER.EXE
[11/11/2005, 22:55:22] - Suspending the NT Session Manager System Service
[11/11/2005, 22:55:22] - Terminating Windows NT Logon/Logoff Manager
[11/11/2005, 22:55:22] - Re-enabling Automatic Shell Restart
[11/11/2005, 22:55:23] - Renaming C:\WINDOWS\System32\xxwts.dll -> C:\WINDOWS\System32\xxwts.dll.vir
[11/11/2005, 22:55:23] - File rename was unsucessful. Rename operation sent to SMSS for next reboot.
[11/11/2005, 22:55:23] - Removing Registry references to {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
[11/11/2005, 22:55:23] - Adding Internet Explorer Protection (Kill ActiveX) for {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
[11/11/2005, 22:55:23] - Removing Winlogon Notify Entry: xxwts
[11/11/2005, 22:55:23] - BHO list has been changed! Starting over...
[11/11/2005, 22:55:23] - 1: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/11/2005, 22:55:23] - Finished searching for [MSEvents Object]
[11/11/2005, 22:55:23] - Finishing up...
[11/11/2005, 22:55:23] - Enabling Automatic Reboot on STOP Error.
[11/11/2005, 22:55:23] - Attempting to Restart via STOP error (Blue Screen!)

----------

Please help. I am fairly computer literate (unix system administrator), and can usually fix these things following directions I find online. This one, though, is stubborn.

Thanks in advance,
Jeff

BC AdBot (Login to Remove)

 


#2 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 12 November 2005 - 02:00 PM

Hi & Welcome to Bleeping Computer

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\xxwts.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\stwxx.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
    O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Mat2



Posted Image

#3 jgilberAZ

jgilberAZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 12 November 2005 - 08:43 PM

Here are the results of the steps:

ActiveScan Log
-----------------

Incident Status Location

Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
Adware:Adware/Exact.SearchBar No disinfected C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\v3.dll
Adware:adware/savenow No disinfected C:\WINDOWS\system32\baur5s9q.dat
---------------
HJT Log
---------------
Logfile of HijackThis v1.99.1
Scan saved at 6:32:16 PM, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TM\Client\ntrtscan.exe
C:\Program Files\TM\Client\OfcPfwSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TM\Client\tmlisten.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TEMP\NK4EB7.EXE
C:\WINDOWS\Explorer.EXE
c:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\TM\Client\pccntmon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TM\Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TM\Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.insight.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} (NeRemoteDoc Class) - https://vault.netvoyage.com/neweb2/neWebCl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\Software\..\Telephony: DomainName = hq.insight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hq.insight.com
O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TM\Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TM\Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TM\Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

----------------
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\xxwts.dll

The second filepath entered was C:\WINDOWS\System32\stwxx.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 628 'explorer.exe'
Killing PID 628 'explorer.exe'


Killing PID 224 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\System32\xxwts.dll.
C:\WINDOWS\System32\stwxx.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



THANKS!

- Jeff

#4 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 13 November 2005 - 04:29 AM

Hi & thanks for the logs.

It appears that the Vundo.b trogan did not go on the first round of the fixing, so we need to run it again. So here is the the instructions below:

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\xxwts.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\stwxx.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
    O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Mat2



Posted Image

#5 jgilberAZ

jgilberAZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 13 November 2005 - 09:50 PM

Here's the logs.

------------
vundofix
------------
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\xxwts.dll

The second filepath entered was C:\WINDOWS\System32\stwxx.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 148 'smss.exe'
Error 0x6 : The handle is invalid.


Error, Cannot find a process with an image name of explorer.exe


Killing PID 224 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\System32\xxwts.dll.
C:\WINDOWS\System32\stwxx.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


-------
HJT
-------
Logfile of HijackThis v1.99.1
Scan saved at 5:27:24 PM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TM\Client\ntrtscan.exe
C:\Program Files\TM\Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TM\Client\tmlisten.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TEMP\KR11E9.EXE
c:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\TM\Client\pccntmon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TM\Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TM\Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.insight.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} (NeRemoteDoc Class) - https://vault.netvoyage.com/neweb2/neWebCl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\Software\..\Telephony: DomainName = hq.insight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hq.insight.com
O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TM\Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TM\Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TM\Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--------------
ActiveScan
--------------

Incident Status Location

Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
Adware:Adware/Exact.SearchBar No disinfected C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\v3.dll
Adware:adware/savenow No disinfected C:\WINDOWS\system32\baur5s9q.dat
---------------------


It's still there. In fact, I got another popup when I was composing my response.

Am I doomed?

- Jeff

#6 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 14 November 2005 - 05:17 AM

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

===============

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.


===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u xxwts.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll

O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINDOWS\System32\xxwts.dll

-

Note that some of these file(s) may or may not be present.

===============

Restart windows back into normal mode and continue with the following:


Please download Ewido Security Suite, it is a free version of the program.
  • Install ewido security suite
  • When installing the program, under "Additonal Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
          (the status bar at the bottom will display "Update successful")
  • Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates
 
Once the updates are installed, do the following:
  • Reboot computer into "Safe Mode" using the "F8" method...
    • As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
    • Use the arrow keys to select the Safe Mode menu item
  • Once in Safe Mode start Ewido Security Suite
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be promted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite
==============

Post back a new log along with the ewido log as well, and let me know how everything goes.
Mat2



Posted Image

#7 jgilberAZ

jgilberAZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 14 November 2005 - 10:01 PM

I followed the steps as suggested.

After the regsvr32 command, I got the popup saying it was successful. But, when I went to remove the file, it failed with "file is opened by another program" or something very similar to that.

I went ahead and ran the rest of the steps.

The ewido log said it removed xxwts.dll, but it was still there afterwards.

That's what everything I've done does . . . it says it removes the file, but it always re-appears.

Also, I get no desktop in safe mode. I have to start all apps using task manager.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:02:58 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TM\Client\ntrtscan.exe
C:\Program Files\TM\Client\OfcPfwSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TM\Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TEMP\XCF050.EXE
c:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\TM\Client\pccntmon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\TM\Client\pccntupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TM\Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.insight.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} (NeRemoteDoc Class) - https://vault.netvoyage.com/neweb2/neWebCl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\Software\..\Telephony: DomainName = hq.insight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.insight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hq.insight.com
O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TM\Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TM\Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TM\Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here's the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:45:31 PM, 11/14/2005
+ Report-Checksum: 60ABED53

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}\TypeLib\\ -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{52CACFDF-9170-46A9-AE2E-E594D324C72A} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CLSID -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CLSID\\ -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CurVer -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1 -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1\CLSID\\ -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkycjdzcbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@linkbuddies[2].txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@premiumnetworkrocks.valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051113-171843-130.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051114-183228-387.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051114-183532-121.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0TMNSL2R\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DQHWN8T\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MXWXODIH\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\jgilbert\Cookies\jgilbert@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsa_1413.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsa_1416.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsa_1435.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaPassX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\v3.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\system32\urspq.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\xxwts.dll -> Spyware.Virtumonde : Cleaned with backup


::Report End


-- Awaiting further instructions --

Thanks for your help,
Jeff

#8 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 15 November 2005 - 04:37 AM

Hi

Copy this advise to a Notepad file. Save it to your desktop.

Disable Ewido:

Please disable Ewido, as it may interfere with the fix.

To disable Ewido:

From the system tray:
  • Right-click the system tray icon and uncheck real time protection.

    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

Once your log is clean you can re-enable Ewido.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up.  Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\xxwts.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Next

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted.  (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
Next

- Please download Ad-Aware SE Personal from here
- Install it and check for updates
- Close Ad-Aware

- Download Ad-Aware's VX2 Cleaner plugin from here
- Make sure Ad-Aware SE Personal is closed then install the VX2 Cleaner
- Start Ad-Aware SE Personal
- Click Add-Ons
- Double-click VX2 Cleaner
- Click OK to start the cleaner tool
- If nothing is found click OK and exit the program.

Next Run HJT. Do a scan then place a check mark against the following:

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\xxwts.dll
O20 - Winlogon Notify: xxwts - C:\WINDOWS\System32\xxwts.dll


Press 'Fix Check'. then Press 'Yes'
Mat2



Posted Image

#9 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 30 November 2005 - 02:58 PM

Hi

I am contacting you to see if you still require the help, as i have not heard anything from you.

If you do still need help, please can you Copy/Paste a new HJT Log, back here in this thread.


Do Not Start a New Topic


Regards
Mat2



Posted Image

#10 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:02:52 AM

Posted 12 December 2005 - 04:19 PM

Due to lack of response from the poster, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mat2



Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users