
Need Help With About:blank Trojan And Other Fun Stuff...


This topic is locked
7 replies to this topic

#1 KevinRapp


Posted 30 November 2005 - 12:17 AM

Hi, guys. My computer got infected with the about:blank trojan and some other viruses, I think. Hopefully someone can give me some help with this. Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 12:10:04 AM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C8D1A46C-E60D-2C7C-7E2D-84A7A266EF23} - C:\WINDOWS\system32\ipzp.dll
O2 - BHO: Class - {DFE25EAE-2CAC-3874-88A1-DF482EFF758C} - C:\WINDOWS\system32\msnl.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [E8.tmp] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E8.tmp.exe
O4 - HKLM\..\Run: [E8.tmp.exe] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E8.tmp.exe
O4 - HKLM\..\Run: [E7.tmp.exe] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [sysuj.exe] C:\WINDOWS\system32\sysuj.exe
O4 - HKLM\..\Run: [apihw.exe] C:\WINDOWS\apihw.exe
O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\javawy.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 P i p e r


Posted 30 November 2005 - 02:08 AM

Hi KevinRapp and welcome to Bleeping Computer.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Options > track this topic) so that you are notified when you receive a reply.

Please be patient with me during this time.

#3 P i p e r


Posted 30 November 2005 - 03:14 AM

Thanks for waiting patiently.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Download HSfix. Do not run it yet.

Download CWShredder and run it. Click Check for Update. Then exit.

Download About Buster and unzip it to a folder on your Desktop. Run the program and click OK. Click Update > Check For Update then exit About Buster once the update is complete.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.


If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet.


Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido


Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Open Cleanup!. Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following:
  • Scan local drives for temporary files


Click OK, Press the CleanUp! button to start the program. When prompted to reboot, click Yes.


Reboot into Safe Mode. (As soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.)


Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.



Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Network Security Service (NSS) ( 11F#`I)
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config > Misc.Tools > Delete an NT service...
  • In the popup box that appears, type in NSS and click on the OK button
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Viewpoint



Open Hijack This and click on Scan. Check the following entries. (Make sure you do not miss any.)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C8D1A46C-E60D-2C7C-7E2D-84A7A266EF23} - C:\WINDOWS\system32\ipzp.dll
O2 - BHO: Class - {DFE25EAE-2CAC-3874-88A1-DF482EFF758C} - C:\WINDOWS\system32\msnl.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [E8.tmp] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E8.tmp.exe
O4 - HKLM\..\Run: [E8.tmp.exe] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E8.tmp.exe
O4 - HKLM\..\Run: [E7.tmp.exe] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [sysuj.exe] C:\WINDOWS\system32\sysuj.exe
O4 - HKLM\..\Run: [apihw.exe] C:\WINDOWS\apihw.exe
O4 - HKLM\..\RunOnce: [msbi.exe] C:\WINDOWS\system32\msbi.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\javawy.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist:

C:\WINDOWS\drwyv.dll
C:\WINDOWS\apihw.exe
C:\WINDOWS\system32\ipzp.dll
C:\WINDOWS\system32\msnl.dll
C:\Program Files\Viewpoint\
C:\WINDOWS\system32\sysuj.exe
C:\WINDOWS\system32\msbi.exe
C:\WINDOWS\system32\javawy.exe




Run CWShredder. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Run About Buster and click OK. Click Start > OK and then follow the prompts to scan (Choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. ONLY save the log file and post it here if About Buster does not fix all the problems.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido


Reboot your system in Normal Mode.



Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Please post the following logs:
About Buster log
smitfiles.txt
Ewido's log
Panda's report
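
The entries selected for Fix checked above follow a recognisable pattern. As an added example (not part of the thread or of any tool it names), this Python script applies those heuristics to a constructed excerpt of the log: res:// search-page redirects, a missing URLSearchHook, unnamed BHOs loading DLLs from the Windows directory, Run entries launched from Temp or the drive root or named after their own binary, and services whose binary is missing. The small allowlist of bare-named Run entries (ctfmon.exe) is an assumption.

```python
import re

# Constructed excerpt in HijackThis v1.99 log format; the entries mirror the
# thread's log and include both hijacked and legitimate items for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {C8D1A46C-E60D-2C7C-7E2D-84A7A266EF23} - C:\WINDOWS\system32\ipzp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\KEvin\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [sysuj.exe] C:\WINDOWS\system32\sysuj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\javawy.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
WINDIR_DLL_RE = re.compile(r"\\windows\\(system32\\)?[^\\]+\.dll$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\.exe"?', re.IGNORECASE)
FIRST_BINARY_RE = re.compile(r'^"?(?P<path>.*?\.(exe|dll|ocx))"?', re.IGNORECASE)

# Assumption: a tiny allowlist of Windows items whose Run name is just the
# binary name; extend it for your environment.
BARE_NAME_ALLOWLIST = {"ctfmon.exe"}


def binary_of(cmd):
    """Return the executable path from an O4 command line, dropping arguments."""
    m = FIRST_BINARY_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().strip('"')


def triage(log_text):
    """Return (kind, reason, line) for every entry matching a hijack heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reason = None
        if kind in ("R0", "R1") and "res://" in body:
            reason = "IE start/search page points at a res:// page inside a local DLL"
        elif kind == "R3" and "is missing" in body:
            reason = "default URLSearchHook removed"
        elif kind == "O2":
            b = O2_RE.match(body)
            if b and b.group("name") in ("Class", "(no name)") and WINDIR_DLL_RE.search(b.group("path")):
                reason = "BHO with no real name loading a DLL from the Windows directory"
        elif kind == "O4":
            b = O4_RE.match(body)
            if b:
                exe = binary_of(b.group("cmd"))
                base = exe.rsplit("\\", 1)[-1].lower()
                if TEMP_DIR_RE.search(exe):
                    reason = "autorun executable lives in a Temp directory"
                elif ROOT_EXE_RE.match(exe):
                    reason = "autorun executable sits in the drive root"
                elif b.group("name").lower() == base and base not in BARE_NAME_ALLOWLIST:
                    reason = "autorun entry named after its own binary, no product name"
        elif kind == "O23":
            b = O23_RE.match(body)
            if b and "(file missing)" in b.group("path"):
                reason = "service registered for a binary that no longer exists"
            elif b and re.search(r"[^\w\s().&-]", b.group("name")):
                reason = "service display name contains garbage characters"
        if reason:
            findings.append((kind, reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

The legitimate Norton, Spybot and ctfmon.exe lines in the sample produce no finding; the seven flagged lines are exactly the ones the fix list above singles out.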


#4 KevinRapp


Posted 30 November 2005 - 04:05 PM

Here are the three logs. I didn't have anything to report from AboutBuster.

Thanks so much for your help!

smitRem log file
version 2.7
by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 11/30/2005
The current time is: 12:06:15.56

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:12:21 PM, 11/30/2005
+ Report-Checksum: 13321C63

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\.Owner -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2607563192-2191215538-910116058-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-2607563192-2191215538-910116058-1007\Software\XBTB00429\Toolbar -> Adware.CramToolbar : Cleaned with backup
[2128] C:\WINDOWS\apixt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050603-160218-297.dll -> Spyware.Winsta : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs -> Trojan.Qhost.ew : Cleaned with backup
C:\WINDOWS\addwb32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\apiwy.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\apixt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:qdkrp -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\cdPlayer.ini:dqaqgc -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\crbi.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\crjo.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\crwd32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3ge32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> TrojanDropper.Agent.or : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:cmsevw -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\ieiq.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\ienn32.dll -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\ienn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipsz.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\javanv.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\javaor.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB825119.LOG:jfstw -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB825119.LOG:ndbkv -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\KB889293-IE6SP1-20041111.235619.log:yfmvr -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\MSMQINST.LOG:ksixza -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\nsw.log:csbduk -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntlu.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\oatou.dll -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\ORUN32.INI:fivxdv -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\Q327979.LOG:xjndff -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q811789.LOG:tpznhg -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\sdkyd.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SETUPACT.LOG:bkhilb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:wxpzsv -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apidl.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlby.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ov.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\epx30104.exe -> TrojanDownloader.Lastad.h : Cleaned with backup
C:\WINDOWS\SYSTEM32\ielx.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\javazs32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcmt32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\msbi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntjd.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysxu32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\T30DebugLogFile.txt:mryril -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\VBADDIN.INI:fsrwkn -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\waotz.dll -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\winka.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:sznkbj -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ajvnsa -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:askqgs -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:eejbsg -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:fbzht -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ggrcrb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:hiliqy -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:hrslmh -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:jzbll -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:kpildz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:kzfpvt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ldrwy -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:nfywpq -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:twpnxf -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:wfuouq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:yxytp -> TrojanDownloader.WinShow.bg : Cleaned with backup


::Report End





Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\KEvin\Application Data\Sskcwrd.dll
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/searchaid Not disinfected Windows Registry
Virus:Trj/Downloader.AEE Not disinfected C:\Program Files\HijackThis\backups\backup-20050602-005316-314.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\banner.inf
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\SYSTEM32\nthc32.exe

#5 P i p e r


Posted 30 November 2005 - 11:31 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


Reboot into Safe Mode.


Double click on HijackThis.exe to run it.
  • Go to Config > Misc Tools
  • click the button labelled "Open ADSSpy"
  • Checkmark/tick - "Ignore Safe System Info Streams"
  • Click the "Scan" button
  • When it has finished scanning, checkmark/tick all that it found
  • Click the "Save Log" button
  • Click the "remove selected" button
Delete the following Files indicated in RED:

C:\Documents and Settings\KEvin\Application Data\Sskcwrd.dll
C:\WINDOWS\INF\banner.inf
C:\WINDOWS\SYSTEM32\nthc32.exe



Reboot your system in Normal Mode.



Please download Trend Micro Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer.

Repeat the same procedure above using the TrendMicro tool. In place of the TrendMicro icon will be a text file called "Antispyware.log." Please double-click that log and copy the entire contents and paste them here. Post the log from the second scan/clean, NOT the first, as this will contain what’s left in the system.


Perform an online scan with Internet Explorer with Kaspersky WebScanner

Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post TrendMicro's log, Kaspersky's log, and a new HijackThis log so we can check if your system is clean.

Edited by P i p e r, 30 November 2005 - 11:34 PM.
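
The ewido report posted earlier lists many detections of the form host:stream, i.e. payloads hidden in NTFS alternate data streams attached to legitimate Windows files (.bmp, .log, .ini, _DEFAULT.PIF), which is what the ADSSpy step in the post above addresses. As an added example, not part of the thread or of ewido itself, this Python parser reads that report format on a constructed excerpt, separates file, registry, process and ADS detections, and maps each carrier file to its streams, so a responder knows which host files must be kept intact while only the streams are removed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed excerpt in the ewido "Scan result" line format used in the thread.
SAMPLE_REPORT = r"""
+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[2128] C:\WINDOWS\apixt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apixt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:qdkrp -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB825119.LOG:jfstw -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB825119.LOG:ndbkv -> TrojanDownloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:ajvnsa -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:twpnxf -> Adware.SearchPage : Cleaned with backup
C:\WINDOWS\SYSTEM32\msbi.exe -> Trojan.Agent.bi : Cleaned with backup

::Report End
"""

LINE_RE = re.compile(r"^(?P<location>.+?) -> (?P<family>\S+) : (?P<action>.+)$")
PROCESS_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<path>.+)$")
# Host path, then a colon and a stream name with no further backslash or colon.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]+):(?P<stream>[^\\:]+)$")
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


@dataclass
class Detection:
    location: str
    kind: str          # "registry", "process", "ads" or "file"
    family: str
    action: str
    host: str = ""     # for "ads": the legitimate file carrying the stream
    stream: str = ""   # for "ads": the stream name holding the payload


def classify(location):
    """Return (kind, host, stream) for one detection location string."""
    if location.startswith(REGISTRY_PREFIXES):
        return "registry", "", ""
    if PROCESS_RE.match(location):
        return "process", "", ""
    m = ADS_RE.match(location)
    if m:
        return "ads", m.group("host"), m.group("stream")
    return "file", "", ""


def parse_report(text):
    """Parse every 'location -> family : action' line into a Detection."""
    detections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, host, stream = classify(m.group("location"))
        detections.append(Detection(m.group("location"), kind, m.group("family"),
                                    m.group("action"), host, stream))
    return detections


def summarize(detections):
    """Count detections per location kind."""
    return dict(Counter(d.kind for d in detections))


def ads_hosts(detections):
    """Map each carrier file to the stream names attached to it."""
    hosts = defaultdict(list)
    for d in detections:
        if d.kind == "ads":
            hosts[d.host].append(d.stream)
    return dict(hosts)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for host, streams in ads_hosts(found).items():
        print(f"{host}: {len(streams)} stream(s) {streams}")
```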


#6 KevinRapp


Posted 01 December 2005 - 05:33 AM

Thank you, thank you, thank you! The computer's already running faster and smoother!

Here are my logs...

Started Scanning
Internet Cookies
Found 'questionmarket.com' in 'Internet Explorer Cache'
Found 'ads.pointroll.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'valueclick.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'as-us.falkag.net' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'centrport.net' in 'Internet Explorer Cache'
Found 'bravenet.com' in 'Internet Explorer Cache'
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found 'citi.bridgetrack.com' in 'Internet Explorer Cache'
Found 'advertising.com' in 'Internet Explorer Cache'
Found 'casalemedia.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found 'fastclick.net' in 'Internet Explorer Cache'
Found 'adopt.specificclick.net' in 'Internet Explorer Cache'
Found 'tradedoubler.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{BA2462E1-33A1-481F-B8F6-2F0E2680B01A}\1.0'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface\CurVer'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface\CLSID'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface.1\CLSID'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface.1'
Found '' in 'SOFTWARE\Classes\FlashTalk.ClientInterface'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{12F443D3-FE69-41D0-B383-BACB9F824E9F}'
Found '' in 'SOFTWARE\Classes\EPXACTIVEX.EPXActiveXCtrl.1'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 05:28:28
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 152765
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 106404
Number of viruses found: 14
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 3345 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\05F6471B Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\13AE410E/installer_VENDARE4.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\13AE410E Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\1B2711D6.exe Infected: Trojan-Downloader.Win32.Agent.am
C:\Program Files\Norton AntiVirus\Quarantine\1B2A3BD2.exe Infected: Trojan-Downloader.Win32.Agent.am
C:\Program Files\Norton AntiVirus\Quarantine\1C1826FD Infected: Trojan-Downloader.Win32.IstBar.ik
C:\Program Files\Norton AntiVirus\Quarantine\2A252830 Infected: Trojan-Downloader.Win32.IstBar.jq
C:\Program Files\Norton AntiVirus\Quarantine\2E415672 Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton AntiVirus\Quarantine\3561286E Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Norton AntiVirus\Quarantine\37C94490 Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\42761151 Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Norton AntiVirus\Quarantine\428B067C/istactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\428B067C Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\42982E6E Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\429F0267 Infected: Trojan-Downloader.Win32.IstBar.jq
C:\Program Files\Norton AntiVirus\Quarantine\42A55660 Infected: Trojan.Win32.Agent.cp
C:\Program Files\Norton AntiVirus\Quarantine\42A8005C Infected: Trojan-Downloader.Win32.IstBar.jm
C:\Program Files\Norton AntiVirus\Quarantine\435A008F Infected: Trojan-Downloader.Win32.IstBar.ij
C:\Program Files\Norton AntiVirus\Quarantine\4701611C Infected: Trojan-Dropper.Win32.Small.qn
C:\Program Files\Norton AntiVirus\Quarantine\5DAB37C5 Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\68FB0684 Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\69FA567C Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Norton AntiVirus\Quarantine\7D912290 Infected: Trojan-Downloader.JS.IstBar.k
C:\Program Files\Norton AntiVirus\Quarantine\7ED67520 Infected: Trojan-Downloader.Win32.IstBar.jm
C:\WINDOWS\SYSTEM32\sdktp.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\winkv32.exe Infected: Trojan.Win32.Agent.bi

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 5:31:29 AM, on 12/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {A1963F3B-3090-7909-8C1F-E3655DCD0684} - C:\WINDOWS\ienn32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\apixt.exe" /s (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#7 P i p e r

P i p e r

  • Members
  • 20 posts

Posted 02 December 2005 - 03:15 AM

Please use Symantec's guide for emptying Norton AntiVirus's Quarantine.


Reboot into Safe Mode.


Open Hijack This and click on Scan. Check the following entries:

O2 - BHO: Class - {A1963F3B-3090-7909-8C1F-E3655DCD0684} - C:\WINDOWS\ienn32.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\apixt.exe" /s (file missing)


Remember to close all other windows, including browsers then click Fix checked.



Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\SYSTEM32\sdktp.exe
C:\WINDOWS\winkv32.exe



Open Cleanup! again.

Press the CleanUp! button to start the program. When prompted to reboot, click Yes.


Please post a fresh Hijack This log.
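A small triage script, added here as an editor's example (not part of this thread, of HijackThis, or of P i p e r's instructions), that flags the kinds of entries singled out above: autostart or BHO entries whose file is missing, unknown-owner services living directly under the Windows directory, service short names containing junk characters, and R0/R1 entries redirected to a res:// DLL (the about:blank hijack). The detection patterns are assumptions; the sample lines are copied from the logs posted in this thread.

```python
"""Flag suspicious HijackThis 1.99 log entries (editor's example, not HijackThis code)."""
import re
from typing import List, Tuple

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\drwyv.dll/sp.html#17702
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Class - {A1963F3B-3090-7909-8C1F-E3655DCD0684} - C:\WINDOWS\ienn32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\apixt.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

# O23 lines read "Service: Display Name (ShortName) - Owner - Path"; assumed layout.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SHORTNAME_RE = re.compile(r"\(([^()]*)\)")
# An .exe sitting directly in C:\WINDOWS (not in a subdirectory such as System32).
WINDIR_EXE_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


def check_entry(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HijackThis entry deserves a look."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0]           # e.g. "R1", "O2", "O23"
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (dead autostart/BHO)")
    if kind in ("R0", "R1") and "= res://" in line:
        reasons.append("IE start/search page redirected to a local DLL resource")
    m = SERVICE_RE.match(line)
    if m:
        if m.group("owner") == "Unknown owner" and WINDIR_EXE_RE.search(m.group("path")):
            reasons.append("unknown-owner service binary directly under the Windows directory")
        short_names = SHORTNAME_RE.findall(m.group("name"))
        # A legitimate short name is letters, digits, spaces, dots, dashes, underscores.
        if short_names and not re.fullmatch(r"[\w .\-]+", short_names[-1]):
            reasons.append("service short name contains junk characters")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run check_entry over every non-empty line and keep only the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_entry(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```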

#8 sUBs

sUBs

  • Malware Response Team
  • 2,489 posts

Posted 31 December 2005 - 04:59 PM

* * * * * * * * *

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

* * * * * * * * *
