Help! Hijack Logs


  • This topic is locked
4 replies to this topic

#1 DigitalFool

DigitalFool

  • Members
  • 39 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 03 February 2006 - 10:53 PM

System boot takes forever - 3 spyware programs continue to locate new malware on every reboot - Norton has ceased to be effective - what does this show? Thanks all!

Logfile of HijackThis v1.99.1
Scan saved at 9:39:29 PM, on 2/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\System32\veritas.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Microsoft Works\WkDetect.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\REGIST~1\regclean.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\winsysban5.exe
C:\WINDOWS\System32\rundll32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {E60877C7-E659-B387-28E7-B59E8C3804B5} - C:\WINDOWS\System32\xtqn.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\prefs.js)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {E60877C7-E659-B387-28E7-B59E8C3804B5} - C:\WINDOWS\System32\xtqn.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] c:\\winsysban5.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [WINDRUN] taskgmrs.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [WINDRUN] taskgmrs.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {E1A2FEA9-23F5-473D-8B4F-21A3CB43D3AD} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://rppres2.renlearn.com/PR89/SharedApp...ads/rlprint.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: winsaj32 - C:\WINDOWS\SYSTEM32\winsaj32.dll
O21 - SSODL: EEBJECBG - {6355787B-6A16-3C92-5FE8-3377164B52BC} - C:\WINDOWS\System32\Gfphcokb.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:24 PM

Posted 04 February 2006 - 09:56 AM

Hello,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while you are surfing, without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following programs:

NewDotNet (New.net)
Registry Cleaner
<= In most cases Registry Cleaner gets installed without really asking, but as an alert in a popup telling you that you need it, spamming you with it. It is also a trial, so if you didn't pay for it, uninstall it.

Reboot after uninstalling!!! Important!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ATF Cleaner by Atribune to your desktop.
Do not use it yet.

Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {E60877C7-E659-B387-28E7-B59E8C3804B5} - C:\WINDOWS\System32\xtqn.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {E60877C7-E659-B387-28E7-B59E8C3804B5} - C:\WINDOWS\System32\xtqn.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] c:\\winsysban5.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [WINDRUN] taskgmrs.exe
O4 - HKCU\..\Run: [WINDRUN] taskgmrs.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - Winlogon Notify: winsaj32 - C:\WINDOWS\SYSTEM32\winsaj32.dll
O21 - SSODL: EEBJECBG - {6355787B-6A16-3C92-5FE8-3377164B52BC} - C:\WINDOWS\System32\Gfphcokb.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
° To get into Safe Mode, press and hold your "F8" key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\veritas.exe
C:\Program Files\Common Files\VCClient <== folder
c:\winsysban5.exe
c:\gimmygames.exe
C:\WINDOWS\SYSTEM32\winsaj32.dll <== it could be possible you can't find or can't delete this one, just let me know afterwards.

* Still in Safe Mode, double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first!
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of that log in your next reply, together with the Panda scan report, a fresh HijackThis log and the ewido log, so I can take another look.

As an extra addition, also perform the following:

Open Notepad and copy and paste the next bold text from the quote box into it:

regedit /e peek1.txt "HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
regedit /e peek4.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat, choose to save as *All Files* and place it on your desktop.
It should look like this: [image]
Double-click look.bat and a log will open. Post these contents also in your next reply. If the logs don't fit in one post, use two posts instead.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
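The reply above picks which HijackThis lines to fix by a few rules of thumb: autorun (O4) entries whose command is a bare filename such as veritas.exe or taskgmrs.exe, executables dropped in the root of C:\, entries that say "(file missing)", Trusted Zone additions, Winsock (O10) hijacks, Winlogon Notify and SSODL entries, and search pages pointing at unfamiliar hosts. The following Python script is an added example written for this page, not part of the thread, of HijackThis or of any of the tools the helper names; it applies those same heuristics to log lines so a defender can triage a log offline. Everything it flags is "worth a look", not a verdict: Spybot's SDHelper.dll shows up as an unnamed BHO and is harmless. The EXPECTED_HOSTS allowlist is a constructed assumption, and SAMPLE_LOG is a subset of lines copied from the log posted earlier in this thread.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or of the reply above.
It flags lines matching the rules of thumb a helper applies when deciding which
entries to review; a flag means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist (assumption for this example): start/search-page hosts
# that are not worth flagging on a typical home machine.
EXPECTED_HOSTS = {"www.microsoft.com", "www.google.com", "www.msn.com"}

# Sections worth a look whenever they appear; legitimate software on a home XP
# machine rarely touches these keys.
ALWAYS_REVIEW = {
    "O10": "Winsock LSP chain hijacked",
    "O15": "site added to the Trusted Zone",
    "O20": "Winlogon Notify DLL registered",
    "O21": "ShellServiceObjectDelayLoad entry",
}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Command part of an O4 line: '[name] command' or 'Shortcut.lnk = command'
O4_CMD_RE = re.compile(r"(?:\]\s*|\.lnk\s*=\s*)(?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _o4_executable(body):
    """Extract the executable path from an O4 body, dropping any arguments."""
    m = O4_CMD_RE.search(body)
    if not m:
        return ""
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted command: arguments, when present, start with ' -' or ' /'
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def _check_o4(body):
    exe = _o4_executable(body)
    if not exe:
        return []
    if "\\" not in exe:
        return ["autorun command is a bare filename with no directory"]
    if re.fullmatch(r"[A-Za-z]:\\+[^\\]+", exe):
        return ["autorun executable sits in the root of the drive"]
    return []


def triage(lines):
    """Return one Finding per (line, reason) pair for lines that need review."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ALWAYS_REVIEW:
            reasons.append(ALWAYS_REVIEW[sec])
        if sec in ("R0", "R1"):
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if host not in EXPECTED_HOSTS:
                    reasons.append(f"start/search page points to unexpected host {host}")
        if sec in ("R3", "O2") and "(no name)" in body:
            reasons.append("unnamed search hook / BHO")
        if sec == "O4":
            reasons.extend(_check_o4(body))
        if "(file missing)" in body:
            reasons.append("entry references a file that is no longer present")
        findings.extend(Finding(sec, r, line) for r in reasons)
    return findings


# Sample input: a subset of lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {E60877C7-E659-B387-28E7-B59E8C3804B5} - C:\WINDOWS\System32\xtqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [winsysban] c:\\winsysban5.exe
O4 - HKCU\..\Run: [WINDRUN] taskgmrs.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O20 - Winlogon Notify: winsaj32 - C:\WINDOWS\SYSTEM32\winsaj32.dll
O21 - SSODL: EEBJECBG - {6355787B-6A16-3C92-5FE8-3377164B52BC} - C:\WINDOWS\System32\Gfphcokb.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read().splitlines())`; on the sample above it flags eleven of the fourteen lines (the O21 line twice, once for the section and once for the missing file) and leaves the fully-pathed Symantec, WinZip and LiveUpdate entries alone. The rules deliberately err toward flagging, which matches how a helper reads these logs: the cost of a glance at a benign unnamed BHO is far lower than missing a Winlogon Notify DLL.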

#3 DigitalFool

DigitalFool
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 05 February 2006 - 03:12 PM

Here are the additional logs from the scans - however, since doing the below, the profile has become corrupted and I had to create a new user. I still get two errors when logging into Windows, which say that Windows can't find wpie4x86.inf and wmp10.inf.
I have tried to resolve the profile issue with no luck (including copying the profile contents to the new user).

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:38:07 PM, 2/4/2006
+ Report-Checksum: E78B541C

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
C:\cygwid.exe -> Downloader.Small.bmx : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Application Data\Mozilla\Profiles\default\xfbq0hif.slt\NewCache\ABA39690d01 -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Cookies\len zielinski@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Cookies\len zielinski@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\8AE53BH5\gimmygames[1].exe -> Downloader.VB.vr : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\8AE53BH5\inst_0004[1].exe -> Downloader.Small.cam : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\AZKS1HSO\myupdates[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\AZKS1HSO\ucmoreiex[1].exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\AZKS1HSO\ucmoreiex[1].exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\IKR4JK7A\installerus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\IKR4JK7A\ltndload[1].dll -> Adware.Sud : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\IKR4JK7A\winsysban5[1].exe -> Hijacker.VB.kc : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\OL42C8KG\drsmartload[1].exe -> Downloader.VB.ri : Cleaned with backup
C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\OL42C8KG\NNSCAA638[1].EXE -> Spyware.NewDotNet : Cleaned with backup
C:\installerus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\inst_0004.exe -> Downloader.Small.cam : Cleaned with backup
C:\NNSCAA638.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Yazzle Sudoku\Sudoku.exe -> Dropper.VB.kk : Cleaned with backup
C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-1006\Dc2.exe -> Downloader.VB.vr : Cleaned with backup
C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-1006\Dc3.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-1006\Dc3.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20060201-212231-507.dll -> Adware.E2Give : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20060201-212231-855.dll -> Adware.Suggestor : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20060201-212232-945.dll -> Adware.NewDotNet : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20060201-212241-746.dll -> Adware.Mirar : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20060202-060945-511.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\elos.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.vr : Cleaned with backup
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\whCC-GIANT[1].exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\xxxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\xxxxxxxx[2] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\xxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\xxxxxxx[2] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2R6161Q5\xxxxxxx[3] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WBG9IJAR\xxxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WBG9IJAR\xxxxxxxx[2] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WBG9IJAR\xxxxxxxx[3] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WBG9IJAR\xxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WBG9IJAR\xxxxxxx[2] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\eeedo[1].exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[2] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[3] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[4] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[5] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[6] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxxx[7] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\xxxxxxx[1] -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\drivers\ndisrd.sys -> Downloader.Small.AQI : Cleaned with backup
C:\WINDOWS\system32\f3pssavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\system32\Finbkkak.exe -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\titno.exe -> Adware.MDH : Cleaned with backup
C:\WINDOWS\system32\winola32.dll -> Trojan.Agent.og : Cleaned with backup


::Report End

PANDA SCAN

Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Len Zielinski\Cookies\len zielinski@adopt.hbmediapro[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Len Zielinski\Cookies\len zielinski@banners.searchingbooth[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Len Zielinski\Cookies\len zielinski@stats1.reliablestats[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\AZKS1HSO\!update-3395[1].0000
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Len Zielinski\Local Settings\Temporary Internet Files\Content.IE5\AZKS1HSO\mat[1].exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\TEMP.YOUR-YN89P666BJ.003\Cookies\len zielinski@doubleclick[1].txt
Adware:adware/dollarrevenue Not disinfected C:\drsmartload225a.exe
Adware:Adware/Maxifiles Not disinfected C:\mc-110-12-0000125.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Yazzle Sudoku\uninstaller.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc17.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[whAgent.inf]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[WhAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[WhSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[Webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-4217759621-645757453-568730901-500\Dc23.exe[whiehlpr.dll]
Adware:Adware/PurityScan Not disinfected C:\unzipped\hijackthis\backups\backup-20060201-212232-649.dll
Adware:Adware/PurityScan Not disinfected C:\unzipped\hijackthis\backups\backup-20060204-191338-428.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GRML4DEX\mat[1].exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WRALKBSB\launcher[1].exe
Adware:adware program Not disinfected C:\WINDOWS\system32\data.~
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\wallpap.exe

BLACKLIGHT - no log generated as it found no problems


Logfile of HijackThis v1.99.1
Scan saved at 2:02:16 PM, on 2/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Len Zielinski NEW\Local Settings\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139101410671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://rppres2.renlearn.com/PR89/SharedApp...ads/rlprint.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"WINDRUN"="taskgmrs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:00000320
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"WINDRUN"="taskgmrs.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:93,77,67,15,40,d9,b2,18,f2,73,fa,aa,47,97,a3,70,39,34,37,62,38,\
62,34,31,00,00,00,00,01,00,00,00,bc,01,00,00,c0,01,00,00,40,ca,06,00,5b,a5,\
bf,71,04,00,00,00,10,00,00,00,00,00,00,00,af,55,17,eb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:80,97,53,36,f8,3d,c1,7d,4b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c2,98,4c,6c,2e,a0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:7a,d2,5e,d1,27,46,29,d7,14,0c,73,7e,1a,03,7f,38

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:4c,f0,54,85,e6,9e,c1,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,60,6b,4e,dd,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,6b,4e,dd,27,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,6b,4e,dd,27,c1,01
"Type"=dword:00000031

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 February 2006 - 03:45 PM

Hello,

Not sure what you have been doing to cause that corrupted user profile, though...
Also, the errors at startup look like an incomplete attempt to update to Windows Media Player 10 and other parts of Windows Update? I actually asked you to update to Service Pack 1 for now...
After your system is clean, update to Service Pack 2; this should get rid of the errors at startup.

Your HijackThis log looks clean; just set a new start page again.

Uninstall Yazzle Sudoku from Add/Remove Programs.

Delete the following files:

C:\drsmartload225a.exe
C:\mc-110-12-0000125.exe
C:\Program Files\Yazzle Sudoku <== folder
C:\WINDOWS\system32\data.~
C:\WINDOWS\wallpap.exe

Use ATF Cleaner again.

Open Notepad and copy and paste the following bold text from the quote box into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"WINDRUN"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"WINDRUN"=-


Save this as fix.reg, choosing to save as *all files, and place it on your desktop.
It should look like this: [screenshot]
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

As a side note, you were dealing with some real nasty malware over here. I can't guarantee we cleaned this all, because something may still be hidden here and, to be honest, I wouldn't trust this system anymore, especially since it was/is still unpatched and not updated at all!!
A good piece of advice I would also give is to change all your passwords.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
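The fix above works by merging a REGEDIT4 file in which `"name"=-` deletes a value and `"name"=data` resets one. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python below parses a registry export in the format the poster pasted, flags the four values the helper's fix.reg deletes or resets (the `WINDRUN` values under the Ole and Lsa keys, `EnableDCOM`, `restrictanonymous`), and generates the same fix.reg text. The sample export is a constructed, trimmed copy of the two keys from the export above; the expected values are taken from the post, and the function names are my own.

```python
"""Audit a .reg export for the values this thread's fix.reg changes, and rebuild that fix.

Added example, not from the thread or from any tool it mentions.  It handles the
REGEDIT4 and "Windows Registry Editor Version 5.00" formats, including hex values
continued over several lines with a trailing backslash.
"""
import re

# Constructed sample: a trimmed copy of the two keys the thread's fix.reg touches.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00
"EnableDCOM"="N"
"WINDRUN"="taskgmrs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaPid"=dword:00000320
"restrictanonymous"=dword:00000001
"WINDRUN"="taskgmrs.exe"
'''

# What the helper's fix.reg does to each value (taken from the post, not invented):
# None means "delete the value" ("name"=-), anything else is the data it is reset to.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): '"Y"',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "WINDRUN"): None,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): "dword:00000000",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "WINDRUN"): None,
}

# "name"=data or @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                 # continuation line of a hex value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = (m.group(1) if m.group(1) is not None else "@"), m.group(2)
            if data.endswith("\\"):             # hex data continues on the next line
                pending = (name, data.rstrip("\\"))
            else:
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """Compare an export against EXPECTED; return [(key, name, found, wanted)]."""
    findings = []
    for (key, name), wanted in EXPECTED.items():
        found = keys.get(key, {}).get(name)
        if found is None:
            continue                            # value absent: nothing to change
        if wanted is None or found != wanted:
            findings.append((key, name, found, wanted))
    return findings


def build_fix(findings):
    """Emit a REGEDIT4 file: "name"=- deletes a value, "name"=data resets it."""
    by_key = {}
    for key, name, _found, wanted in findings:
        entry = f'"{name}"=-' if wanted is None else f'"{name}"={wanted}'
        by_key.setdefault(key, []).append(entry)
    lines = ["REGEDIT4", ""]
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    report = find_indicators(parse_reg(SAMPLE_REG))
    for key, name, found, wanted in report:
        action = "delete" if wanted is None else f"reset to {wanted}"
        print(f"{key}\\{name}: found {found} -> {action}")
    print(build_fix(report))
```

Run against the sample, `build_fix` reproduces the post's fix.reg line for line; pointing `parse_reg` at a real export (`reg export HKLM\SOFTWARE\Microsoft\Ole ole.reg` on the machine) lets the same check be repeated after the fix has been merged, to confirm the values are gone.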

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 February 2006 - 05:42 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
