
Infected With Something...do Not Know How To Remove


This topic is locked.
7 replies to this topic

#1 club824
  • Members
  • 6 posts

Posted 19 February 2006 - 06:55 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:51:13 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\system32\symsvcsa.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\TEMP\179739.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\wupdmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
C:\Documents and Settings\Barry\Desktop\stng260.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rrqcq.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\upd281.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run346.exe dummy
O4 - HKLM\..\Run: [ipvw.exe] C:\WINDOWS\ipvw.exe
O4 - HKLM\..\Run: [117.tmp] C:\DOCUME~1\Barry\LOCALS~1\Temp\117.tmp.exe
O4 - HKLM\..\Run: [118.tmp] C:\DOCUME~1\Barry\LOCALS~1\Temp\118.tmp.exe
O4 - HKLM\..\Run: [117.tmp.exe] C:\DOCUME~1\Barry\LOCALS~1\Temp\117.tmp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [javard.exe] C:\WINDOWS\javard.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\system32\upd281.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symsvcsa.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\system32\upd281.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ahjoje32.dll (file missing)
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



#2 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 20 February 2006 - 04:57 AM

Hello,

This is a really nasty log. :thumbsup:

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ATF Cleaner by Atribune to your desktop.
Do not use it yet.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rrqcq.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\upd281.exe
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run346.exe dummy
O4 - HKLM\..\Run: [ipvw.exe] C:\WINDOWS\ipvw.exe
O4 - HKLM\..\Run: [117.tmp] C:\DOCUME~1\Barry\LOCALS~1\Temp\117.tmp.exe
O4 - HKLM\..\Run: [118.tmp] C:\DOCUME~1\Barry\LOCALS~1\Temp\118.tmp.exe
O4 - HKLM\..\Run: [117.tmp.exe] C:\DOCUME~1\Barry\LOCALS~1\Temp\117.tmp.exe
O4 - HKLM\..\Run: [javard.exe] C:\WINDOWS\javard.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\system32\upd281.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symsvcsa.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\system32\upd281.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ahjoje32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode, as the computer is booting press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\ntpnt.exe
c:\Program Files\RazeSpyware <== folder
c:\WINDOWS\adw.htm
C:\WINDOWS\temp.000.exe
c:\Documents and Settings\Barry\Start Menu\Programs\RazeSpyware
c:\Documents and Settings\Barry\Desktop\RazeSpyware.lnk
c:\WINDOWS\system32\intxt.exe
c:\WINDOWS\system32\mswinb32.dll
c:\WINDOWS\system32\mswinb32.exe
c:\WINDOWS\system32\mswinup32.dll
C:\WINDOWS\system32\mswinf32.dll
C:\WINDOWS\system32\mswinf32.exe
c:\WINDOWS\system32\mswinxml.dll
c:\WINDOWS\system32\r.exe
c:\WINDOWS\system32\shell386.exe
c:\WINDOWS\system32\winapi32.dll
c:\WINDOWS\system32\winlfl32.dll
C:\WINDOWS\system32\symsvcsa.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\system32\upd281.exe
C:\WINDOWS\system32\run346.exe
C:\WINDOWS\ipvw.exe
C:\WINDOWS\javard.exe
C:\WINDOWS\SYSTEM32\msupdate32.dll

* Still in Safe Mode, double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply, together with a fresh HijackThis log and the ewido log, so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
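The fix list above was built by reading each HijackThis line and deciding whether the file it points to belongs on the machine. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python below parses HijackThis v1.99.1 entry lines and applies a few heuristics that correspond to what was flagged here: a win.ini `run=` hook (F3), a search bar served from a `res://` DLL (R1), orphaned `(no file)` BHOs (O2), autoruns in a Temp folder or using the `#WINSYS#` placeholder (O4), zone mismatches (O15), a Winlogon Notify package outside a short known-package list (O20) and an SSODL entry whose DLL is missing (O21). The heuristics and the `KNOWN_WINLOGON_NOTIFY` allowlist are my assumptions, not a HijackThis feature; the sample lines are copied from the first log in this thread.

```python
"""Heuristic triage of HijackThis log lines.
Added example for this thread; not code from HijackThis or BleepingComputer."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a dozen lines copied from the first HijackThis v1.99.1 log in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rrqcq.dll/sp.html#77035
F3 - REG:win.ini: run=C:\WINDOWS\system32\upd281.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [117.tmp] C:\DOCUME~1\Barry\LOCALS~1\Temp\117.tmp.exe
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\system32\upd281.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ahjoje32.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Assumed allowlist: Winlogon Notify packages that ship with Windows XP. Extend it for your build.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, full line) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def check(section, body):
    """Return a reason if the entry matches one of the heuristics, else None."""
    if section == "F3" and "run=" in body:
        return "program loaded through the legacy win.ini run= hook"
    if section == "R1" and re.search(r"res://.*\.dll/", body, re.IGNORECASE):
        return "search bar served from a res:// DLL resource (CoolWebSearch-style hijack)"
    if section == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration, DLL no longer present"
    if section == "O4":
        if "#WINSYS#" in body:
            return "autorun uses the #WINSYS# placeholder path"
        if TEMP_DIR_RE.search(body):
            return "autorun executable lives in a Temp directory"
    if section == "O15":
        return "HijackThis reports a protocol mapped to the wrong security zone"
    if section == "O20":
        # body looks like "Winlogon Notify: <package> - <dll path>"
        package = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if package not in KNOWN_WINLOGON_NOTIFY:
            return f"Winlogon Notify package '{package}' is not a known Windows package"
    if section == "O21" and "(file missing)" in body:
        return "SSODL entry points at a missing DLL"
    return None


def triage(log_text):
    """Apply every heuristic and return the findings in log order."""
    return [Finding(section, reason, line)
            for section, body, line in parse(log_text)
            if (reason := check(section, body)) is not None]


def section_counts(log_text):
    """How many entries each HijackThis section contributes; a quick overview of the log."""
    return Counter(section for section, _, _ in parse(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(dict(section_counts(SAMPLE_LOG)))
```

Run on the sample it flags eight lines in log order. Note what the rules do not catch: `C:\WINDOWS\system32\upd281.exe` sits in a legitimate directory, so only knowledge of the file name marks it, which is why a hand-built fix list like the one above is always longer than what path heuristics alone produce.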

#3 club824
  • Topic Starter
  • Members
  • 6 posts

Posted 21 February 2006 - 10:58 PM

First, thank you so much for your help. I followed your instructions and was able to perform all except for the following:

I didn't see these entries when I reopened HJT:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Also, my Internet Explorer was giving me an error and would not run.

Here are my logs per your request:

Logfile of HijackThis v1.99.1
Scan saved at 7:47:58 PM, on 2/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\inet20005\services.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\inet20005\mm5.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\TEMP\167123.tmp
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\inet20005\services.exe
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: (no name) - {2bc43670-c0bd-4794-bb11-f60f3e001dc5} - (no file)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20005\3.01.00.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [cmesys] #WINSYS#\cmesys.exe
O4 - HKLM\..\Run: [gator] #WINSYS#\gator.exe
O4 - HKLM\..\Run: [Cydoor] #WINSYS#\cd_load.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20005\services.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20005\services.exe
O4 - Startup: asheriff.lnk = C:\Program Files\AdwareSheriff\asheriff.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...4,0,0,83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,0,0,20/mcgdmgr.cab
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:17:06 AM, 2/21/2006
+ Report-Checksum: 2AD4ED97

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{D6F7942A-2903-FD22-A0E5-7716B284A428} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Tubby.ToolBandObj -> Adware.CasinoPalazzo : Cleaned with backup
HKLM\SOFTWARE\Classes\Tubby.ToolBandObj.1 -> Adware.CasinoPalazzo : Cleaned with backup
HKLM\SOFTWARE\Cydoor -> Adware.Cydoor : Cleaned with backup
HKLM\SOFTWARE\Gator.com -> Adware.Gator : Cleaned with backup
HKU\.DEFAULT\Software\Cydoor -> Adware.Cydoor : Cleaned with backup
HKU\.DEFAULT\Software\Cydoor Services -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Cydoor -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Cydoor Services -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DD6F50C0-9F8F-A41C-291E-7B3FB818EF18} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F21BD77E-0CCE-C6CD-4F85-AA3B7895988E} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1815438395-1053465774-2183507685-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF731508-CD28-E0B0-3E85-0CF55FDE9FBA} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Cydoor -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-18\Software\Cydoor Services -> Adware.Cydoor : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKCURun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnce -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnceEx -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKLMRun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnce -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnceEx -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\StartMenuAllUsers -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\Autorun\StartMenuCurrentUser -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Application Data\WinHound.com\WinHound\BrowserObjects -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\Barry\Local Settings\Temporary Internet Files\Content.IE5\8D27GP2F\prepare[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.a : Cleaned with backup
C:\Documents and Settings\Barry\Local Settings\Temporary Internet Files\Content.IE5\A98FUPE5\prepare[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.a : Cleaned with backup
C:\Documents and Settings\Barry\Local Settings\Temporary Internet Files\Content.IE5\SP8Z8FS3\loader187[2].exe -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\Barry\Local Settings\Temporary Internet Files\Content.IE5\SP8Z8FS3\prepare[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.a : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\ld2w48ld.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\ld2w48ld.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\ld2w48ld.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Guest\1file.tmp -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Guest\4file.tmp -> Dropper.Small.ale : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@ads.euniverseads[2].txt -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@www2.enigmasoftwaregroup[1].txt -> TrackingCookie.Enigmasoftwaregroup : Cleaned with backup
C:\ld.exe -> Downloader.Small.cke : Cleaned with backup
C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0055053.dll -> Hijacker.StartPage.ix : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP154\A0055142.exe -> Downloader.Delf.us : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0055336.exe -> Downloader.Small.vu : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0055387.dll -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0056364.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0056366.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0056369.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0056379.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0057396.exe -> Downloader.Small.cat : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0057404.PIF:hotrd -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP157\A0057404.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0057430.PIF:hotrd -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0057430.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0057453.dll -> Backdoor.Padodor : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058419.PIF:hotrd -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058419.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058653.PIF:hotrd -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058653.PIF:soair -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058653.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0058690.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058804.exe -> Proxy.Lager.af : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058806.exe -> Proxy.Lager.af : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058808.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058902.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058904.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058927.tlb -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0058930.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0059351.tlb -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0059354.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0059404.exe -> Adware.SpyFalcon : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0059459.tlb -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060607.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060874.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060876.exe -> Hijacker.Spywad.l : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060878.dll -> Not-A-Virus.Hoax.Win32.Renos.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060880.exe -> Proxy.Lager.f : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060885.tlb -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060886.exe -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060888.exe -> Downloader.Zlob.gn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060891.exe -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060943.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP159\A0060977.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0061103.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0061106.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0062089.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0062094.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0062132.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0062164.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0063137.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0063166.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\snapshot\MFEX-1.DAT -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP161\snapshot\MFEX-1.DAT -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0065140.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0065164.exe -> Downloader.Delf.aco : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0065398.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0066650.exe -> Downloader.CWS.r : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0066713.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0066750.exe -> Downloader.CWS.r : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\A0066830.exe -> Downloader.CWS.r : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP162\snapshot\MFEX-1.DAT -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0066840.exe -> Downloader.CWS.r : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0066911.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067002.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067200.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067209.exe -> Adware.CashDeluxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067218.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067219.exe -> Downloader.CWS.r : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0067221.dll -> Downloader.Agent.abe : Cleaned with backup
C:\WINDOWS\inet20005\3.01.00.dll -> Adware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20005\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20005\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\KB890923.log:bqzda -> Downloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr116.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr159.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr181.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr185.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr216.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr231.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr307.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr315.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr316.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr32.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr326.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr33.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr330.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr338.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr346.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr389.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr408.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr412.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr442.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr477.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr492.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr531.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr542.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr565.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr595.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr609.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr622.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr629.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr630.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr644.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr729.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr835.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr839.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr846.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr888.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr902.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr917.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr93.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldr976.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcvf.dll -> Downloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\SYSTEM32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\SYSTEM32\Nheopkha.exe -> Backdoor.Padodor.ax : Cleaned with backup
C:\WINDOWS\SYSTEM32\private.exe -> Downloader.Delf.aco : Cleaned with backup
C:\WINDOWS\SYSTEM32\sp.exe -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd155.exe -> Downloader.Delf.aco : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd197.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd208.exe -> Downloader.Agent.zx : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd321.exe -> Downloader.Delf.aco : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd639.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd710.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd717.exe -> Downloader.Delf.aco : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd801.exe -> Backdoor.Haxdoor.gr : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd836.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd894.exe -> Downloader.Agent.zx : Cleaned with backup
C:\WINDOWS\SYSTEM32\upd896.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\WINDOWS\SYSTEM32\winctrl16.exe -> Downloader.Delf.us : Cleaned with backup
C:\WINDOWS\SYSTEM32\winctrl64.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\uninstDsk.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:hotrd -> Downloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:soair -> Downloader.WinShow.bg : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup


::Report End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:23 AM

Posted 22 February 2006 - 03:31 AM

Hello,

First of all:
The current formatting of your log makes it difficult to read, so in Notepad:
at the top, click Format > uncheck Word Wrap

Your system is still badly infected though, so we have to give this another round. I see you got other malware as well, mainly backdoors, so good advice here is: don't use your computer for the moment to perform anything other than following my steps. Disconnect from the internet as much as possible. Only connect to post your logs, because your passwords are getting sent all over the internet right now as long as your system is infected. And the other malware still present will download even more malware again and again.
It is also really important you tell me if you can't delete some files.

Concerning your IE that won't start.... as long as you have malware present on your system, we can't restore this yet. We have to deal with malware first.
Can you tell me what error you are exactly getting when opening Internet Explorer?

Anyway... let's give this another round...

Go to Start > Control Panel > Software and uninstall AdwareSheriff

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F3 - REG:win.ini: run=C:\WINDOWS\inet20005\services.exe
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: (no name) - {2bc43670-c0bd-4794-bb11-f60f3e001dc5} - (no file)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20005\3.01.00.dll
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O4 - HKLM\..\Run: [cmesys] #WINSYS#\cmesys.exe
O4 - HKLM\..\Run: [gator] #WINSYS#\gator.exe
O4 - HKLM\..\Run: [Cydoor] #WINSYS#\cd_load.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20005\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20005\services.exe
O4 - Startup: asheriff.lnk = C:\Program Files\AdwareSheriff\asheriff.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot in SAFE MODE

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\inet20005 <== folder
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\TEMP\167123.tmp
C:\Program Files\AdwareSheriff <== folder

Run ATF Cleaner again in safe mode.

Then Run Ewido again.

Reboot back to normal mode and try the Online Panda scan again, because I really need that log.
Post it in your next reply together with a new HijackThis log and the log from Ewido.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
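As a defender-side aid for reading reports like the Ewido one posted above (an added example, not code from this thread or from Ewido): the parser below splits each `location -> detection : action` line, tells registry keys, Firefox cookie records, System Restore copies and ordinary files apart, flags alternate data streams (the `file.PIF:stream` entries) and autostart locations, and summarises hits by detection family. The sample lines are constructed after the report; the `HKLM\...\Run\xp_system` line is an assumed registry hit modelled on the O4 entry in the post, not a line from the report.

```python
"""Triage helper for Ewido-style report lines: <location> -> <detection> : <action>.
Added example for this thread; not part of Ewido or of the original posts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the report posted above. The last line is an
# assumed registry Run-key hit (the report itself lists no Run keys).
SAMPLE_REPORT = r"""
HKU\S-1-5-18\Software\Cydoor -> Adware.Cydoor : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\ld2w48ld.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vqlpx -> Downloader.WinShow.bg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0057453.dll -> Backdoor.Padodor : Cleaned with backup
C:\WINDOWS\SYSTEM32\Nheopkha.exe -> Backdoor.Padodor.ax : Cleaned with backup
C:\WINDOWS\KB890923.log:bqzda -> Downloader.WinShow.bg : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp_system -> Downloader.CWS.r : Cleaned with backup
"""

REG_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\")
RESTORE_MARK = "\\system volume information\\_restore"
STARTUP_MARK = "\\start menu\\programs\\startup\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once|onceex)?(\\|$)", re.IGNORECASE)


@dataclass
class Finding:
    location: str
    detection: str
    action: str
    kind: str                    # registry | cookie | restore_point | file
    family: str                  # first dotted component, e.g. Backdoor, Adware
    ads_stream: Optional[str]    # stream name when the file path is path:stream
    persistence: bool            # Startup folder or a Run/RunOnce/RunOnceEx key


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for headers/footers like '::Report End'."""
    line = line.strip()
    if " -> " not in line:
        return None
    location, rest = line.rsplit(" -> ", 1)
    if " : " not in rest:
        return None
    detection, action = rest.rsplit(" : ", 1)

    lower = location.lower()
    kind, ads, persist = "file", None, False
    if location.upper().startswith(REG_HIVES):
        kind = "registry"
        persist = bool(RUN_KEY_RE.search(location))
    elif location.startswith(":mozilla."):
        # Ewido prefixes Firefox cookie records with ':mozilla.N:' before the path.
        kind = "cookie"
    elif RESTORE_MARK in lower:
        # System Restore copies: harmless until a restore point is used.
        kind = "restore_point"
    else:
        leaf = location.rsplit("\\", 1)[-1]
        if ":" in leaf:          # e.g. _DEFAULT.PIF:vqlpx -> NTFS alternate data stream
            ads = leaf.split(":", 1)[1]
        persist = STARTUP_MARK in lower

    return Finding(location, detection, action, kind,
                   detection.split(".", 1)[0], ads, persist)


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Counts by family plus the items a helper would look at first."""
    return {
        "total": len(findings),
        "families": Counter(f.family for f in findings),
        "persistence": [f.location for f in findings if f.persistence],
        "ads_streams": [(f.location, f.ads_stream) for f in findings if f.ads_stream],
        "restore_point_hits": sum(1 for f in findings if f.kind == "restore_point"),
        "backdoor_present": any(f.family == "Backdoor" for f in findings),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```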

#5 club824

club824
  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:23 PM

Posted 25 February 2006 - 01:57 AM

Thank you again for your help...
I could not delete AdwareSheriff (directory not empty) and there is also an empty SpyFalcon folder that I cannot delete, giving the same error msg.

Good news, no error msg from IE, but Panda gave me some grim news:


Incident Status Location

Virus:W32/Sality.O Not disinfected Operating system
Adware:adware/cydoor Not disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:adware/cws.aboutblank Not disinfected C:\WINDOWS\SYSTEM32\crme32.exe
Spyware:spyware/dynadesk Not disinfected C:\WINDOWS\SYSTEM32\ddmp.dll
Adware:adware/searchaid Not disinfected C:\WINDOWS\SYSTEM32\javanm.exe
Adware:adware/tubby Not disinfected C:\WINDOWS\SYSTEM32\mtc.dll
Adware:adware/admess Not disinfected C:\WINDOWS\SYSTEM32\tcpservice2.exe
Adware:adware/cws.yexe Not disinfected C:\messanger.ini
Adware:adware/startpage.na Not disinfected C:\WINDOWS\dpe.dll
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.exe
Adware:adware/alfacleaner Not disinfected Windows Registry
Virus:W32/Sality.O Not disinfected C:\DELL\ATAPI.EXE
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R58370\Setup.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R61758\setup.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R61758\stacconfig.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R65557\Setup.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R66674\BCMSMD2K.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R66674\BCMSMhom.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R66674\BCMSMLog.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R66674\BCMSMMon.exe
Virus:W32/Sality.O Not disinfected C:\DELL\drivers\R66674\BCMSMMsg.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\407\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\411\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\415\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\419\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\426\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\428\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\430\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\445\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\446\WMITarget.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\DFolder.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\DNgen.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\DReg1.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\DSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\GUI.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\progress.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\prstp.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\ssIS.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\startDSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\Support.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\update21GUI.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\489\updtSup5.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\579\DellSupportW766.EXE
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\579\startDSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\579\updtSupDS3.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\581\DellSupportW766.EXE
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\581\startDSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\581\updtSupDS3.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\585\DellSupportW766.EXE
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\585\startDSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\585\updtSupDS3.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\586\DellSupportW766.EXE
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\586\startDSLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\Dell\Alert\586\updtSupDS3.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\DellSupportODBK.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\DellSupportUtil.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\DellSommelierFix.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\Fix\DellSupportODBK.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\RunGdp.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Desktop\smitRem\getsts.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Desktop\smitRem\Process.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Desktop\smitRem\pv.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Desktop\smitRem\swreg.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Desktop\stng260.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\AllertEula.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\CFiles.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\DA_PASlog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\DBGLogger.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\DrK.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\ExpEval21.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\Alert\bin\rng.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\ClientApplicationFrameWork.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\DellUpdateMsg.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\DS_PASlog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\EnableDS.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\ISCallingDLLFI.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\ISOOBE.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\ISRunOnceEXE.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\Mregister.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\ssIS.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\Support.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\AAWTMP\C1719091\25A16A\bin\UploadLog.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Barry\Local Settings\Temp\winpvvhj¥.exe
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Guest\Cookies\guest@ask[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Guest\Cookies\guest@banner[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Guest\Cookies\guest@go[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Guest\Cookies\guest@rightmedia[2].txt
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Guest\Local Settings\Temp\drsmartload125a.exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\9RFJPX8E\drsmartload[1].exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\KRTRY2J9\eliteunstall[1].exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\KRTRY2J9\unstall[1].exe
Virus:W32/Sality.O Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\VY4VJDCL\drsmartload[1].exe
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMD2K.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMHOM.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMLOG.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMMON.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMMSG.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\BCMSMU.EXE
Virus:W32/Sality.O Not disinfected C:\DRIVERS\MODEM\SETUP.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ACCWIZ.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AGENTSVR.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AHUI.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ALG.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ARP.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ati2evxx.exe
Virus:W32/Sality.O Not disinfected C:\I386\Ati2mdxx.exe
Virus:W32/Sality.O Not disinfected C:\I386\ATMADM.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ATTRIB.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AUTOCHK.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AUTOCONV.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AUTOFMT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\AUTOLFN.EXE
Virus:W32/Sality.O Not disinfected C:\I386\BacsTray.exe
Virus:W32/Sality.O Not disinfected C:\I386\BCMWLD2K.EXE
Virus:W32/Sality.O Not disinfected C:\I386\BCMWLTRY.EXE
Virus:W32/Sality.O Not disinfected C:\I386\BCMWLU00.EXE
Virus:W32/Sality.O Not disinfected C:\I386\BOOTOK.EXE
Virus:W32/Sality.O Not disinfected C:\I386\BOOTVRFY.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CACLS.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CALC.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CB32.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CHARMAP.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CHKDSK.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CHKNTFS.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CIDAEMON.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CISVC.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CKCNV.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CLICONFG.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CLIPBRD.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CLIPSRV.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CMD.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CMDL32.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CMMON32.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CMSTP.EXE
Virus:W32/Sality.O Not disinfected C:\I386\COMP.EXE
Virus:W32/Sality.O Not disinfected C:\I386\COMPACT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\COMREPL.EXE
Virus:W32/Sality.O Not disinfected C:\I386\COMREREG.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CONF.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CONIME.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CONTROL.EXE
Virus:W32/Sality.O Not disinfected C:\I386\ControlSuite.exe
Virus:W32/Sality.O Not disinfected C:\I386\CONVERT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CSCRIPT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\CTFMON.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DCOMCNFG.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DDESHARE.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DEFRAG.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DFRGFAT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DFRGNTFS.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DIANTZ.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DISKPART.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DISKPERF.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DLIMPORT.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DLLHOST.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DLLHST3G.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DMADMIN.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DMREMOTE.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DOSKEY.EXE
Virus:W32/Sality.O Not disinfected C:\I386\DPLAYSVR.EXE
Virus:W3

#6 club824

club824
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 25 February 2006 - 02:00 AM

Hello,
Did you get all three complete reports? I'm new to this posting topics thing and I can't tell if it can get cut off?!?! :thumbsup:

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:23 AM

Posted 25 February 2006 - 02:12 AM

Hmm, this doesn't look good though...

First of all, reboot your system in Safe mode and delete the following files/folders:

C:\WINDOWS\SYSTEM32\cd_clint.dll
C:\WINDOWS\SYSTEM32\crme32.exe
C:\WINDOWS\SYSTEM32\ddmp.dll
C:\WINDOWS\SYSTEM32\javanm.exe
C:\WINDOWS\SYSTEM32\mtc.dll
C:\WINDOWS\SYSTEM32\tcpservice2.exe
C:\messanger.ini
C:\WINDOWS\dpe.dll
C:\WINDOWS\msbb.exe

Also delete the Adwaresheriff and the Spyfalcon folder in safe mode.

Looks like you are also dealing with a nasty virus which infected A LOT of legit files. So my question is here... Is your McAfee up to date? Because normally McAfee is able to disinfect those.
Please run a McAfee scan also in safe mode and let McAfee disinfect those files.... don't let McAfee delete them, but disinfect!!

After performing the above steps, post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
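The scan report posted earlier in this thread and the advice above (delete the dropped files and tracking cookies, but have McAfee disinfect the infected legitimate executables rather than delete them) can be turned into a quick triage script. The following is an added example, not code from the thread, from BleepingComputer or from any scanner vendor. It assumes only the line format visible in the posted report (`Category:Name Status Path`); the sample lines are copied from that report, and the triage rule encodes the helper's advice plus the fact that W32/Sality is a file infector that attaches itself to otherwise legitimate programs (deleting the host file would remove the program, disinfecting keeps it).

```python
"""Summarise and triage a scan report of the kind posted in this thread.

Each report line has the shape:
    <Category>:<Detection> <Status> <Path>
for example:
    Virus:W32/Sality.O Not disinfected C:\\I386\\CMD.EXE
"""
import re
from collections import Counter

# category:name, then the status words, then a drive-letter path to end of line.
LINE_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.*)$"
)

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = """\
Virus:W32/Sality.O Not disinfected C:\\Documents and Settings\\Guest\\Local Settings\\Temp\\drsmartload125a.exe
Spyware:Cookie/Ask Not disinfected C:\\Documents and Settings\\Guest\\Cookies\\guest@ask[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\\Documents and Settings\\Guest\\Cookies\\guest@rightmedia[2].txt
Virus:W32/Sality.O Not disinfected C:\\DRIVERS\\MODEM\\SETUP.EXE
Virus:W32/Sality.O Not disinfected C:\\I386\\CMD.EXE
Virus:W32/Sality.O Not disinfected C:\\I386\\CHKDSK.EXE
Virus:W32/Sality.O Not disinfected C:\\I386\\CACLS.EXE
"""


def parse_report(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def top_dir(path):
    """'C:\\I386\\CMD.EXE' -> 'C:\\I386' (drive plus first directory)."""
    parts = path.split("\\")
    return "\\".join(parts[:2])


def summarize(hits):
    """Count detections per detection name and per top-level directory."""
    by_name = Counter(h["name"] for h in hits)
    by_dir = Counter(top_dir(h["path"]) for h in hits)
    return by_name, by_dir


def triage(hit):
    """Classify a hit as 'delete', 'disinfect' or 'review' (hypothetical rule set)."""
    path = hit["path"].lower()
    if hit["category"] == "Spyware" and hit["name"].startswith("Cookie/"):
        return "delete"      # tracking cookie: a text file, nothing to repair
    if hit["category"] == "Virus" and "\\temp" in path:
        # matches both \Temp and \Temporary Internet Files: a dropped copy
        # in a cache directory, not a legitimate host program
        return "delete"
    if hit["category"] == "Virus":
        # file infector inside a legitimate executable (e.g. under C:\I386):
        # let the AV disinfect so the original program survives
        return "disinfect"
    return "review"


def triage_counts(hits):
    """How many files fall into each triage bucket."""
    return Counter(triage(h) for h in hits)


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    by_name, by_dir = summarize(hits)
    print("detections by name:", dict(by_name))
    print("detections by directory:", dict(by_dir))
    print("triage:", dict(triage_counts(hits)))
    for h in hits:
        print(f"{triage(h):10} {h['name']:20} {h['path']}")
```

Running it on the full report instead of the embedded sample (read the pasted text from a file and pass it to `parse_report`) gives a per-directory count that makes the scale of the file-infector problem obvious at a glance: a long run of hits under `C:\I386` and `C:\WINDOWS` means disinfection, not deletion, is the only option short of reinstalling Windows.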

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:23 AM

Posted 04 March 2006 - 12:04 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
