
Hijackthis Help Please!


This topic is locked.
15 replies to this topic

#1 kingofbling
  • Members
  • 24 posts

Posted 08 April 2006 - 04:08 AM

Hi, please could someone check my logfile and help me out with it? I've tried deleting SurfSideKick 3 with the instructions on this site but it won't budge! Many thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:03:14, on 08/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\mousepad9.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\DOCUME~1\Max\LOCALS~1\Temp\cinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Documents and Settings\Max\Desktop\Tools and stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\WINDOWS\system32\gytw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: csrs - C:\WINDOWS\SYSTEM32\csrs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kjddv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wXssl.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\fylemgmt.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF4\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe






Thanks!
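A small triage pass over a log in this HijackThis v1.99.1 format, added here as an example; it is not part of this thread or of HijackThis itself, and the heuristics (orphaned entries, autoruns without a full path, files run from a Temp folder, services with no owner, file names one letter away from a core Windows binary such as csrs vs csrss) and the sample lines are constructed from entries quoted in the post above.

```python
# Added example: triage a HijackThis v1.99.1 style log for entries that
# deserve a second look. Not a HijackThis feature; heuristics are ours.
import re
from pathlib import PureWindowsPath

# Core Windows binaries that malware likes to imitate; the log above shows
# csrs.exe / csrs.dll sitting beside the real csrss.exe.
SYSTEM_NAMES = sorted({"smss", "csrss", "winlogon", "services", "lsass",
                       "svchost", "explorer", "spoolsv"})

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# A drive-rooted Windows path ending in a loadable or executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*?\.(?:exe|dll|ocx|vbs|bat|cab)\b',
                     re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample modelled on the log quoted above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Max\LOCALS~1\Temp\cinfo.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\WINDOWS\system32\gytw.dll (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: csrs - C:\WINDOWS\SYSTEM32\csrs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF4\command.exe (file missing)
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path: str):
    """Return the system binary a file name is one edit away from, else None."""
    stem = PureWindowsPath(path).stem.lower()
    if stem in SYSTEM_NAMES:
        return None          # the genuine article, not a lookalike
    for known in SYSTEM_NAMES:
        if levenshtein(stem, known) == 1:
            return known
    return None


def triage(log_text: str):
    """Return (section, reason, line) triples for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            sec, body = m.group("sec"), m.group("body")
            if "(file missing)" in body:
                findings.append((sec, "orphaned: target file missing", line))
            if sec == "O4":
                # Registry autoruns read "[Name] target"; Startup-folder
                # entries read "X.lnk = target". A bare file name with no
                # path is resolved via the search path, which is unusual.
                target = body.split("]", 1)[-1] if "]" in body else body.split(" = ", 1)[-1]
                if not PATH_RE.search(target):
                    findings.append((sec, "autorun without full path", line))
            if sec == "O23" and "Unknown owner" in body:
                findings.append((sec, "service with unknown owner", line))
        else:
            sec, body = "PROC", line   # "Running processes" lines are bare paths
        for path in PATH_RE.findall(body):
            known = lookalike(path)
            if known:
                findings.append((sec, f"name imitates {known}", line))
            if TEMP_RE.search(path):
                findings.append((sec, "runs from a Temp directory", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:<5} {reason:<32} {line}")
```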


#2 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 April 2006 - 07:54 AM

This is a nasty log.

Go to start > run and copy and paste next command in the field:

"C:\Program Files\SurfSideKick 3\Ssk.exe" /u

A new window will open and ask you to enter a code. You'll find that code in the same window.
Enter it and reboot when asked! Important!

I see you were dealing with look2me as well. Not sure if settings are restored, so we have to run the fix anyway.

Please perform the next steps in the right order:

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded, click OK, and then Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

* Download and Save blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legitimate items can also be present there...
There should also be a log on your desktop named fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply together with the contents of the Panda scan report and the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kingofbling (Topic Starter)
  • Members
  • 24 posts

Posted 12 April 2006 - 03:43 PM

Hi, many thanks for the help. However, I seem to be pop-up and pretty much virus-free due to downloading Ad-Aware. I appreciate the help greatly, but I have tried the methods you listed and got a little stuck regarding the Look2Me-Destroyer: it didn't open again after saying the 1 minute close and open thing. I'm happy with my computer's performance now, but thanks anyway for the help.

#4 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 April 2006 - 03:49 PM

Hello,

Well, if Look2Me-Destroyer didn't work, reboot and run it again.
But I really need the logs I asked you for, because popups were not your only concern here. Your system is/was terribly infected and I am sure Ad-Aware can't deal with all of it.

So please post the logs I asked you for.. this is with a reason, trust me. Every single leftover can cause a total reinfection.. that's why.

#5 kingofbling (Topic Starter)
  • Members
  • 24 posts

Posted 13 April 2006 - 03:29 AM

Hi, I'm sure you know more than me about this so I've tried again! However, when I type "C:\Program Files\SurfSideKick 3\Ssk.exe" /u into the Run bar I get the image below...

[image]

And again there are problems with the Look2Me-Destroyer.. I've tried and rebooted at least 7 times but it just won't work. I end up closing it in Task Manager as it's not responding. Shall I go ahead and try the other stuff first, or is it important to do it in a certain order? Many thanks

Edited by kingofbling, 13 April 2006 - 03:31 AM.


#6 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 April 2006 - 06:14 AM

Yes, go ahead and perform the other steps.
By the way, Look2Me-Destroyer is not supposed to open after reboot.. maybe that is confusing. It is supposed to reopen once you've checked 'Run this program as a task'.
Anyway, we'll see afterwards where we stand. We can still deal with it in other ways. :thumbsup:

#7 kingofbling (Topic Starter)
  • Members
  • 24 posts

Posted 13 April 2006 - 07:40 AM

Hi, these are the logs I managed to get: 1. HijackThis, 2. the fsbl.xxxx thing and 3. Panda scan

1. Logfile of HijackThis v1.99.1
Scan saved at 13:32:27, on 13/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Max\Desktop\Tools and stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\WINDOWS\system32\gytw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_118349] C:\WINDOWS\system32\ActiveScan\pavdr.exe 118349
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: csrs - C:\WINDOWS\SYSTEM32\csrs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kjddv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wXssl.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\fylemgmt.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF4\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



2.
04/13/06 13:29:49 [Info]: BlackLight Engine 1.0.35 initialized
04/13/06 13:29:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/13/06 13:29:49 [Note]: 7019 4
04/13/06 13:29:49 [Note]: 7005 0
04/13/06 13:29:55 [Note]: 7006 0
04/13/06 13:29:55 [Note]: 7011 440
04/13/06 13:29:55 [Note]: 7026 0
04/13/06 13:29:55 [Note]: 7026 0
04/13/06 13:29:55 [Note]: FSRAW library version 1.7.1015
04/13/06 13:30:53 [Note]: 7007 0


3.
Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\v2ctvfpl.default\cookies.txt[]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Max\Application Data\Sskcwrd.dll
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Max\Cookies\max@doubleclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Max\Cookies\max@tribalfusion[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\!update.exe
Adware:adware/dyfuca Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\cfout.txt
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\i12.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\i2.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\i20.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\i27.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\iC.tmp
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\RarSFX2\rinst.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\RarSFX3\rinst.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\RarSFX4\rinst.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\RarSFX5\rinst.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\RarSFX6\rinst.exe
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\res1.tmp
Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\shutdown.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\u3.tmp
Potentially unwanted tool:Application/Pskill.H Not disinfected C:\Documents and Settings\Max\Local Settings\Temp\upd.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Max\My Documents\S?mantec\alg.exe
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload45a.exe
Adware:Adware/Look2Me Not disinfected C:\Installer.exe
Adware:Adware/ISearch Not disinfected C:\MTE3NDI6ODoxNg.exe
Adware:Adware/Sqwire Not disinfected C:\stub_113_4_0_4_0.exe
Adware:Adware/nCase Not disinfected C:\temp\180SAInstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Veracruz.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WHCC2.exe[whiehlpr.dll]
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\gimmygames10a.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\gimmygames9.exe
Spyware:Spyware/DCToolbar Not disinfected C:\WINDOWS\keyboard5.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\keyboard6.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\keyboard9.exe
Virus:Trj/Clicker.PC Disinfected C:\WINDOWS\mousepad4.exe
Virus:Trj/Clicker.OZ Disinfected C:\WINDOWS\mousepad5.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\mousepad6.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\mousepad9.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\newname5.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\newname6.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\newname9.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\SS1001.exe
Adware:adware/superspider Not disinfected C:\WINDOWS\system32\a.exe
Virus:Trj/Keylog.BR Disinfected C:\WINDOWS\system32\bpk.exe
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\CKM.007
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\CKM.exe
Virus:Trj/Rovaf.A Disinfected C:\WINDOWS\system32\csrs.dll
Virus:Trj/Rovaf.A Disinfected C:\WINDOWS\system32\csrs.exe
Virus:Trj/Downloader.AYV Disinfected C:\WINDOWS\system32\expload.exe
Virus:Trj/Downloader.AYV Disinfected C:\WINDOWS\system32\pre1.exe
Virus:Trj/Keylog.BR Disinfected C:\WINDOWS\system32\RS2SCRIPTS.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\system32\SCAR updater.exe
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\WINDOWS\system32\SCAR updaterhk.dll
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\system32\SCAR updaterr.exe
Virus:Trj/Downloader.ILI Disinfected C:\WINDOWS\system32\w00193de.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWF4\nqIb.vbs
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\nicksupdater.exe
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\WINDOWS\updater\nicksupdaterhk.dll
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\nicksupdaterr.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\rinst.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\winsysban10.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\winsysupd10.exe
Virus:Trj/Zapchast.BI Disinfected C:\winupd.bat

Think this is what you were after.

#8 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 April 2006 - 07:46 AM

Hello,

You forgot an important step though, that's why I need a new Panda log afterwards.

You forgot to perform the next step, or at least not in the way I asked you to:

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded, click OK, and then Execute in Brute Force Uninstaller.


So please perform this again, and double-check/make sure alcanshorty.bfu is present in the BFU folder!

You also forgot to perform this step:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


I can't stress enough how important this is, because your system is still terribly infected.
So please perform above!

Then, download and use next uninstaller:

http://www.purityscan.com/ps_uninstaller.exe

Reboot afterwards!

When done, scan again with Panda and post the log in your next reply together with a new hijackthislog.

Edited to post an extra instruction.

Edited by miekiemoes, 13 April 2006 - 07:49 AM.


#9 kingofbling (Topic Starter)
  • Members
  • 24 posts

Posted 13 April 2006 - 08:31 AM

I have definitely done as listed in your last post. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:13, on 13/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Max\Desktop\Tools and stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\WINDOWS\system32\gytw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kjddv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wXssl.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\fylemgmt.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe





Panda log:

Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\v2ctvfpl.default\cookies.txt[]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Max\Application Data\Sskcwrd.dll
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Max\Cookies\max@doubleclick[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Max\Desktop\Tools and stuff\ps_uninstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Max\My Documents\S?mantec\alg.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\SS1001.exe
Adware:adware/superspider Not disinfected C:\WINDOWS\system32\a.exe
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\CKM.007
Potentially unwanted tool:Application/Ardamax Not disinfected C:\WINDOWS\system32\CKM.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\system32\SCAR updater.exe
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\WINDOWS\system32\SCAR updaterhk.dll
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\system32\SCAR updaterr.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWF4\nqIb.vbs
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\nicksupdater.exe
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\WINDOWS\updater\nicksupdaterhk.dll
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\nicksupdaterr.exe
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\WINDOWS\updater\rinst.exe

Edited as posted hijack log again instead of panda log.

Edited by kingofbling, 13 April 2006 - 08:32 AM.


#10 miekiemoes


Posted 13 April 2006 - 08:52 AM

Hi,

Yes, now you have done what I asked you previously, because as you see, your Panda log is a lot shorter. :thumbsup:

Now let's deal with the leftovers:


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\WINDOWS\system32\gytw.dll (file missing)
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
<== it's a bad idea to have p2p programs run at startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <== this is a resource hog
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kjddv.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wXssl.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\fylemgmt.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

I see the Purity uninstaller didn't work here, but that's ok, we'll deal with it manually.
Please delete the Uninstaller ps_uninstaller.exe you downloaded and ran previously.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the following files/folders:

C:\Documents and Settings\Max\Application Data\Sskcwrd.dll
C:\WINDOWS\SS1001.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\CKM.007
C:\WINDOWS\system32\CKM.exe
C:\WINDOWS\system32\SCAR updater.exe
C:\WINDOWS\system32\SCAR updaterhk.dll
C:\WINDOWS\system32\SCAR updaterr.exe
C:\WINDOWS\TWF4 <== folder
C:\WINDOWS\updater <== folder
C:\Documents and Settings\Max\My Documents\S?mantec <== this folder, will most probably be called Symantec and contains the file alg.exe (BE CAREFUL here! Don't delete any other Symantec folder present! Make sure you delete this one with this alg.exe!)

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legitimate files and folders as well,
and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Empty your recycle bin.

Reboot and post a new log in your next reply and tell me how things are running now.

Edited by miekiemoes, 13 April 2006 - 08:53 AM.

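As an added example (not code from the thread or from HijackThis itself), the following Python script does the first pass the helper made above: it reads a HijackThis log and pulls out every entry whose target is reported as "(file missing)" or "(no file)", ranking the ones that load into winlogon.exe or Internet Explorer first. The sample lines are constructed from the log posted above.

```python
"""Triage a HijackThis 1.99.1 log for orphaned entries.

Added example, not from the thread or from the HijackThis project: it
automates the first pass the helper did above, flagging every line whose
target is "(file missing)" or "(no file)". Such entries are leftover
registrations of something that was deleted or only half-removed; the
ones that load into winlogon.exe or every browser process matter most.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Matches the "O20 - Winlogon Notify: csrs - csrs.dll (file missing)" layout.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Sections whose orphans deserve attention first: O2 (BHOs, loaded into
# every IE process), O3 (toolbars), O20 (Winlogon Notify DLLs, loaded by
# winlogon.exe at every logon), O21 (ShellServiceObjectDelayLoad) and
# O22 (SharedTaskScheduler), both loaded by Explorer.
HIGH_PRIORITY = {"O2", "O3", "O20", "O21", "O22"}

@dataclass(frozen=True)
class Finding:
    section: str
    priority: str   # "high" or "low"
    line: str

def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that points at a missing file."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        if not any(marker in m.group("body") for marker in ORPHAN_MARKERS):
            continue
        section = m.group("section")
        priority = "high" if section in HIGH_PRIORITY else "low"
        findings.append(Finding(section, priority, line))
    # High-priority findings first; original log order otherwise (stable sort).
    return sorted(findings, key=lambda f: f.priority != "high")

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {8DE1211C-C1AF-E55F-A310-C95E616769E3} - C:\\WINDOWS\\system32\\gytw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\\WINDOWS\\system32\\kjddv.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.priority:4}] {f.line}")
```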

#11 miekiemoes


Posted 13 April 2006 - 09:06 AM

Extra addition..

When I look at your previous HijackThis logs, I am pretty sure you disabled some entries in your startup using msconfig. Actually, these bad entries need to go and not be disabled.
Don't enable them, but perform the following so I can have a look at them and I'll give a fix afterwards to delete them.

Open Notepad and copy and paste the following into it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Save this as look.bat, choosing "All files" as the save type, and place it on your desktop.
This is how the batch must look after you created it: (screenshot)
Doubleclick on look.bat and post the contents of it in your next reply as well.
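As an added example, not part of the thread: look.bat above dumps the startupreg key to a .reg file, and this Python script parses such an export and lists, for each item msconfig has parked, the Run key it came from and the command it would run. It assumes the value names key, hkey and command that msconfig writes under each subkey; the sample export is constructed with placeholder item names.

```python
"""List the startup items that msconfig has disabled, from a regedit export.

Added example, not from the thread: look.bat above exports the startupreg key
under HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig, where msconfig parks a
Run-key entry when you untick it. Assumed: msconfig stores the value names
key, hkey and command under each subkey. The export below is constructed;
its item names are placeholders, not entries from the posted system.
"""
from __future__ import annotations
import re

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def unescape(data: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", data)

def parse_startupreg(text: str) -> dict[str, dict[str, str]]:
    """Map each startupreg subkey name to its string values."""
    entries: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            parts = m.group("path").split("\\")
            # Only the subkeys of startupreg describe parked items; the
            # startupreg key itself carries no values of interest.
            if len(parts) > 1 and parts[-2].lower() == "startupreg":
                current = entries.setdefault(parts[-1], {})
            else:
                current = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = unescape(m.group("data"))
    return entries

def disabled_items(text: str) -> list[tuple[str, str, str]]:
    """Return (item, original hive\\key, command) for every parked entry."""
    rows = []
    for item, vals in parse_startupreg(text).items():
        origin = f"{vals.get('hkey', '?')}\\{vals.get('key', '?')}"
        rows.append((item, origin, vals.get("command", "")))
    return sorted(rows)

# Constructed sample in the layout regedit /e produces (on disk it is UTF-16).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ExampleUpdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Example\\updater.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SampleTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\sampletray.exe"
'''

if __name__ == "__main__":
    for item, origin, command in disabled_items(SAMPLE_EXPORT):
        print(f"{item}: {origin} -> {command}")
```

A real export is UTF-16 with a BOM, so read it with open(path, encoding="utf-16"); if the startupreg key does not exist, regedit /e writes no file at all and startup.txt ends up empty.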

#12 kingofbling


Posted 13 April 2006 - 09:10 AM

Hi yet again... Here is the HijackThis log, which I think is clean thanks to you. The look.bat opens up, then comes up with a blank Notepad document; not sure what should happen? Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 15:05:33, on 13/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Max\Desktop\Tools and stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#13 miekiemoes


Posted 13 April 2006 - 09:22 AM

> The look.bat opens up, then comes up with a blank Notepad document; not sure what should happen?


Yes, it's possible that you didn't use msconfig to disable entries before, but rather checked and fixed them in HijackThis before.

Your hijackthislog looks clean again. :thumbsup:

Ok, now as a final step, I want you to update your Sun Java, because the version you have installed is vulnerable.

Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the following icon next to it: (icon image)
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Let me know in your next reply how things are running now.

#14 kingofbling


Posted 13 April 2006 - 09:30 AM

Hi. The system is running smoothly as it should be, no pop-ups etc. Thank you so much for helping and being patient (especially with someone with no idea how to do most things on a computer!).

Once again, Thank-you!

#15 miekiemoes


Posted 13 April 2006 - 09:32 AM

You are welcome. :thumbsup:

Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of some leftovers if still present.
If you don't have those programs yet, you can find the download locations in my sig.

Please change all your passwords as well!!!

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to protect your PC, protect yourself and protect your family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :flowers:
