Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Remove Errorsaf And Others


  • Please log in to reply
3 replies to this topic

#1 polle

polle

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:46 PM

Posted 22 April 2006 - 08:18 AM

Logfile of HijackThis v1.99.1
Scan saved at 15:02:42, on 22-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Programmer\Home Cinema\PowerCinema\PCMService.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Programmer\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali A/S - Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {669A0019-9384-8DB9-F60D-60E9CA0102D8} - C:\DOCUME~1\Runeh\APPLIC~1\ADMINB~1\Aim idle.exe (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Programmer\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Show amen] C:\DOCUME~1\Runeh\APPLIC~1\COPYME~1\SIXTHEACHLOG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download using FlashGet - C:\Programmer\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Programmer\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmer\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmer\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O9 - Extra 'Tools' menuitem: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145648862140
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Sa...G/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/100...geUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA9AF4B-6240-40BD-9452-B38C0C9E3D1B}: NameServer = 193.162.153.164 194.239.134.83
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AA9AF4B-6240-40BD-9452-B38C0C9E3D1B}: NameServer = 193.162.153.164 194.239.134.83
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:46 PM

Posted 22 April 2006 - 08:30 AM

Hi polle!

Welcome to BleepingComputer. I need a bit more infomation before we can start to tackle your infection.

Download and unzip to one folder: (create a folder for all the files - example : C:\lop and extract the files from the archive into that folder)
http://metallica.geekstogo.com/findlop.zip
Inside the folder locate findlop.bat
Doubleclick it and it will create the file C:\findlop.txt
Find that file and copy the content into your next post.

Please set your system to show all files; please see here if you're unsure how to do this.

How to get a Startup List log using HJT
  • Open HijackThis
  • Click on Config
  • Click on Misc tools
  • Click on Generate start up log
  • Click the Yes button A NotePad window will appear with a log.
  • Close HijackThis.
  • Copy and paste the contents of NotePad here in your reply.
Can you then let me what the full folder name is for the following:
C:\DOCUME~1\Runeh\APPLIC~1\COPYME~1 <--Windows abbeviates long file/folder names. This folder's name begins with COPYME and will sound like random words strung together. Can you let me know what the full folder name is please. Don't delete it yet.

So please pst back with both logs and a new Hijackthis log.
David

Edited by D-Trojanator, 22 April 2006 - 08:31 AM.


#3 polle

polle
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:46 PM

Posted 22 April 2006 - 10:12 AM

Ok
Here is the result fot findlop.txt




[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AB4BEBC791806143.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\runeh\applic~1\copyme~1\long skip math.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Runeh'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/19/2006 21:00:00
NextRun: 04/22/2006 17:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/27/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{1BF1EF69-67D1-440C-89DB-108D596C261B}_RUNE_Runeh.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{1BF1EF69-67D1-440C-89DB-108D596C261B}_RUNE_Runeh"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/04/2006 20:58:00
NextRun: 04/22/2006 20:58:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 03/20/2005
EndDate: 00/00/0000
StartTime: 20:58
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0




Startuplist are like this


StartupList report, 22-04-2006, 16:55:07
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Programmer\Home Cinema\PowerCinema\PCMService.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menuen Start\Programmer\Start]
Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
CHotkey = mHotkey.exe
ledpointer = CNYHKey.exe
PCMService = "C:\Programmer\Home Cinema\PowerCinema\PCMService.exe"
Microsoft Works Update Detection = C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
SunJavaUpdateSched = C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
DAEMON Tools-1033 = "C:\Programmer\D-Tools\daemon.exe" -lang 1033
Picasa Media Detector = C:\Programmer\Picasa2\PicasaMediaDetector.exe
Zone Labs Client = C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SP2 Connection Patcher = "C:\Programmer\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
Show amen = C:\DOCUME~1\Runeh\APPLIC~1\COPYME~1\SIXTHEACHLOG.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programmer\Desktop Sidebar\sbhelp.dll - {45AD732C-2CE2-4666-B366-B2214AD57A49}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\DOCUME~1\Runeh\APPLIC~1\ADMINB~1\Aim idle.exe (file missing) - {669A0019-9384-8DB9-F60D-60E9CA0102D8}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AB4BEBC791806143.job
{1BF1EF69-67D1-440C-89DB-108D596C261B}_RUNE_Runeh.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[Google Activate]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\googlenav.dll
CODEBASE = http://toolbar.google.com/data/da/big/1.1....g/GoogleNav.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1145648862140

[UploaderCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Uploader.dll
CODEBASE = http://foto.tdconline.dk/upload-classes/Uploader.cab

[ICSScanner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScan.dll
CODEBASE = http://download.zonelabs.com/bin/promotion...canner37710.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8039.1957407407

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[e-Safekey]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\e-Safekey.dll
CODEBASE = https://netbank.bgbank.dk/html/activex/e-Sa...G/e-Safekey.cab

[IP-Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader_3.ocx
CODEBASE = http://asp04.photoprintit.de/microsite/100...geUploader3.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Runeh\LOKALE~1\Temp\A~NSISu_.exe||C:\Programmer\ewido\security suite\shellhook.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7.971 bytes
Report generated in 0,047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


AND A NEW HJ List are


Logfile of HijackThis v1.99.1
Scan saved at 17:10:08, on 22-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Programmer\Home Cinema\PowerCinema\PCMService.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programmer\D-Tools\daemon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali A/S - Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {669A0019-9384-8DB9-F60D-60E9CA0102D8} - C:\DOCUME~1\Runeh\APPLIC~1\ADMINB~1\Aim idle.exe (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Programmer\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Show amen] C:\DOCUME~1\Runeh\APPLIC~1\COPYME~1\SIXTHEACHLOG.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download using FlashGet - C:\Programmer\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Programmer\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmer\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmer\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O9 - Extra 'Tools' menuitem: TDC Online - {DC3B5271-4E49-41F4-A920-DDE9D755E214} - C:\WINDOWS\TDCOnline.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/da/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145648862140
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Sa...G/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/100...geUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA9AF4B-6240-40BD-9452-B38C0C9E3D1B}: NameServer = 193.162.153.164 194.239.134.83
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AA9AF4B-6240-40BD-9452-B38C0C9E3D1B}: NameServer = 193.162.153.164 194.239.134.83
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:46 PM

Posted 22 April 2006 - 01:14 PM

Hi polle!

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please download ATF Cleaner by Atribune.
Don't run it yet.

* Open notepad and copy and paste next in it:

@echo off
cd C:\WINDOWS\Tasks
attrib -r -s -h AB4BEBC791806143.job
del AB4BEBC791806143.job
exit

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick look.bat and copy the contents of the text file that opens back here.

* Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

* Double-click ATF Cleaner to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {669A0019-9384-8DB9-F60D-60E9CA0102D8} - C:\Documents and Settings\Runeh\Application Data\ADMINB~1\Aim idle.exe (file missing)
O4 - HKCU\..\Run: [Show amen] C:\DOCUME~1\Runeh\APPLIC~1\COPYME~1\SIXTHEACHLOG.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Documents and Settings\Runeh\Application Data\COPYME~1 <--Windows abbeviates long file/folder names. This folder's name begins with COPYME and will sound like random words strung together. If there is more than one folder beginning with those letters, don't delete but write down the exact names and post them back here.

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please reboot back to normal mode and please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a new Hijackthis log, the ewido log and the active scan log in your next reply, along with a new findlop log.
David

Edited by D-Trojanator, 22 April 2006 - 01:15 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users