Infected With Iworm_attck_v122.02a


This topic is locked
7 replies to this topic

#1 gjthorn


Posted 01 May 2006 - 09:48 PM

Am getting a flashing triangle in the system tray with message reading "Urgent System Message: Virus! Your computer is infected with the last version of internet trojan (iworm_attck_v122.02a). It is highly recommended that you install antivirus software. Click the icon for more information." Some variants of this message appear but this is the most common. These appear every 15 seconds. Popups advertising spyware cleaners and adult services also appear regularly.

Have taken all preparatory steps you requested before posting a log and the virus persists. Following is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:18 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul....yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA79A.tmp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/27393e66e13eda387516/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203....com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/146d10e7b0489da3e922/netzip/RdxIE6.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thanks,
Gary Thorn


#2 Thunder


Posted 02 May 2006 - 08:56 AM

Hello Gary,

It is important you don't miss a step and perform everything in the right order!!

1. Download roguescanfix.exe to your desktop.
Double-click roguescanfix.exe to install.
This will create a new folder on your desktop called roguescanfix.
Do not use this yet!

2. Run HijackThis and check the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul....yahoo.com/ext/search/search.html
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA79A.tmp
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/27393e66e13eda387516/netzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/146d10e7b0489da3e922/netzip/RdxIE6.cab
O18 - Filter: text/html - (no CLSID) - (no file)

Close all open windows EXCEPT HIJACKTHIS and click Fix Checked. Close HijackThis.

3. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
4. Open the roguescanfix folder and click: Run.bat
This tool needs an internet connection so it can download an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
Let the tool perform its job.
The icons will disappear temporarily from your desktop, and reappear. This is normal.
Wait until the message Completed script execution is displayed, and click OK.
Click Exit to close down bfu.
Finally: click OK to start the Spyfalcon and/or Spywarequake uninstaller, and click uninstall.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers have done their job before clicking YES.

5. Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

6. Post the contents of the Panda scan report in your next reply along with a new HijackThis Log,
by using Add Reply.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
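The entries Thunder picked out in step 2 share traits that can be checked mechanically: a BHO (O2) loaded from a .tmp file, an O18 filter with no CLSID and no file, O16 ActiveX downloads from a bare IP address, an O9 button with neither name nor file, an O8 context-menu item fetched from a remote host, and an R1 search setting pointing somewhere other than the Microsoft default. The script below is an added example, not part of the thread and not code from HijackThis or BleepingComputer: it parses HijackThis 1.99.1-style lines and applies those heuristics as a first-pass triage. The function names (`parse_hjt`, `check`, `triage`, `fix_list`), the `Finding` class and the heuristics themselves are my own assumptions, inferred from which lines Thunder chose; the sample lines are copied from the first log in this thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the first HijackThis log in this thread,
# including every entry Thunder asked to have fixed plus a few benign ones.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul....yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA79A.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/27393e66e13eda387516/netzip/RdxIE.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# R0/R1 keys that should normally still point at Microsoft on a stock XP box.
SEARCH_KEYS = {"Search Bar", "Search Page", "Default_Search_URL"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def host_of(text):
    """Hostname of the first http(s) URL in `text`, or None if there is none."""
    m = URL.search(text)
    return urlparse(m.group(0)).hostname if m else None


def check(section, body):
    """Hypothetical triage heuristics (assumptions, not HijackThis rules)."""
    low = body.lower()
    if section in ("R0", "R1"):
        # body looks like "HKLM\...\Main,Search Bar = http://..."
        key = body.split(",", 1)[1].split(" =", 1)[0] if "," in body else ""
        host = host_of(body)
        if key in SEARCH_KEYS and host and not host.endswith("microsoft.com"):
            return f"search setting points at {host} instead of the Microsoft default"
    elif section == "O2" and body.rsplit(" - ", 1)[-1].lower().endswith(".tmp"):
        return "browser helper object loaded from a .tmp file"
    elif section == "O8" and URL.search(body):
        return "context-menu item fetched from a remote URL"
    elif section == "O9" and "(no name)" in low and "(no file)" in low:
        return "toolbar button with no name and no backing file"
    elif section == "O16":
        host = host_of(body)
        if host and IPV4.match(host):
            return f"ActiveX download from a bare IP address ({host})"
    elif section == "O18" and ("(no clsid)" in low or "(no file)" in low):
        return "protocol/MIME filter with no CLSID or backing file"
    return None


def parse_hjt(text):
    """Yield (section, body, raw_line) for every HijackThis entry in `text`."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m["section"], m["body"], line.strip()))
    return out


def triage(text):
    """Run every entry through check() and collect the ones that trip a heuristic."""
    findings = []
    for section, body, raw in parse_hjt(text):
        reason = check(section, body)
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


def fix_list(text):
    """The raw lines a helper would ask the poster to tick before 'Fix Checked'."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The flags are a prompt to look, not a verdict: the same bare-IP rule would also flag the PWMediaSendControl O16 entry in Gary's full log, which Thunder left alone, so each hit still needs a human check of the vendor and path before it goes into the fix list.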

#3 gjthorn (Topic Starter)

Posted 03 May 2006 - 05:58 AM

Thanks so much for your assistance!

The Panda scan showed 25 incidences of spyware and 5 other unwanted tools still residing on my system.

Panda log:


Incident Status Location

Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.belnk.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Hypercount Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.hypercount.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[hc2.humanclick.com/hc/74656227]
Spyware:Cookie/Freestats Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[kingfotzo.freestats.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\idqlq7mn.default\cookies.txt[www48.seeq.com/]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\cqm\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\ld900B.tmp
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\regperf.exe


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:54:59 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thanks,
Gary

#4 Thunder


Posted 04 May 2006 - 04:16 AM

Hello Gary,

Let's do some more cleaning up:

1. Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.
DO NOT RUN IT YET!

2. Please update Ewido anti-malware:
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET.
3. Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

4. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

5. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • This means you will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.
6. Restart your computer in Normal Mode.

7. Please post the contents of C:\rapport.txt and a new HijackThis log,
as well as the log from ewido.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...

#5 gjthorn

Posted 05 May 2006 - 07:21 AM

Hello BMThor,

Thanks for your continued assistance.

rapport.txt:

SmitFraudFix v2.39

Scan done at 22:46:41.45, Thu 05/04/2006
Run from C:\Documents and Settings\cqm\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

Killing process


Deleting infected files

C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\cqm\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

End


ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:43:45 AM, 5/5/2006
+ Report-Checksum: CB90C752

+ Scan result:

:mozilla.8:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.26:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.27:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.28:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.29:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.30:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.31:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.36:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.56:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.75:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.80:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.81:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.82:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.89:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.93:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.102:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.103:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.104:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.115:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.116:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.117:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.118:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.119:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.120:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.121:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.122:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.123:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.124:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.127:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.129:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.130:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.131:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.132:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.133:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.134:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.135:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.136:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.137:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.196:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.197:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.198:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.199:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.200:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.201:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.240:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.248:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.249:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.250:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.258:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.259:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.263:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.264:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.266:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.267:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.273:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.287:C:\Documents and Settings\cqm\Application Data\Mozilla\Firefox\Profiles\3wytl7ia.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup


::Report End


hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:44:45 AM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Thanks,
Gary

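The verdict "your log looks clean" that follows rests on reading the HijackThis entries above one by one. The block below is an added example, not code from this thread or from HijackThis: a small Python parser for the R/F/O entry lines of a HijackThis 1.99.1 log, with a few reviewer heuristics that are this example's own assumptions rather than HijackThis ratings, run over a sample constructed from lines of the log posted above.

```python
"""Triage the entry lines of a HijackThis 1.99.1 log.

Added example, not part of the thread or of HijackThis itself. The section
codes (R1, O4, O9, O16, O23, ...) and the "(file missing)", "Unknown owner"
and "= ?" markers are taken from the log posted above; the triage rules are
this example's own heuristics and only mark entries worth a second look.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above,
# chosen so that each heuristic below fires on at least one entry.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 7:44:45 AM, on 5/5/2006

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\HijackThis\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\\WINDOWS\\Nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe
"""

# "O16 - DPF: ..." -> code "O16", body "DPF: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str        # section code, e.g. "O16"
    body: str        # everything after "Oxx - "
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return the Rxx/Fxx/Oxx entries of a HijackThis log; header and
    'Running processes' lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def _host_is_bare_ip(url: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries: list) -> list:
    """Attach heuristic flags and return only the flagged entries.

    A flag is a prompt to look closer, not a malware verdict: "(file missing)"
    entries are usually leftovers of an uninstalled program, and an unknown
    service owner can simply be an unsigned legitimate driver.
    """
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("dangling reference")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service with unknown vendor")
        if e.code == "O4" and e.body.rstrip().endswith("= ?"):
            e.flags.append("startup shortcut with unresolved target")
        if e.code == "O16":
            for url in URL_RE.findall(e.body):
                if _host_is_bare_ip(url):
                    e.flags.append("ActiveX download from bare IP address")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4} {'; '.join(e.flags)}\n     {e.body}")
```
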
#6 Thunder

Posted 06 May 2006 - 08:47 AM

Hello Gary,

Your log looks clean now :thumbsup:

Any more problems?

-----------------

Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regular basis and download all the "critical updates" for Windows, including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.

2. In order to protect yourself better against spyware, you should consider installing and running some of the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE/Spyad
Places over 5000 dubious websites and domains in your IE's restricted zone.
Make sure to keep your antispyware programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Hopefully this should take care of your problems!

Greetings,
BMThor

#7 gjthorn

Posted 06 May 2006 - 09:45 AM

No more problems.

Thanks so much for all your help! What a wonderful service you provide!

Gary

#8 Thunder

Posted 07 May 2006 - 05:38 AM

Glad we could help, Gary :thumbsup:

Since your problem is solved, this topic will be closed.

If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor