Please Assist With Ugly Log


8 replies to this topic

#1 nosnhoj#3

nosnhoj#3

  • Members
  • 245 posts
  • Location:127.0.0.1

Posted 03 May 2006 - 05:32 AM

Hello,

I am in the process of rejuvenating a friend's PC and, even though I have experience at HJT analysis and solutions, I am just too rusty to be confident in my recommendations. I would appreciate it if someone could help me out; I don't want to miss anything and return the PC with leftover malicious entries.

Issues:

Check Disk runs immediately on every startup, and at the welcome screen a warning appears saying that C:\$Secure is corrupt and unreadable.

Runs slow, with pop-up ads when offline; they even try while the PC is not hooked up to the internet at all.

Many of the classic symptoms, redirection, ads, lots and lots of running processes, and so on.

What I have done:

I ran Spybot S&D, which found 180 objects, and let it remove what it found, but it couldn't remove it all so I let it run upon restart and it still didn't remove certain instances.

I removed a couple of known badguys from Add/Remove, but knew this would be useless unless I removed the bad reg entries.

Ran HJT and started the analysis, but some of the entries I am just not comfortable with.

Also, I am aware of the lack of security protection on this PC, and will be addressing that once I can get some clean logs. The PC is not hooked up to the internet right now. I am transferring the things I need via flash disk or cd-r.

Please ask if there is anything you need to know. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:41 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\EDEAEDEDEDF5F4F.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spytiqwuy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\fqxz9h.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\win32071231550168.exe
C:\windows\mousepad11.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\win32093155016812.exe
C:\WINDOWS\sys030168123155.exe
C:\WINDOWS\ms041681231550.exe
C:\WINDOWS\ms030168123155.exe
C:\WINDOWS\sys101550168123.exe
C:\WINDOWS\win32082315501681.exe
C:\WINDOWS\sys025016812315.exe
C:\WINDOWS\ms056812315501.exe
C:\WINDOWS\win32068123155016.exe
C:\WINDOWS\ms068123155016.exe
C:\WINDOWS\sys015501681231.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\EQBranch\EQBranch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qgjaw.exe
F2 - REG:system.ini: UserInit=userinit.exe,cbpeiss.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: svchosts.cMapp_2F47968E9FBE - {D3150260-5753-454D-9923-26CF37C6FECC} - C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [1E1B1E1E1E2625212] EDEAEDEDEDF5F4F.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [win32071231550168] C:\WINDOWS\win32071231550168.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [w001ba33.dll] RUNDLL32.EXE w001ba33.dll,I2 0003623b0001ba33
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [win32093155016812] C:\WINDOWS\win32093155016812.exe
O4 - HKLM\..\Run: [sys030168123155] C:\WINDOWS\sys030168123155.exe
O4 - HKLM\..\Run: [ms041681231550] C:\WINDOWS\ms041681231550.exe
O4 - HKLM\..\Run: [ms030168123155] C:\WINDOWS\ms030168123155.exe
O4 - HKLM\..\Run: [sys101550168123] C:\WINDOWS\sys101550168123.exe
O4 - HKLM\..\Run: [win32082315501681] C:\WINDOWS\win32082315501681.exe
O4 - HKLM\..\Run: [sys025016812315] C:\WINDOWS\sys025016812315.exe
O4 - HKLM\..\Run: [ms056812315501] C:\WINDOWS\ms056812315501.exe
O4 - HKLM\..\Run: [win32068123155016] C:\WINDOWS\win32068123155016.exe
O4 - HKLM\..\Run: [ms068123155016] C:\WINDOWS\ms068123155016.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [sys015501681231] C:\WINDOWS\sys015501681231.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm337YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\fp0q03d5e.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe




Once again, thanks,

nos
When I'm right, I'm right....
And when I'm wrong, I could have been right....
So I'm still right, cause I could have been wrong.
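The log above is long enough that eyeballing it is error-prone. The script below is an added example written for this thread, not code from the original post or from the HijackThis project: it parses a constructed excerpt of the posted log (a handful of the lines above, not the complete log) and flags the entry types a malware-removal helper looks at first. The heuristics in `looks_random` (a `win32`/`sys`/`ms` prefix followed by a long run of digits, or an alphanumeric name of 8+ characters with 3+ digits) are assumptions tuned to this log, not a general signature, and the section rules (F2 Shell/UserInit should run only explorer.exe/userinit.exe, O2/O20 modules with missing files or machine-generated DLL names) are the defender's reading of the log format.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines in the format of the HijackThis 1.99.1 log
# posted above, chosen to cover each check below. It is not the full log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qgjaw.exe
F2 - REG:system.ini: UserInit=userinit.exe,cbpeiss.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [1E1B1E1E1E2625212] EDEAEDEDEDF5F4F.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [win32071231550168] C:\WINDOWS\win32071231550168.exe
O4 - HKLM\..\Run: [sys030168123155] C:\WINDOWS\sys030168123155.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\fp0q03d5e.dll (file missing)
"""

@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: F2, O2, O4, O20, ...
    reason: str
    line: str

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program in a Run command: a quoted path, a path ending in a known
# executable extension (may contain spaces), or the first bare token.
TARGET_RE = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|dll|bat|cmd|com|scr))(?=[\s,]|$)|(\S+)', re.IGNORECASE)
DIGIT_RUN_RE = re.compile(r"^(?:win32|sys|ms)\d{10,}$", re.IGNORECASE)
MISSING = " (file missing)"

def stem_of(path: str) -> str:
    """File name without directory or extension: 'C:\\x\\qgjaw.exe' -> 'qgjaw'."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]

def looks_random(name: str) -> bool:
    """Heuristic (assumption, tuned to this log) for machine-generated names."""
    if DIGIT_RUN_RE.match(name):
        return True
    return len(name) >= 8 and name.isalnum() and sum(c.isdigit() for c in name) >= 3

def check_f2(body: str):
    """system.ini Shell= / UserInit= should run only explorer.exe / userinit.exe."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)", body)
    if not m:
        return None
    key, value = m.groups()
    expected = {"Shell": "explorer", "UserInit": "userinit"}[key]
    extra = [e.strip() for e in value.split(",")
             if e.strip() and stem_of(e).lower() != expected]
    return f"{key} launches extra program(s) besides {expected}.exe: {', '.join(extra)}" if extra else None

def check_o4(body: str):
    """Run-key entries whose value name or target file looks machine-generated."""
    m = O4_RE.match(body)
    if not m:
        return None
    t = TARGET_RE.match(m.group("cmd").strip())
    target = next((g for g in t.groups() if g), "") if t else ""
    reasons = []
    if looks_random(m.group("name")):
        reasons.append("value name looks machine-generated")
    if looks_random(stem_of(target)):
        reasons.append("target file name looks machine-generated")
    return "; ".join(reasons) or None

def check_module(section: str, body: str):
    """O2 (BHO) and O20 (Winlogon Notify) modules: orphaned entries whose file
    is gone, nameless BHOs, and DLLs with machine-generated names."""
    missing = body.endswith(MISSING)
    path = body.rsplit(" - ", 1)[-1]
    if missing:
        path = path[: -len(MISSING)]
    reasons = []
    if missing:
        reasons.append("registered module file is missing (orphaned entry)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if looks_random(stem_of(path)):
        reasons.append("module name looks machine-generated")
    return "; ".join(reasons) or None

def triage(log_text: str) -> list:
    """Return one Finding per log line that trips a check, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            reason = check_f2(body)
        elif sec == "O4":
            reason = check_o4(body)
        elif sec in ("O2", "O20"):
            reason = check_module(sec, body)
        else:
            reason = None
        if reason:
            findings.append(Finding(sec, reason, line.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the excerpt it reports seven lines: both F2 entries (the Shell and UserInit values each launch an extra program), the nameless BHO whose DLL is gone, the three Run entries with digit-run names, and the WebCheck Winlogon Notify entry whose DLL is both missing and randomly named; the NVIDIA, MSN Toolbar and Intel graphics lines pass. A flagged line is a starting point for verification, not a verdict: paste the name into a startup-entry reference before removing anything, and keep the orphaned entries on the list, since a "(file missing)" notify DLL that is recreated at each boot (the Look2Me behaviour) will reappear in the next log.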

#2 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • Gender:Male
  • Location:Glasgow

Posted 03 May 2006 - 05:27 PM

Hi nosnhoj#3.

I’m willing to have a go at this. I think the phrase I’m looking for rhymes with ‘clucking bell’!! Looks like you have everything except Vundo. Let’s try this first.


Please create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notebook onto your post



Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk" (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (right-click on this link and choose Save As; if using IE, Save Target As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • The PC will restart.



Go back to the BFU folder and click on BFU.exe

Now click the Web button as shown here:

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log
  • Post the log created by the script when you have completed the fix
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html





Please Download Look2Me-Destroyer and save the file to your desktop.

* Print out these instructions and close ALL windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to "Run this program as a task".
* You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK.
* When Look2Me-Destroyer re-opens, click the "Scan for L2M button", your desktop icons will disappear, this is normal.
* Once it's done scanning, click the "Remove L2M button".
* You will receive a "Done Scanning message", click OK.
* When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.


I therefore need the following in your next post:

Uninstall list
BFU Log
Look2Me Destroyer.txt
HijackThis Log

Iain
Win XP Pro / Win 7 Pro

#3 nosnhoj#3

nosnhoj#3
  • Topic Starter
  • Members
  • 245 posts
  • Location:127.0.0.1

Posted 03 May 2006 - 09:59 PM

Hello,

Thanks for your time, and yes you have it right, there isn't much this PC isn't infected with. I will be sure to educate the owner. As for the overall performance of the PC, here are the symptoms after the fix attempt.

1) Still runs check disk automatically, I know how to fix this, but I will wait to make sure of the cause first.

2) Upon restarting after applying the qooFix.bat autofix, the system froze at the Welcome screen.

3) There was an error when trying to retrieve the Brute Force log. Active Desktop was disabled and the screen turned white. There was, however, a button to continue, which I pushed and was able to save the log, but I have a feeling that it is incomplete. I was unsure of the error, so I will post what I have and wait for your suggestions.

4) Finished the rest of the process, and upon startup received a message claiming the system has no paging file, or it is too small. The system has 640MB RAM installed, with the default size of virtual memory allocated.

5) Also, once I reached the desktop, there was a RUNDLL "Error loading w001ba33.dll the specified module could not be found" message.

Here are the logs in the order you requested.

HijackThis Uninstall_list

Ad-Aware SE Personal
Adobe Reader 6.0.1
Broadcom Management Programs
Call of Duty® 2
Conexant SmartHSFi V.9x 56K DF PCI Modem
CoolMon
Dell Digital Jukebox Driver
Dell Solution Center
Dell Support 5.0.0 (766)
Eugene / Springfield - Florence Dex Electronic Directory
Hallmark Card Studio
HijackThis 1.99.1
HP Photo & Imaging 3.1
HP PSC & OfficeJet 3.0
Intel® Extreme Graphics Driver
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
LimeWire 4.10.3
Macromedia Flash Player 8
MathPlayer
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Picture It! Express 9
Modem Helper
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.5
MSN Music Assistant
MSN Toolbar
Multi Virus Cleaner 2006
Musicmatch® Jukebox
NVIDIA Drivers
Quicklinks
QuickTime
Qwest QuickCare
RealPlayer
ResChanger 2005
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
Skype 2.0
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony USB Driver
SpeechRedist
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 11
Zboard ™ Software
ZoneAlarm


/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/


BFU Log


BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 6:54:42 PM, on 5/3/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Script completed.


/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/



Look2Me-Log



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/3/2006 7:01:10 PM

Infected! C:\WINDOWS\system32\fp0q03d5e.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275966.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275979.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0276983.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277018.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277044.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281061.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281065.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281083.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281087.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281111.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281115.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281132.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281143.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281152.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281164.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0282155.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282170.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282177.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0284181.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0286182.dll
Infected! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0288176.dll
Infected! C:\WINDOWS\SYSTEM32\dnlo0133e.dll
Infected! C:\WINDOWS\SYSTEM32\enjul1191.dll
Infected! C:\WINDOWS\SYSTEM32\g6jo0g13e6.dll
Infected! C:\WINDOWS\SYSTEM32\gp4ul3h91.dll
Infected! C:\WINDOWS\SYSTEM32\gpp4l37q1.dll
Infected! C:\WINDOWS\SYSTEM32\hrl0053me.dll
Infected! C:\WINDOWS\SYSTEM32\i8nm0i51e8.dll
Infected! C:\WINDOWS\SYSTEM32\j4n20e5oeh.dll
Infected! C:\WINDOWS\SYSTEM32\jtn4075qe.dll
Infected! C:\WINDOWS\SYSTEM32\jtnu0759e.dll
Infected! C:\WINDOWS\SYSTEM32\kt02l7do1.dll
Infected! C:\WINDOWS\SYSTEM32\lv2m09f1e.dll
Infected! C:\WINDOWS\SYSTEM32\n62u0gf9e62.dll
Infected! C:\WINDOWS\SYSTEM32\s088lalu1dq8.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275966.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275966.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275979.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275979.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0276983.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0276983.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277018.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277044.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277044.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281061.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281061.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281065.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281065.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281083.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281083.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281087.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281087.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281111.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281111.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281115.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281115.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281132.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281132.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281143.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281143.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281152.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281152.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281164.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0281164.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0282155.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2746\A0282155.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282170.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282170.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282177.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0282177.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0284181.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0284181.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0286182.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0286182.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0288176.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0288176.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dnlo0133e.dll
C:\WINDOWS\SYSTEM32\dnlo0133e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\enjul1191.dll
C:\WINDOWS\SYSTEM32\enjul1191.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\g6jo0g13e6.dll
C:\WINDOWS\SYSTEM32\g6jo0g13e6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\gp4ul3h91.dll
C:\WINDOWS\SYSTEM32\gp4ul3h91.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\gpp4l37q1.dll
C:\WINDOWS\SYSTEM32\gpp4l37q1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\hrl0053me.dll
C:\WINDOWS\SYSTEM32\hrl0053me.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\i8nm0i51e8.dll
C:\WINDOWS\SYSTEM32\i8nm0i51e8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\j4n20e5oeh.dll
C:\WINDOWS\SYSTEM32\j4n20e5oeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jtn4075qe.dll
C:\WINDOWS\SYSTEM32\jtn4075qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jtnu0759e.dll
C:\WINDOWS\SYSTEM32\jtnu0759e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\kt02l7do1.dll
C:\WINDOWS\SYSTEM32\kt02l7do1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv2m09f1e.dll
C:\WINDOWS\SYSTEM32\lv2m09f1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\n62u0gf9e62.dll
C:\WINDOWS\SYSTEM32\n62u0gf9e62.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\s088lalu1dq8.dll
C:\WINDOWS\SYSTEM32\s088lalu1dq8.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{714D26F8-4FF9-402A-BD3E-61FC58FB4DD0}"
HKCR\Clsid\{714D26F8-4FF9-402A-BD3E-61FC58FB4DD0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6A5D0B1C-0711-4964-968A-1B5F45835CE8}"
HKCR\Clsid\{6A5D0B1C-0711-4964-968A-1B5F45835CE8}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/



HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 7:10:47 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\EDEAEDEDEDF5F4F.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spytiqwuy.exe
C:\WINDOWS\system32\fqxz9h.exe
C:\WINDOWS\win32071231550168.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\win32093155016812.exe
C:\WINDOWS\sys030168123155.exe
C:\WINDOWS\ms041681231550.exe
C:\WINDOWS\ms030168123155.exe
C:\WINDOWS\sys101550168123.exe
C:\WINDOWS\win32082315501681.exe
C:\WINDOWS\sys025016812315.exe
C:\WINDOWS\ms056812315501.exe
C:\WINDOWS\win32068123155016.exe
C:\WINDOWS\ms068123155016.exe
C:\WINDOWS\sys015501681231.exe
C:\Program Files\EQBranch\EQBranch.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: svchosts.cMapp_2F47968E9FBE - {D3150260-5753-454D-9923-26CF37C6FECC} - C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [1E1B1E1E1E2625212] EDEAEDEDEDF5F4F.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [win32071231550168] C:\WINDOWS\win32071231550168.exe
O4 - HKLM\..\Run: [w001ba33.dll] RUNDLL32.EXE w001ba33.dll,I2 0003623b0001ba33
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [win32093155016812] C:\WINDOWS\win32093155016812.exe
O4 - HKLM\..\Run: [sys030168123155] C:\WINDOWS\sys030168123155.exe
O4 - HKLM\..\Run: [ms041681231550] C:\WINDOWS\ms041681231550.exe
O4 - HKLM\..\Run: [ms030168123155] C:\WINDOWS\ms030168123155.exe
O4 - HKLM\..\Run: [sys101550168123] C:\WINDOWS\sys101550168123.exe
O4 - HKLM\..\Run: [win32082315501681] C:\WINDOWS\win32082315501681.exe
O4 - HKLM\..\Run: [sys025016812315] C:\WINDOWS\sys025016812315.exe
O4 - HKLM\..\Run: [ms056812315501] C:\WINDOWS\ms056812315501.exe
O4 - HKLM\..\Run: [win32068123155016] C:\WINDOWS\win32068123155016.exe
O4 - HKLM\..\Run: [ms068123155016] C:\WINDOWS\ms068123155016.exe
O4 - HKLM\..\Run: [sys015501681231] C:\WINDOWS\sys015501681231.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm337YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
END OF LOGS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/



I appreciate your help, and await further instruction.


nos :thumbsup:
When I'm right, I'm right....
And when I'm wrong, I could have been right....
So I'm still right, cause I could have been wrong.

#4 Glaswegian - Defender of the Haggis (Malware Response Team)

Posted 04 May 2006 - 05:27 PM

Hi again

That helped a great deal – well done

OK, I know you mentioned the lack of protection and also the lack of internet connection, but we need to get something on this system now or both our efforts will be wasted. Plus you will need to connect to the net to complete this fix.

Here are links to an Anti Virus – it’s free, and can therefore be uninstalled later. Download and put it on this system now.

AVG


You would also be well advised to uninstall Limewire. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information


On to the rest then...

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


Please ensure that you follow the instructions in the order I have them listed.


Java Update
Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
  • Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
    http://www.java.com/en/download/manual.jsp
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.


Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK, Press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

Viewpoint Media Player or anything by Viewpoint



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll
O2 - BHO: svchosts.cMapp_2F47968E9FBE - {D3150260-5753-454D-9923-26CF37C6FECC} - C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
O4 - HKLM\..\Run: [1E1B1E1E1E2625212] EDEAEDEDEDF5F4F.exe
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [win32071231550168] C:\WINDOWS\win32071231550168.exe
O4 - HKLM\..\Run: [w001ba33.dll] RUNDLL32.EXE w001ba33.dll,I2 0003623b0001ba33
O4 - HKLM\..\Run: [win32093155016812] C:\WINDOWS\win32093155016812.exe
O4 - HKLM\..\Run: [sys030168123155] C:\WINDOWS\sys030168123155.exe
O4 - HKLM\..\Run: [ms041681231550] C:\WINDOWS\ms041681231550.exe
O4 - HKLM\..\Run: [ms030168123155] C:\WINDOWS\ms030168123155.exe
O4 - HKLM\..\Run: [sys101550168123] C:\WINDOWS\sys101550168123.exe
O4 - HKLM\..\Run: [win32082315501681] C:\WINDOWS\win32082315501681.exe
O4 - HKLM\..\Run: [sys025016812315] C:\WINDOWS\sys025016812315.exe
O4 - HKLM\..\Run: [ms056812315501] C:\WINDOWS\ms056812315501.exe
O4 - HKLM\..\Run: [win32068123155016] C:\WINDOWS\win32068123155016.exe
O4 - HKLM\..\Run: [ms068123155016] C:\WINDOWS\ms068123155016.exe
O4 - HKLM\..\Run: [sys015501681231] C:\WINDOWS\sys015501681231.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm337YYUS
O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Viewpoint
C:\WINDOWS\system32\fpdrnznx.dll
C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
EDEAEDEDEDF5F4F.exe <- - Go to Start > Search to find this file
C:\WINDOWS\system32\spytiqwuy.exe
C:\WINDOWS\win32071231550168.exe
w001ba33.dll <- - Go to Start > Search to find this file
C:\WINDOWS\win32093155016812.exe
C:\WINDOWS\sys030168123155.exe
C:\WINDOWS\ms041681231550.exe
C:\WINDOWS\ms030168123155.exe
C:\WINDOWS\sys101550168123.exe
C:\WINDOWS\win32082315501681.exe
C:\WINDOWS\sys025016812315.exe
C:\WINDOWS\ms056812315501.exe
C:\WINDOWS\win32068123155016.exe
C:\WINDOWS\ms068123155016.exe
C:\WINDOWS\sys015501681231.exe
C:\WINDOWS\system32\is11



Run Ewido
Run Ewido with its updated definitions (it's important that all windows are closed)
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save Report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

NOTE: Ewido scan will require at least an hour.



Reboot
Reboot your system in Normal Mode.



Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now. * The download of Panda's 8 MB ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
Ewido Log
Panda Log
HijackThis Log

Iain
Win XP Pro / Win 7 Pro
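The reply above picks the suspect Run entries out of the HijackThis log by eye; the following is an added example (not code from this thread or from the HijackThis project) that scores O4 lines with simple heuristics for the same patterns: generated-looking names, files with no path, and executables sitting straight in the Windows folder. The heuristics, weights and threshold are my own assumptions, and the sample lines are copied from the log posted earlier in the thread; note that a random-letter name such as spytiqwuy.exe scores zero here, which is why the helper still relies on an analyst and an AV scan rather than a script.

```python
import re
from dataclasses import dataclass, field

# HijackThis v1.99.1 writes Run-key autostarts as:
#   O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)

# Directories where a legitimate autostart almost never lives directly
# (assumption: real software installs under Program Files or system32).
WINDIR_ROOTS = ("c:\\windows", "%systemroot%", "%windir%")


@dataclass
class Finding:
    value: str          # the Run value name, e.g. "win32071231550168"
    target: str         # the file that actually gets loaded
    score: int
    reasons: list = field(default_factory=list)


def first_token(cmd):
    """Split a command line into its first (possibly quoted) token and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: take everything
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(cmd):
    """Return the file a Run entry loads; for RUNDLL32 that is the DLL argument."""
    exe, rest = first_token(cmd)
    if exe.lower().endswith("rundll32.exe") and rest:
        dll, _ = first_token(rest)
        return dll.split(",", 1)[0]        # strip ",EntryPoint args"
    return exe


def score_target(target):
    """Score one autostart target; higher means more worth a human look."""
    directory, _, basename = target.rpartition("\\")
    stem = basename.rsplit(".", 1)[0]
    chars = [c for c in stem if c.isalnum()]
    score, reasons = 0, []
    if not directory:
        score += 1
        reasons.append("no path: resolved through the search order at logon")
    if chars and sum(c.isdigit() for c in chars) / len(chars) > 0.4:
        score += 2
        reasons.append("digit-heavy name (looks generated)")
    if re.fullmatch(r"[0-9A-Fa-f]{10,}", stem):
        score += 2
        reasons.append("hex-only name (looks generated)")
    if directory.lower().rstrip("\\") in WINDIR_ROOTS:
        score += 2
        reasons.append("runs straight out of the Windows folder")
    return score, reasons


def triage(log_text, threshold=2):
    """Return the O4 Run entries scoring at least `threshold`, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = run_target(m.group("cmd"))
        score, reasons = score_target(target)
        if score >= threshold:
            findings.append(Finding(m.group("value"), target, score, reasons))
    return findings


# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [1E1B1E1E1E2625212] EDEAEDEDEDF5F4F.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKLM\..\Run: [win32071231550168] C:\WINDOWS\win32071231550168.exe
O4 - HKLM\..\Run: [w001ba33.dll] RUNDLL32.EXE w001ba33.dll,I2 0003623b0001ba33
O4 - HKLM\..\Run: [sys030168123155] C:\WINDOWS\sys030168123155.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.value}: {f.target} -> {'; '.join(f.reasons)}")
```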

#5 nosnhoj#3 (Topic Starter)

Posted 05 May 2006 - 05:19 PM

Hello,

This response is lacking a few of the steps that you requested. I'll explain:

1) I tried to install AVG, before and after executing the fixes, and received the same results:

Local machine: installation failed
	Installation:
		Error: Action failed for directory Avg7Data: setting directory access rights....
			The file or directory is corrupted and unreadable.  (1392)

2) I did uninstall Limewire.

3) Connecting to the internet seems to be a problem. The owners were having this problem before bringing it to me. I tried to network it with my PC; that failed. I unhooked my PC from the modem, installed my modem's drivers, and set it up like you would normally set up an internet connection; it also failed. I had some activity for less than a couple of seconds, which leads me to believe that it is physically being denied access by something. I looked over all the settings and there doesn't appear to be anything that would cause this.

4) I tried to manually update the Java, but it failed with the same code as above.

5) Was able to remove all the listed entries.

6) Installed Ewido, but unable to update. The scan found and removed quite a bit however.

7) Without internet access unable to scan with Panda.

8) Check Disk is still running on startup, and I still get the same error messages at the welcome screen.

C:\$Secure........ is corrupted



It does seem to be running better with the repairs so far... but I know without a thorough cleaning this will not last long. Should I maybe try to install AVG via Safe Mode?

Here are the Ewido, and HJT logs, and I apologize for not being able to complete the instructions completely as directed.


Ewido Log


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:57:30 AM, 5/5/2006
+ Report-Checksum: 9A9EFBD1

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2912228176-389113-1081798612-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-2912228176-389113-1081798612-1007\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2912228176-389113-1081798612-1007\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\bintheredunthat\kuqiihb.exe -> Hijacker.VB.ij : Cleaned with backup
C:\Documents and Settings\Katie Palki\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\n.exe -> Downloader.Small.cdy : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\BE Network\bin\slidev.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Program Files\MSN\MSNCoreFiles\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\eins002.exe -> Downloader.Adload.k : Cleaned with backup
C:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\megt1.exe -> Adware.DownloadWare : Cleaned with backup
C:\Program Files\Support.com\backup\Ne\newdotnet6_38.dll\229376_51a9f736b_/newdotnet6_38.dll -> Adware.NewDotNet : Error during cleaning
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc10.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc11.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc12.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc13.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc14.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc15.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc16.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc4.exe -> Adware.Suggestor : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc5.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc6.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc7.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc8.exe -> Downloader.VB.tw : Cleaned with backup
C:\RECYCLER\S-1-5-21-2912228176-389113-1081798612-1007\Dc9.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1897\A0258836.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1897\A0258837.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1897\A0258838.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1897\A0258854.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0275988.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277006.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277008.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2742\A0277015.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0283182.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285181.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285189.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285190.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285191.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285193.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285194.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285195.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285197.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285198.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285199.exe -> Dropper.VB.kk : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285204.exe -> Trojan.VB.tg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0285205.exe -> Trojan.VB.tg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0286170.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2747\A0287181.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303189.exe -> Trojan.VB.tg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303202.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303206.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303207.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303208.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303209.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303210.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303211.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303212.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303213.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303214.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303215.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303216.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303217.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303218.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303219.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303220.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303221.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303222.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303223.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303224.dll -> Adware.Look2Me : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\DH.dll_tobedeleted -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\sbigjmmg.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\sms112x.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\SYSTEM32\2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\AlxRes.dll.bak -> Adware.AlexaBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\dgfnimke.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\SYSTEM32\dkiadkkj.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\SYSTEM32\E4E1E4E4E4ECEBE.exe -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\SYSTEM32\expload.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\MTE2ODI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\SYSTEM32\OEE2NLS.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\pre2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\q.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\q3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\q5.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\winspy.exe -> Downloader.Small.ckq : Cleaned with backup
C:\WINDOWS\SYSTEM32\xxx2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\z1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\z3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\xtzgbzte.exe -> Adware.BookedSpace : Cleaned with backup


::Report End


/*********************************************************

**********************************************************/


HJT LOG


Logfile of HijackThis v1.99.1
Scan saved at 2:34:54 PM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



/******************************************************
End Of Logs
*******************************************************/


Thanks once again,

nos
When I'm right, I'm right....
And when I'm wrong, I could have been right....
So I'm still right, cause I could have been wrong.
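A small triage helper for the two logs above, added here as an example and not part of the thread or of ewido or HijackThis themselves. It parses ewido report lines of the form `path -> detection : action` and HijackThis `Oxx - ...` entries, then groups the ewido detections by family and by where the file lived (restore point, system32, the Windows folder, elsewhere), which is the reason helpers usually ask for System Restore to be flushed after a cleanup, and lists the HijackThis entries whose target is marked `(file missing)`. The sample input is a handful of lines excerpted from the logs posted above; the function names and the location buckets are this example's own choices.

```python
import re
from collections import Counter

# Sample report lines excerpted from the ewido report posted in this thread.
EWIDO_SAMPLE = r"""
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303206.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2776\A0303211.dll -> Adware.Look2Me : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\SYSTEM32\2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\OEE2NLS.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
::Report End
"""

# Sample entries excerpted from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# "<path> -> <detection name> : <action>" as ewido prints it.
EWIDO_LINE = re.compile(r"^(?P<path>.+?) -> (?P<name>[^:]+?) : (?P<action>.+)$")
# "<section> - <rest of entry>" as HijackThis prints it (R0/R1/O2/O4/...).
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

def classify_location(path):
    """Bucket a cleaned file by where it lived (buckets chosen for this example).
    Copies inside _restore{...} are System Restore snapshots of the infection."""
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "restore point"
    if "\\system32\\" in p:
        return "system32"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"

def parse_ewido(text):
    """Return one dict per detection line; headers, blanks and '::Report End' are skipped."""
    records = []
    for line in text.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["location"] = classify_location(rec["path"])
        records.append(rec)
    return records

def summarize_ewido(records):
    return {
        "total": len(records),
        "by_family": Counter(r["name"] for r in records),
        "by_location": Counter(r["location"] for r in records),
        # Anything ewido could not clean deserves a second look.
        "not_cleaned": [r for r in records if not r["action"].startswith("Cleaned")],
    }

def parse_hjt(text):
    """Return one dict per HijackThis entry: its section code and the rest of the line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def hjt_missing_files(entries):
    """Entries whose target no longer exists on disk: dangling registrations
    that are harmless but worth removing so later logs are easier to read."""
    return [e for e in entries if "(file missing)" in e["body"]]

if __name__ == "__main__":
    summary = summarize_ewido(parse_ewido(EWIDO_SAMPLE))
    print(summary["total"], "detections")
    for fam, n in summary["by_family"].most_common():
        print(f"  {n:3d}  {fam}")
    for loc, n in summary["by_location"].most_common():
        print(f"  {n:3d}  in {loc}")
    for e in hjt_missing_files(parse_hjt(HJT_SAMPLE)):
        print("dangling:", e["section"], e["body"])
```

Run against the full logs, the location count makes the point quickly: most of the cleaned files in this report sit under a restore point rather than in the live system, so they would come back with a restore unless the old points are discarded.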

#6 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:Glasgow
  • Local time:07:41 AM

Posted 06 May 2006 - 02:05 PM

Hi again

Well, the good news is the log is basically clean. But, I won’t be happy until we’ve run some online scans. Ewido cleaned out a good pile of junk, but there are bound to be some leftovers.

I would have said the C:\$Secure was something to do with .NET – does that ring any bells? I’m not particularly a Windows expert, but I think you should try a Repair Install – have a look for a guide here. Make sure you back up any critical data, if you have not already done so.

If that works, try one of the online scans and post any logs.
Iain
Win XP Pro / Win 7 Pro

#7 nosnhoj#3

nosnhoj#3
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:11:41 PM

Posted 06 May 2006 - 02:37 PM

Hello,

Your help is greatly appreciated. I am gonna start the system repairs, and find out what the root of the problems are. I will post back no later than tomorrow (May 7), whether I have solved the problem or not.

Once again, thank you, and keep up the good work.

nos :thumbsup:
When I'm right, I'm right....
And when I'm wrong, I could have been right....
So I'm still right, cause I could have been wrong.

#8 nosnhoj#3

nosnhoj#3
  • Topic Starter

  • Members
  • 245 posts
  • OFFLINE
  • Location:127.0.0.1
  • Local time:11:41 PM

Posted 08 May 2006 - 06:22 PM

Hello,

Please excuse the tardiness, I had to take the day off yesterday. Anyway, I think I have found out the reason for the system instability. Apparently they had let a friend of theirs do some work on it and that is when they started having troubles. He had installed Ad-Aware and from the look of the settings, he ran a scan but didn't quarantine the items found, just deleted them. This may be part of the problems.

The owners are bringing me the OS CD so I can do what is necessary to repair the damaged files or directories. Oddly enough, I have searched immensely for the error the PC keeps displaying and have only found a handful of articles, that I don't see a relationship to. It boots fine besides the chkdsk autostart, which is not a good idea to disable until the problem is solved. The overall system performance is snappy, so I will just wait to get the disk from the owners, and report back when I get the PC back on the internet. I would say no longer than 2 days.

Thanks,

nos :thumbsup:
When I'm right, I'm right....
And when I'm wrong, I could have been right....
So I'm still right, cause I could have been wrong.

#9 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:Glasgow
  • Local time:07:41 AM

Posted 09 May 2006 - 04:39 PM

Hi

Thanks for the update.

Sounds like a Repair would help restore the correct system files - I think that may be what's needed.

Assuming you can get everything going again, try one of the online scans and post back with the results. I'm sure there will be a few things that will turn up, minor, but I'd want to take care of them properly.

Everyone needs a day off now and again. :thumbsup:
Iain
Win XP Pro / Win 7 Pro