I Have Some Big Malware Or Virus On My Computer


  • This topic is locked
7 replies to this topic

#1 DP349

DP349

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 30 May 2006 - 06:22 PM

Hello,

I have had this problem for a while and have just been dealing with it. However, the problem is getting worse and worse. I believe I have something similar to the Smitfraud virus. However, I also have 2 startup items checked in my msconfig named 2797a06, with a 2797a06.exe file in my system32 folder. I have Googled and Yahoo'd the file with absolutely no results. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:04:03 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\DAVIDP~1\LOCALS~1\Temp\h91746.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075881562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075867921
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



Any help would be greatly appreciated. I am not sure what to do. I have, of course, deleted 2797a06.exe from system32 in Safe Mode, but it came back. Also, I have been running Spybot S&D and Ad-Aware SE to no avail.

All Help/Input Appreciated.

Thanks
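The helper in this thread reads the HijackThis log by eye. As an added example (not from the thread, HijackThis or SmitfraudFix), the Python below applies the same checks mechanically to the 1.99 log format: processes and Run-key autoruns launched from per-user or temp directories, the same Run value name registered under both HKLM and HKCU (the "2 startup items named 2797a06" the poster noticed), BHOs backed by a .tmp file, and services whose binary is reported missing. The sample lines are copied from the log posted above; the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\DAVIDP~1\LOCALS~1\Temp\h91746.exe
C:\WINDOWS\system32\atmclk.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Section lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path on the line that ends in an executable-type extension;
# tolerates unquoted paths containing spaces, as HijackThis prints them.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|tmp)', re.I)
# Run-key autoruns, so the same value name can be compared across hives.
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Directories any user process can write to; legitimate autoruns and services
# rarely live here. Rule names below are my own, not HijackThis terms.
USER_WRITABLE_DIRS = (
    "\\temp\\",
    "\\local settings\\application data\\",
    "\\downloaded program files\\",
)


def parse_log(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def in_user_writable_dir(path):
    return any(d in path.lower() for d in USER_WRITABLE_DIRS)


def triage(text):
    """Return (rule, evidence) pairs for lines a log reader would question."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if in_user_writable_dir(proc):
            findings.append(("process-from-temp", proc))
    run_by_name = defaultdict(set)
    for code, body in entries:
        m = PATH_RE.search(body)
        path = m.group(0) if m else ""
        if code == "O4":
            run = RUN_RE.match(body)
            if run:
                run_by_name[run.group("name").lower()].add(path.lower())
            if in_user_writable_dir(path):
                findings.append(("autorun-from-user-dir", body))
        elif code == "O2" and path.lower().endswith(".tmp"):
            findings.append(("bho-backed-by-tmp-file", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append(("service-binary-missing", body))
    # One autorun name checked twice in msconfig means the same Run value is
    # registered under HKLM and HKCU, here pointing at two different files.
    for name, paths in run_by_name.items():
        if len(paths) > 1:
            findings.append(("autorun-name-in-two-hives", f"{name}: {sorted(paths)}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

Run against the full log rather than the sample, the same rules also flag the gdnUS2218.exe process under Downloaded Program Files in the second log; they are triage hints for a reader, not a verdict on any file.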

#2 amateur

  • Malware Fighter
  • Malware Response Team

Posted 31 May 2006 - 02:09 PM

Hello and Welcome to the Forum. :thumbsup:



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

This tool is only for Windows XP and Windows 2000.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore your antivirus may alert you about this. Please allow it.

In your next post, please include:
  • the SmitfraudFix log
  • a new HijackThis log
Note: the report is saved at C:\rapport.txt

#3 DP349


Posted 31 May 2006 - 03:06 PM

Thanks for getting back to me so soon.

Here is the Smitfraud log:
SmitFraudFix v2.53

Scan done at 16:00:38.60, Wed 05/31/2006
Run from C:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\keyboard??.exe FOUND !
C:\WINDOWS\newname??.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\hvnwm.dll FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\oqipt.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\David Pawlik\Application Data


Start Menu


C:\DOCUME~1\DAVIDP~1\FAVORI~1

C:\DOCUME~1\DAVIDP~1\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Security Toolbar\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\system32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"="advisability"

[HKEY_CLASSES_ROOT\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\WINDOWS\system32\oqipt.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\WINDOWS\system32\oqipt.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular"

[HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"


Scanning wininet.dll infection


End



And here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:01:52 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\2797a06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\1024\ld4245.tmp
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.73\gdnUS2218.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075881562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075867921
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Thank you, and hopefully we can get rid of this thing soon... It's driving me nuts.

#4 amateur

  • Malware Fighter
  • Malware Response Team

Posted 31 May 2006 - 03:09 PM

Hi again :thumbsup:

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download the trial version of Ewido anti-malware 3.5 from here:
http://www.ewido.net/en/download/
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs; otherwise they might get cut off.

#5 DP349


Posted 31 May 2006 - 05:39 PM

Here are the three logs requested.

The Smitfraud Report:

SmitFraudFix v2.53

Scan done at 16:36:11.18, Wed 05/31/2006
Run from C:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"="advisability"

[HKEY_CLASSES_ROOT\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\WINDOWS\system32\oqipt.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\WINDOWS\system32\oqipt.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular"

[HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\WINDOWS\system32\hvnwm.dll"


Killing process


Deleting infected files

C:\WINDOWS\keyboard??.exe Deleted
C:\WINDOWS\newname??.exe Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\hvnwm.dll Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\oqipt.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\twain32.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\DAVIDP~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted

Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\twain32.dll -> Missing File

C:\WINDOWS\system32\oqipt.dll -> Missing File

C:\WINDOWS\system32\hvnwm.dll -> Missing File


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

The Ewido Report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:31:28 PM, 5/31/2006
+ Report-Checksum: 6505B69C

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{20C9D850-244D-10E1-B3C1-20805E499D95} -> Adware.ContextuAd : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20C9D850-244D-10E1-B3C1-20805E499D95} -> Adware.ContextuAd : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-2453300517-3682455190-615048819-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} -> Trojan.Small : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20C9D850-244D-10E1-B3C1-20805E499D95} -> Adware.ContextuAd : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2296428D-C133-4928-B76A-A200FF409572} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\David Pawlik\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv669.jar-72b8a91-5ca22886.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\'Voice Of Freedom' newspaper from the B.N.P. (March2006.pdf) Blair's Britain exposed..zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\747 Straight Up.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Advanced search.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Air America Radio - The Al Franken Show 041306 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\American Idol S05E29 HDTV XviD-VSS [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Angels, UFO's, Bible Codes & Software, NWO, End Times.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Armin Van Buuren - A State Of Trance 2006 www meister org uk tt rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Asterix et les Vikings FRENCH CAM REPACK XviD-by MIKE4ITOMA avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Browse categories.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Bruce Springsteen-We Shall Overcome-The Seeger Sessions-2006-RNS.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Built To Spill - You In Reverse [2006].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Carpenters - The Singles (1969-1973) [APE Lossless].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Collection of papers on Anti Gravity Research (PDF 803 pages).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Commander In Chief - 113 hdtv-lol [VTV][EZTV].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\CompTIA Certification training software by TestOUT.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Condemned Criminal Origins-RELOADED(bt-gm EFnet).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Creative Suite 2 Premium + Serial.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\CSI S06E20 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\dcp 4-13-06.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\DivX Create Bundle 6 2 zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Everybody Hates Chris S01E18 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\FHM MAGAZINE.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Final Fantasy VIII Ultimania rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Fine Young Cannibals - The Finest.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Football Manager Handheld (EUR) (PSP).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Football Manager Handheld PSP EUR.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\For Dummies Mac OS X Tiger Timesaving Techniques For Dummies Jun 2005 eBook-LinG.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Foxit PDF Editor v1 4 1531 Cracked-APO rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Frank Zappa - Sheik Yerbouti.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Holiday World Tycoon-PLEX.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Hostel[Unrated][2005]DvDrip AC3[Eng]-aXXo.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\ICE 2 EN.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Ice Age 2 TC XviD-Wrixle.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Ice Age 2 TS XviD-LAST avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Ice Age The Meltdown (2006) Prevail TS KVCD by Hockney(TUS Release).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Internet Download Manager 5 02 10 zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Intervideo MP3+DVD XPack - [www slotorrent net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\IRC chat.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Iron Warriors T72 Tank Command-iTWINSNEW + WEBSEED.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\John Wiley and Sons CSS Hacks and Filters Making Cascading Stylesheets Work May 2005 eBook-LinG.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Jurassic Park - Raptors.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\l'equipe du 13 04 2006 pdf.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\l'equipe du 14 04 2006 pdf.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Le Monde PDF 14 04 06 zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Microsoft Student Graphing Calculator 2006 - [www slotorrent net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\MOTOGP [1] Full.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Naruto ch303 MQ Woush zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Natasha Mealey.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\National Geographic Wallpapers 2000 - 2006 rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\New Server Installed!.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\PC WORLD MAGAZINE MAY 2006.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Playboy - Lingerie Special Edition 2005 10-11.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Poets Of The Fall - Carnival Of Rust [2006] - [www slotorrent net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Privacy policy.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\PS2 Dragon Quest VIII PAL MULTI5.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Radmin 2 2-3 0 exe.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\REALFLIGHT RC FLIGHT SIMULATOR G3-JGTiSO.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Ringtones zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Sandra Ramirez XposedSavvy HOT !! WOW.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Search Cloud.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Show all of today →.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Smallville 5x18 (HDTV-LOL)[VTV].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Smallville S05E18 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Smallville S05E18 HR HDTV AC3 5 1 XviD-NBS [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Supernatural S01E19 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\SwiftDisc Burning Wizard v1 95 - [www slotorrent net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Taito Legends 2-RELOADED(bt-gm EFnet).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\That 70s Show S08E15 PDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\The Gathering - Home [2006].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\The Matador 2005 DVDRiP XviD-HLS [www descargasweb net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\The O C S03E21 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\The Simpsons The Complete Seventh Season CD 01(clcoelho).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Top 250 Hits of the 90's.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Topaz Moment!™ 2.0-capture frames fr.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\TV Shows.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\UltraISO 8 0 0 1392 zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Upload a torrent.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\VA-Promo Only Country Radio May-2006-XXL.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\WebcamXP Pro 2006 v2 25 040-TE rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Windows XP Professional x64 Edition FR iso.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\World War II Color Pictures - [www slotorrent net].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Xilisoft DVD,MP3,AVI,WAV,PSP,Converter Software.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\Year 12 Mathematical Studies - Haese & Harris Publications Text Book pdf.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[a f k ] The Melancholy of Haruhi Suzumiya - 01 avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[DB] Naruto 180 Sub Portuguese Brazilian.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[Kyuu] Air Gear - 02[45CCFC74] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[Lunar] Ouran High School Host Club - 02 [A15A6553] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[LuPerry com] dot hack Roots - 02 (704x396 xvid) [F2461870] mkv.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[Nanashi]Eureka seveN - 35 [A3C983B8] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[Nyanko] Solty Rei - 24 [6F2C98DA] mkv.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[PC-GAME-ENG] Neon Genesis Evangelion - Girlfriend Of Steel (Fan-Translated).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[Spanish Newspaper] El Pais PDF 14 04 2006.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[TUS] The Hills Have Eyes [2006 - TS - WS - KVCD].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Complete\[yesy] Utawarerumono - 02 [7B45B4FD] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Shared\<<URL & TORRENT>> World Of Warcraft CDKEY AND 60DAY CARD GEN WORKiNG Reloaded.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\David Pawlik\Shared\World Of Warcraft 60Day GAME CARD GEN WORKiNG EMPORiO FIXED.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\iexplore.exe -> Dropper.VB.mn : Cleaned with backup
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup
C:\Setup.exe -> Dropper.VB.mn : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.17\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.18\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.21\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.22\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.23\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.24\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.25\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.26\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.27\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.28\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.29\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.30\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.31\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.32\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.33\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.34\gdnUS2218.exe -> Downloader.Small.cxg : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\ms0584408184932006.exe -> Adware.Enbrow : Cleaned with backup
C:\WINDOWS\sys039384408184.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\OLD970.tmp -> Downloader.VB.abh : Cleaned with backup
C:\WINDOWS\system32\rar.exe -> Dropper.VB.mn : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup


::Report End

And I will post the new HJT report in the next reply.

#6 DP349

DP349
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:17 PM

Posted 31 May 2006 - 05:44 PM

Here is my new HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:59 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\2797a06.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075881562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129075867921
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


I do have another problem however. What is this 2797a06.exe that is running on my computer? I really appreciate everything you have done so far, and if you could go on and help me get rid of this one I would be very grateful. I have googled and yahood this 2797a06 and not one response has come up. I cannot figure out what it does or if it contributes to any popups (for the whole 10 minutes my computer's been fixed). Can you help me get rid of it because I can only guess it is something that should not be there if no expert or program or website has ever mentioned this program before...

EDIT: I just received a popup for a program that looked professional that pops up even over watching a movie. I forget the exact name but it contains the words "integrity scan" in the title.

Thank you once again.

Edited by DP349, 31 May 2006 - 05:47 PM.


#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:17 PM

Posted 31 May 2006 - 07:52 PM

Hello again,

Smitfraud infection is removed. Now let's deal with the next problem. You had a backdoor trojan called Tilebot AK. You can read more about it here: http://www.sophos.com/virusinfo/analyses/w32tilebotak.html. It doesn't seem to be active at the moment (file is missing), but we don't know what kind of damage it caused. You'll need to get the patches for the operating system vulnerabilities exploited by W32/Tilebot-AK by visiting Microsoft and updating it as soon as the system is clean. There is a chance that your computer may have been compromised. More information on Remote Access Trojans can be found here.

If you used this computer for online banking & purchases, I would advise you to contact these companies and let them know that your computer may have been compromised and you may have been a victim of identity theft.

If you didn't/don't use this computer for any financial transactions...that area is OK.

These trojans leave a backdoor open on the system that can allow others total & complete access to your computer. (Remote access trojan)
However, if you always had a firewall, if you were/are using a router with Hardware firewall, chances are that they were unable to connect.

=========================================

Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\WINDOWS\system32\2797a06.exe

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

=========================================

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\2797a06.exe

Exit the Task Manager when finished.

=========================================

Click Here and download Killbox and save it to your desktop but don't run it yet.

=========================================
  • Close all open Explorer windows and browsers/email, etc
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When completed, close the application.
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)


=========================================

Please copy/paste the following text inside the quote box below to a blank Notepad (not Wordpad) file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
sc stop lsass
sc delete lsass


Double-click on Removeservice.bat. A window will pop up and close. This is normal.

==========================================

Please restart your computer in Safe Mode

==========================================

Double-click on Killbox.exe to run it.
Click on Tools>Delete Temp Files
Check Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file.

C:\WINDOWS\system32\2797a06.exe
C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
C:\WINDOWS\lsass.exe


It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Reboot your computer in Normal Mode.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

=============================================

You are running an old vulnerable version of Java.
  • Go to Start > Control Panel > Add/Remove Programs.
  • Search for all previously installed versions of Java (J2SE Runtime Environment...) and delete them.
  • It/they should have this icon next to it/them: Posted Image
  • Then download and install the newest version. 1.5.07 from here.
=============================================

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:

Please post back a fresh HijackThis log and the Kaspersky scan results along with the Jotti results.
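As an added illustration (not part of this thread, and not any tool the helper names), the script below applies the same kind of reasoning behind the "Fix Checked" list above to HijackThis log lines: a service or BHO whose file is missing, a core Windows binary name such as lsass.exe registered outside system32, a Run entry with a generated-looking hex name, and an autorun launched from a user-writable profile folder. The sample lines are copied from the log posted above; the rules, thresholds and the hex-name heuristic are this example's own assumptions, not HijackThis logic.

```python
import re
from typing import List, Tuple

# Core XP binaries that always live in %SystemRoot%\system32. A service
# pointing at a same-named file elsewhere (C:\WINDOWS\lsass.exe in the log
# above) is the impersonation pattern the helper flagged.
SYSTEM_BINARIES = {"lsass.exe", "winlogon.exe", "services.exe", "smss.exe",
                   "csrss.exe", "svchost.exe", "explorer.exe"}

# Profile locations a limited user can write to; legitimate Run entries
# rarely launch from them.
USER_WRITABLE = ("\\local settings\\application data\\",
                 "\\local settings\\temp\\")

# Heuristic (assumption of this example): an executable whose whole name is a
# hex blob, like 2797a06.exe, is a generated name rather than a product name.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}\.exe$", re.IGNORECASE)

# Constructed sample: lines copied from the HJT log posted earlier in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2797a06.exe] C:\WINDOWS\system32\2797a06.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [2797a06.exe] C:\Documents and Settings\David Pawlik\Local Settings\Application Data\2797a06.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
"""


def _o4_path(line: str) -> str:
    """Extract the launched path from an 'O4 - ...\\Run: [name] path [args]' line."""
    rest = line.split("] ", 1)[1].strip()
    if rest.startswith('"'):          # quoted path, possibly followed by switches
        return rest.split('"')[1]
    return rest                       # unquoted: HJT prints the bare path only


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reasons) pairs for HJT lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if section == "R3" and "URLSearchHook is missing" in line:
            reasons.append("default URL search hook removed (hijack residue)")
        elif section in ("O2", "O23"):
            # For O2/O23 lines the file path is the last ' - ' separated field.
            target = line.rsplit(" - ", 1)[1]
            missing = "(file missing)" in target
            path = target.replace("(file missing)", "").strip()
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
                reasons.append(f"{name} registered outside system32")
            if missing:
                reasons.append("target file missing")
            if name.endswith(".tmp"):
                reasons.append("component loaded from a .tmp file")
        elif section == "O4" and "] " in line:   # Run-key entries only
            path = _o4_path(line)
            name = path.rsplit("\\", 1)[-1]
            if HEX_NAME.match(name):
                reasons.append("random hex-named autorun")
            if any(loc in path.lower() for loc in USER_WRITABLE):
                reasons.append("autorun from user-writable profile location")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Every line the helper asked to be fixed is reported, while the Symantec, Sonic, Messenger and ATI entries pass untouched; the hex-name rule is only a heuristic and a match still needs confirming with a scanner as the helper suggests.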

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:17 PM

Posted 06 June 2006 - 07:39 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



