
Infected With Spyware Quake


5 replies to this topic

#1 Geoffvp


Posted 06 June 2006 - 07:55 PM

Hey guys,

So I got the spyware quake Trojan/Worm/whatever. I followed the instructions to remove it to the letter, but the little icon in my taskbar with the handicapped sign that flashes "critical errors" will not leave, and I can't figure out the process/file it's associated with. Was hoping you guys could help me.

Here are the logs: Let's start with Hijack-this.
1) When I ran Hijack This, I received this error several times upon initiating the scan, for different procedures.
---------------------------------------------
An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
---------------------------------------------

Not sure what this means...maybe a problem with my RPC service? Anyways, the scan still managed to perform itself.

2) Here is the actual hijack this log.

-----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:42:13 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fast.dll C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
----------------------------------------------------------------------------------------
The last 2 files (file missing) were recommended to be deleted to fix this problem, by another site. I suppose that was a mistake, huh? Either way, the files are gone but the taskbar icon remains.
As you can tell, my main browser is Firefox. The IE start page was obviously affected but I didn't even notice.


3) The test.txt log produced by roguescanfix.

---------------------------------------------------------------------------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"


sharedtaskkey: c3786a8d-6426-4c29-a23f-f36e47b31e0c
---------------------------------------------------
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{c3786a8d-6426-4c29-a23f-f36e47b31e0c}]

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{c3786a8d-6426-4c29-a23f-f36e47b31e0c}\InProcServer32]
@="C:\\WINDOWS\\system32\\ucbrrt.dll"
----------------------------------------------------------------------------------------

Needless to say, I followed all the instructions in the "preparation to post" guide, including a Panda Online Scan, Adaware Scan, Spybot S&D Scan, AVG Scan, etc. Nothing helped. I also followed the guide to remove the Spyware Quake app, and indeed I no longer have the program on my computer or any of the files indicated in the guide, but something remains.

Let me know if you need additional information, I appreciate your help.
Regards,
Geoff


#2 Geoffvp (Topic Starter)

Posted 06 June 2006 - 08:00 PM

From looking at some other posts, seems like you could use a few more reports.

Let's start by adding the Smitfiles.txt Report!
----------------------------------------------------------------------------------------------------------

smitRem log file
version 2.9

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Tue 06/06/2006
The current time is: 20:27:33.89

Running from
C:\Documents and Settings\Geoffvp\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:
-----------------------------------------------------------------------------------------------------------

#3 Geoffvp (Topic Starter)

Posted 06 June 2006 - 08:31 PM

Next up, the Ewido log. Ran it in safe mode. It deleted 109 Cookies and some stuff from new.net, but the spyware quake taskbar icon remains.

----------------------------------------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:20:17 PM, 6/6/2006
+ Report-Checksum: A657DD30

+ Scan result:

:mozilla.14:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Ad-flow : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.376:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.377:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.379:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.380:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.410:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.411:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.412:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.413:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.433:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.434:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.435:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.436:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.437:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.438:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.439:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.440:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.441:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.442:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.448:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.449:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.450:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.470:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.471:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.472:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.474:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.526:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.527:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.528:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.535:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.536:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.537:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.538:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.570:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.628:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.633:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.634:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.635:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.643:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.644:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.645:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.658:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.687:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.718:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.763:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.764:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.765:C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
C:\Documents and Settings\Geoffvp\Cookies\geoffvp@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup


::Report End

#4 Geoffvp (Topic Starter)

Posted 06 June 2006 - 09:06 PM

And finally, the Panda Scan Report.

------------------------------------------------------------

Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.adopt.hbmediapro.com/]

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.adultfriendfinder.com/]

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.apmebf.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.atwola.com/]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.belnk.com/]

Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.cdfreaks.com/]

Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.club.cdfreaks.com/]

Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.fortunecity.com/]

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.go.com/]

Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.maxserving.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.target.com/]

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[.xiti.com/]

Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[hc2.humanclick.com/]

Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Geoffvp\Application Data\Mozilla\Firefox\Profiles\kujf5fu7.default\cookies.txt[hc2.humanclick.com/hc/38237851]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Geoffvp\Desktop\Spyware problems\smitRem\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Geoffvp\Desktop\Spyware problems\smitRem.exe[smitRem/Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\smitRem\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Roguescanfix\Process.exe

Adware:Adware/Searchcontrol Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc103.exe
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc111.exe
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc115.exe
Adware:Adware/MediaTickets Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc118.exe
Adware:Adware/Adsmart Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc7.exe
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc8.exe
Adware:Adware/SecurityError Not disinfected C:\RECYCLER\S-1-5-21-299502267-1364589140-839522115-1003\Dc97.frAF62
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\arpa.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\fast.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\winpsa32.dll


So there were a bunch of cookies in a cookies.txt file that got deleted. A bunch of stuff in the Recycle Bin, also fully erased. Finally, 3 files in system32, all deleted.

Still got that damn icon!

Let's put in another HijackThis log after this whole process.

-----------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:03:24 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fast.dll C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
----------------------------------------------------------------------

Please HELP ME!

Thanks,
Geoff

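The log above carries the entries a responder usually triages first: every R0/R1 search and start-page value pointing at prosearching.com, the missing default URLSearchHook, the O16 ActiveX download from yazzle.net, the two AppInit_DLLs entries, and the Winlogon Notify package whose DLL is already gone. The following Python script is an added example, not part of the original post and not HijackThis code: it parses lines in the HijackThis 1.99.1 format and reports those items. The trusted-host list, the `Finding` type and the `analyze` function are assumptions made for the example; the sample lines are copied from the log in the post, with one benign O2 and one benign O23 line added so that the script has something to ignore.

```python
"""Triage a HijackThis 1.99.1 log for the persistence entries that matter most
(added example; not part of the original post or of HijackThis itself)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the analyst's list of hosts considered known-good for IE
# search/start pages (R0/R1) and ActiveX downloads (O16). Not from the page.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com", "live.com", "pandasoftware.com")

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus one benign O2 and one benign O23 line, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\fast.dll C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    detail: str


R_ENTRY = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")


def host_of(value: str) -> str:
    """Hostname of a URL or of a bare-domain value such as 'prosearching.com'."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := R_ENTRY.match(line):
            # R0/R1: IE start and search pages. A value pointing anywhere the
            # analyst does not trust is a browser hijack.
            if not is_trusted(host_of(m["value"])):
                findings.append(Finding(m[1], "IE search/start page hijacked", f"{m['key']} = {m['value']}"))
        elif line.startswith("R3 - ") and line.endswith("is missing"):
            # The default URLSearchHook being absent is itself a hijack symptom.
            findings.append(Finding("R3", "default URLSearchHook removed", line))
        elif m := O16_DPF.match(line):
            # O16: ActiveX controls IE will download and run from this URL.
            if not is_trusted(host_of(m["url"])):
                findings.append(Finding("O16", "ActiveX download from untrusted host", m["url"]))
        elif m := O20_APPINIT.match(line):
            # AppInit_DLLs is empty on a clean XP install; every DLL listed is
            # loaded into each process that loads user32.dll. Windows delimits
            # the value with spaces or commas, so split on both.
            for dll in re.split(r"[\s,]+", m["dlls"].strip()):
                findings.append(Finding("O20", "AppInit_DLLs injection", dll))
        elif m := O20_NOTIFY.match(line):
            # Winlogon Notify packages load into winlogon.exe at logon. An entry
            # whose DLL is gone is orphaned: it no longer loads, but the registry
            # value should still be removed.
            orphaned = "(file missing)" in m["target"]
            reason = "orphaned Winlogon Notify entry" if orphaned else "Winlogon Notify package to review"
            findings.append(Finding("O20", reason, f"{m['name']} -> {m['target']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:40} {f.detail}")
```

Run against the sample, the script reports seven findings and stays silent on the Java BHO and the ewido service. The point of splitting AppInit_DLLs into one finding per path is that each DLL has to be checked and removed on its own, and the "orphaned" label on the Winlogon Notify line records that deleting the DLL did not remove the registry value that references it.
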
#5 Geoffvp

Geoffvp
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 07 June 2006 - 12:13 AM

Ok, so I fixed it! My impatience led me to skip ahead and try some of the steps recommended in another thread on this issue.

The clincher was ultimately the F-Secure Online Scanner. According to it, my problem was a virus (which my AVG didn't detect, by the way).
I would STRONGLY recommend that using the F-Secure Scanner be added to the official "Guide" to fix this, as it worked where none of the other programs did to fix the issue completely.

Here was my report from F-Secure:

------------------------------------------------------------------------------
Scanning Report
Tuesday, June 06, 2006 23:25:43 - 01:00:43
Computer name: CANDY
Scanning type: Scan target for viruses, rootkits, spyware
Target: C:\
------------------------------------------------------------------------
Result: 3 malware found
Tracking Cookie (spyware)
 * System (Disinfected)
Trojan-Downloader.Win32.Small.cvw (virus)
 * C:\WINDOWS\TEMP\WIN8.TMP.EXE (Renamed)
Not-virus:Hoax.Win32.Renos.dj (virus)
 * C:\WINDOWS\SYSTEM32\__DELETE_ON_REBOOT__UCBRRT.DLL (Submitted)
------------------------------------------------------------------------
Statistics
Scanned:
 * Files: 18549
 * System: 3606
 * Not scanned: 3
Actions:
 * Disinfected: 1
 * Renamed: 1
 * Deleted: 0
 * None: 1
 * Submitted: 1
Files not scanned:
 * C:\PAGEFILE.SYS
 * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
 * C:\WINDOWS\PREFETCH\LAYOUT.INI
-------------------------------------------------------------------

My personal suspicion is that the file at cause here was the UCBRRT.DLL mentioned above. A new variant?

Anyways, I hope my posts in response to myself prove helpful to someone down the line with this thing. I've generally been fairly unfazed by spyware as I've rarely had difficulty removing it, but this one...WOW. Though it seems like it was problematic due to a problem with my AV protection; I should look into ensuring that's patched up.

Anyways, good night and good luck Malware troubleshooters!

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:09 AM

Posted 07 June 2006 - 02:31 PM

Glad you were able to work it all out. Your log still looks a bit messy though, and yes, it was the UCBRRT.DLL file. It is a "newer variant"...not exactly sure how old, but within the past few days. It's already listed in the manual removal guide.

You may want to post a new log.


