Ul Window Seek Help


3 replies to this topic

#1 iceman21

iceman21

  • Members
  • 2 posts

Posted 15 June 2006 - 01:43 PM

I cannot get rid of this registry worm, or whatever it may be. I have this HijackThis log and hope that someone can help me, thank you.

Logfile of HijackThis v1.99.1
Scan saved at 2:38:06 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\51d615fe.exe
C:\Program Files\Common Files\A?pPatch\?ti2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\win47.tmp.exe
C:\WINDOWS\ICROSO~1\winword.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Documents and Settings\Justin Timko\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnmmkj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [51d615fe.exe] C:\WINDOWS\system32\51d615fe.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [51d615fe.exe] C:\Documents and Settings\Justin Timko\Local Settings\Application Data\51d615fe.exe
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\ICROSO~1\winword.exe" -vt yazr
O4 - HKCU\..\Run: [Gcllln] C:\Program Files\Common Files\A?pPatch\?ti2evxx.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142995511000
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: opnmmkj - C:\WINDOWS\SYSTEM32\opnmmkj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
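As an added, defender-side example (not from this thread or from HijackThis itself), here is a small Python triage pass over entries copied from the log above: it flags autoruns with random hex file names or living in user-writable profile directories, every DLL listed under AppInit_DLLs, Winlogon Notify packages outside a small allowlist, and processes running from a Temp directory. The allowlist of stock XP SP2 Notify packages and the sample lines are assumptions constructed for illustration; the output is a list of things to look at, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name path reason")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\TEMP\win47.tmp.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [51d615fe.exe] C:\WINDOWS\system32\51d615fe.exe
O4 - HKCU\..\Run: [51d615fe.exe] C:\Documents and Settings\Justin Timko\Local Settings\Application Data\51d615fe.exe
O4 - HKCU\..\Run: [Scbu] "C:\WINDOWS\ICROSO~1\winword.exe" -vt yazr
O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: opnmmkj - C:\WINDOWS\SYSTEM32\opnmmkj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
O4_RE = re.compile(r'^HK\w+\\\.\.\\\w+: \[(.*?)\]\s+"?(.+?\.exe)"?', re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)          # e.g. 51d615fe.exe
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\")
# Winlogon Notify packages on a stock XP SP2 install (assumption: extend for your build).
KNOWN_NOTIFY = {"wgalogon", "crypt32chain", "cryptnet", "cscdll", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "schedule", "sccertprop"}

def triage(log_text):
    """Return Finding tuples for entries that deserve a second look (heuristics, not a verdict)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:  # bare paths are the "Running processes" list
            if re.match(r"^[A-Za-z]:\\", line) and "\\temp\\" in line.lower():
                findings.append(Finding("process", line.rsplit("\\", 1)[-1], line, "running from a Temp directory"))
            continue
        kind, rest = m.groups()
        o4 = O4_RE.match(rest) if kind == "O4" else None
        if o4 and HEX_NAME.match(o4.group(2).rsplit("\\", 1)[-1]):
            findings.append(Finding("O4", o4.group(1), o4.group(2), "autorun with random hex file name"))
        elif o4 and any(d in o4.group(2).lower() for d in USER_WRITABLE):
            findings.append(Finding("O4", o4.group(1), o4.group(2), "autorun from user-writable profile directory"))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            for dll in rest.split(":", 1)[1].split():  # assumes no spaces in the DLL paths
                findings.append(Finding("O20", "AppInit_DLLs", dll, "DLL loaded into every process that uses user32.dll"))
        elif kind == "O20" and rest.startswith("Winlogon Notify:"):
            name, dll = (s.strip() for s in rest.split(":", 1)[1].split(" - ", 1))
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20", name, dll, "unrecognised Winlogon Notify package"))
    return findings
```

Run `triage(SAMPLE_LOG)` and compare the flagged paths with the scanner report later in the thread: the same hex-named downloader, the AppInit DLLs and the opnmmkj Notify package all come back as detections there.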


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 17 June 2006 - 04:58 AM

Hi iceman21 and Welcome to the Bleeping Computer!

Could you also post back an uninstall list for me please,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press the Save button, a Notepad window will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.
Please run this Online Scan
http://www.ewido.net/en/onlinescan/

Once the scan is complete--> Click Save Report and Save it to your desktop for easy access.

After saving the report--> Let ewido remove all it found.


Post back with a fresh HijackThis log--> the uninstall log and the report from Ewido.

#3 iceman21

iceman21
  • Topic Starter

  • Members
  • 2 posts

Posted 17 June 2006 - 09:04 AM

Here is the ewido log, but for some reason whenever I try to save a log from HijackThis, the program just shuts down. This never occurred before; could it be related to the spyware I have?

__________________________________________________
ewido anti-malware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Reliablestats
Path: C:\Documents and Settings\Justin Timko\Cookies\justin timko@stats1.reliablestats[1].txt
Risk: Medium

Name: Adware.PurityScan
Path: [724] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [784] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [796] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [956] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1080] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1140] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1240] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1340] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1696] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1968] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [564] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [592] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [760] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [924] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1180] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1236] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1320] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1368] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1404] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1484] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1572] C:\WINDOWS\system32\spool32.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1632] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1748] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1732] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [1828] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [2024] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [436] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [2144] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [2844] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [3088] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [3584] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Adware.PurityScan
Path: [3708] C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: :mozilla.13:C:\Documents and Settings\Justin Timko\Application Data\Mozilla\Firefox\Profiles\kuq1yj5e.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: :mozilla.14:C:\Documents and Settings\Justin Timko\Application Data\Mozilla\Firefox\Profiles\kuq1yj5e.default\cookies.txt
Risk: Medium

Name: Downloader.Obfuscated.a
Path: C:\Documents and Settings\Justin Timko\Local Settings\Application Data\51d615fe.exe
Risk: High

Name: Downloader.Small
Path: C:\Documents and Settings\Justin Timko\Local Settings\Application Data\Mozilla\Firefox\Profiles\kuq1yj5e.default\Cache\71F545FEd01
Risk: High

Name: Downloader.PurityScan.cq
Path: C:\Program Files\Common Files\Y1123OA.exe
Risk: High

Name: Adware.MediaTicket
Path: C:\Program Files\Cowabanga\Cowabanga.exe
Risk: Medium

Name: Downloader.PurityScan.co
Path: C:\Program Files\ΑрpPatch\chkdsk.exe
Risk: High

Name: Adware.ClickSpring
Path: C:\Program Files\ΑрpPatch\ΑрpPatch\!update-3945.0000
Risk: Medium

Name: Adware.MediaTickets
Path: C:\WINDOWS\mtuninst.exe
Risk: Medium

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld19F6.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld2188.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld32BE.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld3389.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld3B1B.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld65AC.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ld899D.tmp
Risk: High

Name: Trojan.Small
Path: C:\WINDOWS\system32\1024\ldD10E.tmp
Risk: High

Name: Downloader.Obfuscated.a
Path: C:\WINDOWS\system32\51d615fe.exe
Risk: High

Name: Downloader.PurityScan.co
Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2VQRO50V\!update-3895[1].0000
Risk: High

Name: Adware.ClickSpring
Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QXERIL6V\!update-3945[1].0000
Risk: Medium

Name: Adware.Virtumonde
Path: C:\WINDOWS\system32\ddcdayv.dll
Risk: Medium

Name: Adware.Virtumonde
Path: C:\WINDOWS\system32\hggfghf.dll
Risk: Medium

Name: Adware.Virtumonde
Path: C:\WINDOWS\system32\opnmmkj.dll
Risk: Medium

Name: Adware.PurityScan
Path: C:\WINDOWS\system32\spool32.dll
Risk: Medium

Name: Trojan.Agent.vg
Path: C:\WINDOWS\system32\winhoo32.dll
Risk: High

Name: Adware.PurityScan
Path: C:\WINDOWS\system32\winlogon.dll
Risk: Medium

Name: Trojan.Dialer.oy
Path: C:\WINDOWS\Temp\win40.tmp.exe
Risk: High

Name: Trojan.Dialer.oy
Path: C:\WINDOWS\Temp\win44.tmp.exe
Risk: High

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 17 June 2006 - 10:18 AM

So, you weren't able to retrieve the Uninstall log?

Look in Add/Remove Programs and see if there are any entries including these letters:

OIN


See if you can attach the Ewido report to the next post.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by Cretemonster, 17 June 2006 - 10:19 AM.




