HijackThis Log: Please Help Diagnose

24 replies to this topic

#1 BlackHayate

Posted 20 June 2006 - 11:51 PM

Hi, I'm new to this forum, and I have a problem with my laptop. It doesn't seem to be able to access the internet. I described my problem in detail here first: http://www.bleepingcomputer.com/forums/t/56042/cannot-browse-internet/

After I ran AdAware and Spybot, I cannot seem to be able to delete this virus called Smitfraud-C.
And after I did everything that I could, nothing seems to go the way that I wanted. So, this is my HijackThis log after I ran Spybot and AdAware:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:48 PM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\ef10b081.exe
C:\WINDOWS\system32\178a904c.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Siam\Desktop\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.3
O2 - BHO: XBTP05231 - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkhfdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ef10b081.exe] C:\WINDOWS\system32\ef10b081.exe
O4 - HKLM\..\Run: [178a904c.exe] C:\WINDOWS\system32\178a904c.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ef10b081.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\ef10b081.exe
O4 - HKCU\..\Run: [178a904c.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\178a904c.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: ping.dll C:\WINDOWS\system32\ping.dll
O20 - Winlogon Notify: jkkhfdb - C:\WINDOWS\SYSTEM32\jkkhfdb.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


I apologize for my language because I don't know English that well. I hope I followed the HijackThis tutorial right...
Thank you for your time.

#2 BlackHayate (Topic Starter)

Posted 21 June 2006 - 08:51 AM

Is there anybody that can help me? I need my laptop to set up wireless soon.

#3 MFDnSC (Ret. Director I/T)

Posted 21 June 2006 - 09:26 AM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present). We'll get to them in the next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

=======================
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new HijackThis log.

#4 miekiemoes (Malware Response Team)

Posted 21 June 2006 - 09:27 AM

Hello,

You are dealing with several nasty infections.

I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

AVG, Avira OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system!
Running several together can cause problems and seriously decrease their reliability!
ZoneAlarm, Agnitum Outpost Free OR Kerio are FREE firewalls.

Understanding and using firewalls

Please perform my next steps in exactly the same order...

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Then,

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the following bold part:

C:\WINDOWS\system32\ef10b081.exe
C:\WINDOWS\system32\178a904c.exe
C:\Documents and Settings\Siam\Local Settings\Application Data\ef10b081.exe
C:\Documents and Settings\Siam\Local Settings\Application Data\178a904c.exe
C:\WINDOWS\system32\ping.dll


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkhfdb.dll
O4 - HKLM\..\Run: [ef10b081.exe] C:\WINDOWS\system32\ef10b081.exe
O4 - HKLM\..\Run: [178a904c.exe] C:\WINDOWS\system32\178a904c.exe
O4 - HKCU\..\Run: [ef10b081.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\ef10b081.exe
O4 - HKCU\..\Run: [178a904c.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\178a904c.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O20 - AppInit_DLLs: ping.dll C:\WINDOWS\system32\ping.dll
O20 - Winlogon Notify: jkkhfdb - C:\WINDOWS\SYSTEM32\jkkhfdb.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says that nothing has been found, right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\System32\jkkhfdb.dll
  • Copy and paste the following into the second field: C:\WINDOWS\System32\bdfhkkj.*
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#5 miekiemoes (Malware Response Team)

Posted 21 June 2006 - 09:29 AM

To fix the Smitfraud-C problem that Spybot keeps reporting, do the following:

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'Install'.

#6 BlackHayate (Topic Starter)

Posted 22 June 2006 - 02:16 AM

This is a reply for MFDnSC

Here is the report for SmitfraudFix:
SmitFraudFix v2.62

Scan done at 10:51:54.73, Wed 06/21/2006
Run from C:\Documents and Settings\Siam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Siam\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Siam\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


Here is the report for SpySweeper:

********
10:59 AM: | Start of Session, Wednesday, June 21, 2006 |
10:59 AM: Spy Sweeper started
10:59 AM: Sweep initiated using definitions version 556
10:59 AM: Starting Memory Sweep
11:04 AM: Memory Sweep Complete, Elapsed Time: 00:05:24
11:04 AM: Starting Registry Sweep
11:04 AM: Found Adware: cws_ns3
11:04 AM: HKCR\clsid\{2b284248-d0fe-c340-0d87-abd55dd24bfa}\ (6 subtraces) (ID = 117747)
11:04 AM: HKCR\clsid\{2bfab072-a3f3-0a97-6990-3673392b7dfc}\ (6 subtraces) (ID = 117750)
11:04 AM: HKCR\clsid\{1486290a-90c1-388f-adc8-6bfaa6b057e8}\ (4 subtraces) (ID = 118667)
11:04 AM: HKCR\clsid\{e36a99d7-088f-a5e8-1ba4-87116d938d49}\ (6 subtraces) (ID = 119237)
11:04 AM: HKCR\clsid\{e65a202a-2d31-566f-2fc5-0e6a5ad3e4d4}\localserver32\ (1 subtraces) (ID = 119246)
11:04 AM: HKLM\software\classes\clsid\{2b284248-d0fe-c340-0d87-abd55dd24bfa}\ (6 subtraces) (ID = 119623)
11:04 AM: HKLM\software\classes\clsid\{2bfab072-a3f3-0a97-6990-3673392b7dfc}\ (6 subtraces) (ID = 119626)
11:04 AM: HKLM\software\classes\clsid\{1486290a-90c1-388f-adc8-6bfaa6b057e8}\ (4 subtraces) (ID = 120512)
11:04 AM: HKLM\software\classes\clsid\{e36a99d7-088f-a5e8-1ba4-87116d938d49}\ (6 subtraces) (ID = 121071)
11:04 AM: HKLM\software\classes\clsid\{e65a202a-2d31-566f-2fc5-0e6a5ad3e4d4}\localserver32\ (1 subtraces) (ID = 121080)
11:04 AM: Found Adware: cws_tiny0
11:04 AM: HKCR\clsid\{0ecebd98-802f-9b4d-7308-c983a18edbec}\ (4 subtraces) (ID = 123811)
11:04 AM: HKLM\software\classes\clsid\{0ecebd98-802f-9b4d-7308-c983a18edbec}\ (4 subtraces) (ID = 124047)
11:05 AM: Found Trojan Horse: trojan_downloader_tibser
11:05 AM: HKCR\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (9 subtraces) (ID = 145087)
11:05 AM: HKLM\software\classes\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (9 subtraces) (ID = 145104)
11:05 AM: Found Adware: psguard
11:05 AM: HKCR\clsid\{045a8282-70b5-43f7-8bfe-c6d558e2960f}\ (5 subtraces) (ID = 657219)
11:05 AM: HKCR\clsid\{0a87d8c7-6113-4495-bd8e-a13bbe76e5fd}\ (5 subtraces) (ID = 657225)
11:05 AM: HKCR\clsid\{2b49daab-b35e-4a9d-a2ea-57e484d8faaf}\ (5 subtraces) (ID = 657231)
11:05 AM: HKCR\clsid\{2f65fa6f-6b85-47ce-a34a-9c0a9267ce9a}\ (15 subtraces) (ID = 657237)
11:05 AM: HKCR\clsid\{30520534-582b-4717-b68c-2a02e45f4a2c}\ (5 subtraces) (ID = 657253)
11:05 AM: HKCR\clsid\{3288e2ce-00a8-40f3-b8de-07d967cd11cf}\ (5 subtraces) (ID = 657259)
11:05 AM: HKCR\clsid\{3dc0833c-364a-4b7f-a663-5fe0d563a1d5}\ (5 subtraces) (ID = 657265)
11:05 AM: HKCR\clsid\{41a02f48-69d0-4a89-ba2d-92fae96aee59}\ (15 subtraces) (ID = 657271)
11:05 AM: HKCR\clsid\{43cec8b3-576c-4437-8cd1-c49b5e485a32}\ (5 subtraces) (ID = 657287)
11:05 AM: HKCR\clsid\{4458a7e2-b56e-4046-8785-a40150f03edb}\ (5 subtraces) (ID = 657293)
11:05 AM: HKCR\clsid\{49e0cc18-98f7-4403-8110-08f731a0cd51}\ (5 subtraces) (ID = 657299)
11:05 AM: HKCR\clsid\{4c05c0e8-68e4-4c34-9721-070227441ae8}\ (15 subtraces) (ID = 657305)
11:05 AM: HKCR\clsid\{6dbd7f86-82ba-453d-81cf-af49e144082f}\ (5 subtraces) (ID = 657321)
11:05 AM: HKCR\clsid\{93191df7-f23f-4074-91cd-39ff107cfa6b}\ (5 subtraces) (ID = 657327)
11:05 AM: HKCR\clsid\{9d9497b7-38e5-47ab-b75b-e97f164a3848}\ (15 subtraces) (ID = 657333)
11:05 AM: HKCR\clsid\{a04e7947-6800-40a2-a717-505716d20f57}\ (6 subtraces) (ID = 657349)
11:05 AM: HKCR\clsid\{ad6880b6-aa87-4404-9015-367975d43647}\ (15 subtraces) (ID = 657356)
11:05 AM: HKCR\clsid\{b3fa8f72-4637-4412-a361-b78fb7bfdc3b}\ (5 subtraces) (ID = 657372)
11:05 AM: HKCR\clsid\{c32be913-b637-4f51-8247-8f5b57127620}\ (15 subtraces) (ID = 657378)
11:05 AM: HKCR\clsid\{d645ea00-cf93-463a-b111-11f22dccbb3c}\ (15 subtraces) (ID = 657394)
11:05 AM: HKCR\clsid\{d6532056-db71-4127-b404-07bdcd2ba4fe}\ (15 subtraces) (ID = 657410)
11:05 AM: HKCR\clsid\{f6c815b9-da7a-4907-b980-cc2024e6c7fa}\ (5 subtraces) (ID = 657426)
11:05 AM: HKCR\clsid\{ffe54f5b-2ee3-4f84-82f7-690ee6be4392}\ (5 subtraces) (ID = 657432)
11:05 AM: HKLM\software\classes\clsid\{045a8282-70b5-43f7-8bfe-c6d558e2960f}\ (5 subtraces) (ID = 657476)
11:05 AM: HKLM\software\classes\clsid\{0a87d8c7-6113-4495-bd8e-a13bbe76e5fd}\ (5 subtraces) (ID = 657482)
11:05 AM: HKLM\software\classes\clsid\{2f65fa6f-6b85-47ce-a34a-9c0a9267ce9a}\ (15 subtraces) (ID = 657494)
11:05 AM: HKLM\software\classes\clsid\{30520534-582b-4717-b68c-2a02e45f4a2c}\ (5 subtraces) (ID = 657510)
11:05 AM: HKLM\software\classes\clsid\{3288e2ce-00a8-40f3-b8de-07d967cd11cf}\ (5 subtraces) (ID = 657516)
11:05 AM: HKLM\software\classes\clsid\{3dc0833c-364a-4b7f-a663-5fe0d563a1d5}\ (5 subtraces) (ID = 657522)
11:05 AM: HKLM\software\classes\clsid\{41a02f48-69d0-4a89-ba2d-92fae96aee59}\ (15 subtraces) (ID = 657528)
11:05 AM: HKLM\software\classes\clsid\{43cec8b3-576c-4437-8cd1-c49b5e485a32}\ (5 subtraces) (ID = 657544)
11:05 AM: HKLM\software\classes\clsid\{4458a7e2-b56e-4046-8785-a40150f03edb}\ (5 subtraces) (ID = 657550)
11:05 AM: HKLM\software\classes\clsid\{49e0cc18-98f7-4403-8110-08f731a0cd51}\ (5 subtraces) (ID = 657556)
11:05 AM: HKLM\software\classes\clsid\{4c05c0e8-68e4-4c34-9721-070227441ae8}\ (15 subtraces) (ID = 657562)
11:05 AM: HKLM\software\classes\clsid\{6dbd7f86-82ba-453d-81cf-af49e144082f}\ (5 subtraces) (ID = 657578)
11:05 AM: HKLM\software\classes\clsid\{93191df7-f23f-4074-91cd-39ff107cfa6b}\ (5 subtraces) (ID = 657584)
11:05 AM: HKLM\software\classes\clsid\{9d9497b7-38e5-47ab-b75b-e97f164a3848}\ (15 subtraces) (ID = 657590)
11:05 AM: HKLM\software\classes\clsid\{a04e7947-6800-40a2-a717-505716d20f57}\ (6 subtraces) (ID = 657606)
11:05 AM: HKLM\software\classes\clsid\{ad6880b6-aa87-4404-9015-367975d43647}\ (15 subtraces) (ID = 657613)
11:05 AM: HKLM\software\classes\clsid\{b3fa8f72-4637-4412-a361-b78fb7bfdc3b}\ (5 subtraces) (ID = 657629)
11:05 AM: HKLM\software\classes\clsid\{c32be913-b637-4f51-8247-8f5b57127620}\ (15 subtraces) (ID = 657635)
11:05 AM: HKLM\software\classes\clsid\{d645ea00-cf93-463a-b111-11f22dccbb3c}\ (15 subtraces) (ID = 657651)
11:05 AM: HKLM\software\classes\clsid\{d6532056-db71-4127-b404-07bdcd2ba4fe}\ (15 subtraces) (ID = 657667)
11:05 AM: HKLM\software\classes\clsid\{f6c815b9-da7a-4907-b980-cc2024e6c7fa}\ (5 subtraces) (ID = 657683)
11:05 AM: HKLM\software\classes\clsid\{ffe54f5b-2ee3-4f84-82f7-690ee6be4392}\ (5 subtraces) (ID = 657689)
11:05 AM: Registry Sweep Complete, Elapsed Time:00:00:48
11:05 AM: Starting Cookie Sweep
11:05 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:05 AM: Starting File Sweep
11:14 AM: Found Adware: cws-aboutblank
11:14 AM: iaxfq.txt:vvumty (ID = 54882)
11:16 AM: setupapi.log:isglok (ID = 54882)
11:18 AM: kb896423.log:nnjphb (ID = 54882)
11:24 AM: netfxocm.log:gfoazu (ID = 54882)
11:25 AM: kb887472.log:gmwjqs (ID = 54882)
11:25 AM: Found Adware: zenosearchassistant
11:25 AM: a0077623.cfg (ID = 91140)
11:25 AM: Found Adware: java byteverify
11:25 AM: classload.jar-5b2a33e6-1237b07e.zip (ID = 64823)
11:25 AM: jar.jar-3f1991e2-76586271.zip (ID = 64818)
11:25 AM: jar.jar-2ad522e1-4d7e092f.zip (ID = 64818)
11:25 AM: jar.jar-1ba13978-6b3383b6.zip (ID = 64818)
11:28 AM: jar.jar-2fe5a879-156f5f12.zip (ID = 64818)
11:34 AM: File Sweep Complete, Elapsed Time: 00:28:51
11:34 AM: Full Sweep has completed. Elapsed time 00:35:17
11:34 AM: Traces Found: 529
3:36 PM: Removal process initiated
3:37 PM: Quarantining All Traces: cws_ns3
3:37 PM: Quarantining All Traces: cws-aboutblank
3:37 PM: Quarantining All Traces: trojan_downloader_tibser
3:37 PM: Quarantining All Traces: cws_tiny0
3:37 PM: Quarantining All Traces: java byteverify
3:37 PM: Quarantining All Traces: psguard
3:37 PM: Quarantining All Traces: zenosearchassistant
3:38 PM: Removal process completed. Elapsed time 00:01:51
********
10:54 AM: | Start of Session, Wednesday, June 21, 2006 |
10:54 AM: Spy Sweeper started

And here is the report for HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 3:54:32 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\WINDOWS\system32\ef10b081.exe
C:\WINDOWS\system32\178a904c.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Siam\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.3
O2 - BHO: XBTP05231 - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\jkkhfdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ef10b081.exe] C:\WINDOWS\system32\ef10b081.exe
O4 - HKLM\..\Run: [178a904c.exe] C:\WINDOWS\system32\178a904c.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [ef10b081.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\ef10b081.exe
O4 - HKCU\..\Run: [178a904c.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\178a904c.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: ping.dll C:\WINDOWS\system32\ping.dll
O20 - Winlogon Notify: jkkhfdb - C:\WINDOWS\SYSTEM32\jkkhfdb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I hope these problems will be over soon...

#7 BlackHayate (Topic Starter)

Posted 22 June 2006 - 02:23 AM

This is the reply for miekiemoes

When I used HijackThis to delete the files that you told me, I got an error from one of them. Here is the error I got:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: ping.dll C:\WINDOWS\system32\ping.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


This is the VundoFix report:


VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 4:44:06 PM 6/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkkhfdb.dll

Attempting to delete C:\WINDOWS\system32\jkkhfdb.dll
C:\WINDOWS\system32\jkkhfdb.dll Could not be deleted.

Performing Repairs to the registry.
Done!

And Here is the new HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:37 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Siam\Desktop\HijackThis.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.3
O2 - BHO: XBTP05231 - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Hope this will be finished soon. When I tried to add this file: C:\WINDOWS\System32\bdfhkkj.* to VundoFix, it did not get added.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 22 June 2006 - 06:10 AM

Oops, I didn't see that MFDnSC also replied to your post.

Yes, it is normal to get an error when you check and fix an O20 - AppInit_DLLs entry in HijackThis. It fails at creating a backup, but the key is deleted anyway.

It looks like VundoFix succeeded in deleting the key in the registry, but not the file. That one can now be deleted manually, since it's not hooked anymore.

Check and fix the next entry in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Then delete the next file if it is still present:

C:\WINDOWS\system32\jkkhfdb.dll

Let me know in your next reply how things are running now. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
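The reply above explains why those O4, O20 and R1 entries matter. As an added example (not part of this thread, and not HijackThis's own logic), here is a small Python triage script that applies the same reasoning to HijackThis v1.99 log lines. The sample lines are copied from the logs posted above; every heuristic (the 8-hex-digit name rule, the vowel-less DLL name rule, treating any AppInit_DLLs entry and any AutoConfigURL as worth a look, and pairing HKLM/HKCU Run entries by name) is this example's own assumption.

```python
"""Triage a HijackThis v1.99 log for the persistence entries discussed in this thread.

Added example: the heuristics below are assumptions of this example, not
HijackThis logic; the sample lines are copied from the logs posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied from the logs above, plus one benign Java line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ef10b081.exe] C:\WINDOWS\system32\ef10b081.exe
O4 - HKLM\..\Run: [178a904c.exe] C:\WINDOWS\system32\178a904c.exe
O4 - HKCU\..\Run: [ef10b081.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\ef10b081.exe
O4 - HKCU\..\Run: [178a904c.exe] C:\Documents and Settings\Siam\Local Settings\Application Data\178a904c.exe
O20 - AppInit_DLLs: ping.dll C:\WINDOWS\system32\ping.dll
O20 - Winlogon Notify: jkkhfdb - C:\WINDOWS\SYSTEM32\jkkhfdb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.3
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
R1_PAC_RE = re.compile(r"^R1 - .*Internet Settings,AutoConfigURL = (?P<url>.+)$")

HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)                 # ef10b081, 178a904c
VOWELLESS = re.compile(r"^[b-df-hj-np-tv-z]{5,}$", re.I)  # jkkhfdb-style names


@dataclass
class Finding:
    section: str   # HijackThis section: O4, O20, R1
    reason: str
    line: str


def _module_name(cmd: str) -> str:
    """Return the file name (without extension) of the first exe/dll in a command line."""
    m = re.search(r'([^\\/"]+?)\.(?:exe|dll|com|scr)\b', cmd, re.I)
    return m.group(1) if m else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_hives: dict[str, set[str]] = {}   # O4 value name -> hives it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            run_hives.setdefault(m["name"], set()).add(m["hive"])
            mod = _module_name(m["cmd"])
            if HEX8.match(mod):
                findings.append(Finding("O4", f"random 8-hex-digit executable {mod}.exe", line))
            elif "\\Local Settings\\Application Data\\" in m["cmd"]:
                findings.append(Finding("O4", "autorun from the per-user Local Settings folder", line))
        elif m := O20_APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding("O20", f"AppInit_DLLs injects {m['dlls']} into every GUI process", line))
        elif m := O20_NOTIFY_RE.match(line):
            mod = _module_name(m["path"])
            if VOWELLESS.match(mod):
                findings.append(Finding("O20", f"Winlogon Notify DLL with pseudo-random name {mod}.dll", line))
        elif m := R1_PAC_RE.match(line):
            # A proxy auto-config URL silently routes browser traffic through whatever it names.
            findings.append(Finding("R1", f"proxy auto-config URL set to {m['url']}", line))
    for name, hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(Finding("O4", f"{name} registered in both HKLM and HKCU Run (paired persistence)", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample it reports the four hex-named Run entries, the two HKLM/HKCU pairs, the AppInit_DLLs line, the jkkhfdb Notify DLL and the AutoConfigURL, and stays silent on the Java updater and the Webroot WRLogonNTF.dll entry. The name rules are only a prompt to look closer; a verdict still needs the file itself.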

#9 BlackHayate (Topic Starter)

Posted 22 June 2006 - 07:58 PM

My Internet is still unusable, like before. I don't think it's because of viruses; I think there might be some files missing, but I do not know for sure. :thumbsup: Another thing: it seems the internet does load some pages that have a really small number of links, pictures, and text (only pages with text only can be viewed most of the time).

And another thing: my Xbox 360 is hooked to the same router so I can access my music from my computers, and it is working fine, so I hope that might help a little. I still think there might be some files missing, and I hope I don't have to reinstall, because I don't have Windows XP Pro SP2, since it was pre-installed :flowers:

#10 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 23 June 2006 - 02:10 AM

Have you already tried Firefox and checked whether you have the same problem with it?

Your internet is unusable; can you give a more detailed explanation? As I understand from your post, the pages only load halfway?
Have you already tried in Safe Mode?

#11 BlackHayate (Topic Starter)

Posted 23 June 2006 - 04:09 AM

I did try Firefox and it's still the same. Safe Mode too.

How should I explain...? Well, before it started happening like this, I downloaded some files (KeyGen) and it infected me with viruses (I know it's a virus because I experienced almost the same thing before), but this time it's almost like 5 different ones at the same time. Damn, now I remember, I used Spyware Doctor to fix/delete viruses. When it finished scanning, it showed about 300 infected files, so I checked all of them and fixed/deleted them. After that, I still had some viruses left, and my internet stopped working.

When it tries to load, it only goes halfway (nothing in the page shows, though). But some sites that have only text and maybe one or 2 pictures and links can be accessed easily enough. I can't check my internet connection status; when I tried clicking on it, it didn't show up. I just hope that I don't have to reinstall the whole of Windows because of this.

And after you helped me, it seems to be a bit better but not so great. The only thing I noticed is that when I start up my laptop, it became very, very slow. But after you helped, it became faster, but still not back to normal speed, though. I hope this information helps enough...

EDIT: and one more thing, I can still use Instant Messaging with no problem. So if I conclude this myself, I would say that anything that has a mid-to-large file, I can't load it or use it.

Edited by BlackHayate, 23 June 2006 - 04:14 AM.


#12 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 23 June 2006 - 04:25 AM

Well, the problems you are having don't surprise me at all - malware damages A LOT, and not everything can always be repaired like this.
It looks like there is most probably still something present, so we have to make sure all malware is eliminated before we can *try* to fix the other problems.

Ok, let's start with additional tools...

First of all, * Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Then, * Download ComboFix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

Most probably it will say that 'nothing' was found and only produce a log. That log is important, so post the contents of C:\combofix.txt in your next reply.

Are you able to run online scanners? If so, I would like you to perform the next online scan:

Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply as well.

#13 BlackHayate (Topic Starter)

Posted 23 June 2006 - 04:49 AM

The Kaspersky Webscan did not work: I can access the page but got an error, and I didn't get a download message when I clicked 'accept'. But here is the log for ComboFix:

Start Time= Fri 06/23/2006 4:38:28.93
Running from: C:\DOCUME~1\SIAM\DESKTOP\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-23 03:40:26 ( .D... ) "C:\Documents and Settings\Siam\Application Data\Mozilla"
2006-06-23 03:40:22 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-21 17:02:58 ( .D... ) "C:\Program Files\Zone Labs"
2006-06-21 16:58:36 ( .D... ) "C:\Documents and Settings\Siam\Application Data\AVG7"
2006-06-21 16:57:40 ( .D... ) "C:\Program Files\Grisoft"
2006-06-21 10:53:36 ( .D... ) "C:\Program Files\Webroot"
2006-06-19 01:03:10 ( .D... ) "C:\Documents and Settings\Siam\Application Data\PC Tools"
2006-06-18 22:41:22 0 ( A.... ) "C:\WINDOWS\ms060252-797952006.exe"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-06-18 17:54:24 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-06-18 17:54:24 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-06-18 17:54:22 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-06-18 17:54:22 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-06-18 17:54:20 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-18 17:54:08 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-06-18 05:34:34 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-18 05:34:14 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-06-18 05:34:14 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-06-18 05:34:12 50688 ( A.S.. ) "C:\WINDOWS\NDNuninstall6_38.exe"
2006-06-18 05:34:08 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-18 05:33:54 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-18 05:33:54 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-18 05:33:32 ( .D... ) "C:\Program Files\Common Files\mfqq"
2006-06-18 05:32:14 159833 ( A.... ) "C:\WINDOWS\system32\qwinpqez.exe"
2006-06-18 05:29:48 ( .D... ) "C:\Program Files\??stem"
2006-06-17 17:49:20 65536 ( A.... ) "C:\WINDOWS\IFinst27.exe"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-06-13 23:27:44 34308 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-06-08 20:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-07 00:37:24 ( .D... ) "C:\Program Files\MsnMusic"
2006-06-01 13:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 10:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-28 18:30:32 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2006-05-19 10:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 00:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-14 03:44:08 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-11 03:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 21:24:18 ( .D... ) "C:\Program Files\All Video to VCD SVCD DVD Creator & Burner"
2006-05-10 00:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-10 00:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 00:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-10 00:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-10 00:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-10 00:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-10 00:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-10 00:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-10 00:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 00:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-10 00:23:00 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 00:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-08 17:49:18 ( .D... ) "C:\Program Files\KONAMI"
2006-05-02 16:23:10 ( .D... ) "C:\Program Files\WinAVI MP4 Converter"
2006-05-02 15:45:30 ( .D... ) "C:\Documents and Settings\Siam\Application Data\Sony Ericsson"
2006-05-02 07:19:50 ( .D... ) "C:\Documents and Settings\Siam\Application Data\Teleca"
2006-05-02 07:18:34 ( .D... ) "C:\Program Files\Common Files\Teleca Shared"
2006-05-02 07:18:18 ( .D... ) "C:\Program Files\Sony Ericsson"
2006-05-01 16:39:36 ( .D... ) "C:\Program Files\Disc2Phone"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-27 17:49:30 288417 ( A.... ) "C:\WINDOWS\system32\SrchSTS.exe"
2006-04-19 15:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 15:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 15:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 15:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 17:34:58 421888 ( A.... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 17:34:58 372736 ( A.... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 17:34:58 172032 ( A.... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 17:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 17:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 17:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 17:34:56 339968 ( A.... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 17:34:56 28672 ( A.... ) "C:\WINDOWS\system32\vxblock.dll"
2006-04-18 17:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 17:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 17:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 17:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 17:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 17:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 17:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 17:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 17:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 17:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 17:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 17:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 17:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 13:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"Ulead Quick-Drop"="\"C:\\Program Files\\Ulead Systems\\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\\Ulead Quick-Drop 1.0\\Quick-Drop.exe\" WINDOWCALL"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"DLPSP"="\"c:\\program files\\dell printers\\Additional Color Laser Software\\Status Monitor\\DLPSP.EXE\""
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""


Contents of the 'Scheduled Tasks' folder

Completion time: Fri 06/23/2006 4:40:09.92
ComboFix ver 06.06.23.2 - This logfile is located at C:\ComboFix.txt

#14 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 23 June 2006 - 05:43 AM

Hi,

Delete next files and folders:

C:\WINDOWS\ms060252-797952006.exe
C:\WINDOWS\system32tfthot.exe
C:\WINDOWS\system32ftuninst.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\gbe90qs.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\system32\ftuninst.exe
C:\Program Files\Common Files\mfqq <== folder
C:\WINDOWS\system32\qwinpqez.exe
C:\Program Files\??stem <== this folder will look like "system". Make sure you don't delete this one anywhere else! If you right-click that folder and choose Properties, it will be dated 2006-06-18 05:29:48
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\nr1rnqm8.exe

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok]

[-HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1]

[-HKEY_CLASSES_ROOT\Fseytdc.Yvakt]

[-HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1]

[-HKEY_CLASSES_ROOT\CLSID\{5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915}]

[-HKEY_CLASSES_ROOT\CLSID\{624A3CDB-8C0A-4902-8480-191582C8498E}]

[-HKEY_CLASSES_ROOT\Interface\{47F2B86D-82A1-44F5-A78B-136AC5496094}]

[-HKEY_CLASSES_ROOT\TypeLib\{90AFF1EF-C901-4991-8D61-5BEEA455E090}]


Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: [image]
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

"I can access the page but got an error, and I didn't get a download message when I clicked 'accept'"

Can you tell me what error that is?
Also, it's not really a download message you get, but an ActiveX control.

I noticed you also downloaded and installed ZoneAlarm. Can you disable ZoneAlarm and check if the internet works better? I've seen so many users download/install ZoneAlarm without configuring it properly: they choose maximum protection in the settings and maximum protection in the Privacy options as well. Result: pages won't load properly, images get blocked, ActiveX gets blocked, etc.
And if I read your posts, when loading the internet, not all images are displayed either. And you have the same in Firefox. So this is not an Internet Explorer issue, but a third-party scanner.
So open ZoneAlarm and set every setting to default - normal, or even low, as a check.
Also, choose the Privacy option in ZoneAlarm and set it to lowest. Then reboot. That's the only way to find out, because I guess it's your ZoneAlarm interfering here.

Also, right-click your Spy Sweeper icon in the system tray and choose Exit.

In case there's no change, I want you to start your system in Safe Mode WITH networking support and check if you are still having the same problem.

You say that your laptop was very slow - after you fixed some things, it became faster, but still not the same as when your system was not infected.
Well, before, you didn't have any firewall or antivirus installed either. So it is totally normal that your system is slower than before, because these programs are running in the background, monitoring everything to prevent malware from being installed. This is normal - but you really need those scanners! Otherwise you'll get infected again in no time.
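The delete list in the reply above was picked by hand out of the ComboFix Find3M report posted earlier: a burst of executables dropped into C:\WINDOWS and system32 within a few minutes of each other on 2006-06-18, a zero-byte .exe, an .exe carrying the System attribute, and a folder whose name the console could only print as "??stem". As an added example (not from this thread, and not ComboFix's own logic), here is a Python script that parses Find3M lines and surfaces exactly those signals. The sample is a subset copied from the ComboFix log above; the five-minute burst window, the three-file minimum, and the treatment of "?" as an unrepresentable character are this example's own assumptions.

```python
"""Triage a ComboFix Find3M listing (files and folders changed in the last three months).

Added example for this thread; the checks are this example's assumptions, not ComboFix logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One Find3M line: timestamp, optional size (absent for directories), attribute flags, quoted path.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<size>\d+)\s+)?\(\s*(?P<attrs>[A-Z.]+)\s*\)\s+"(?P<path>.+)"$'
)

# Constructed sample: a subset of the Find3M lines from the ComboFix log posted above.
SAMPLE = r'''
2006-06-21 16:57:40 ( .D... ) "C:\Program Files\Grisoft"
2006-06-18 22:41:22 0 ( A.... ) "C:\WINDOWS\ms060252-797952006.exe"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-06-18 05:34:34 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-18 05:34:12 50688 ( A.S.. ) "C:\WINDOWS\NDNuninstall6_38.exe"
2006-06-18 05:34:08 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-18 05:33:54 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-18 05:33:54 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-18 05:33:32 ( .D... ) "C:\Program Files\Common Files\mfqq"
2006-06-18 05:32:14 159833 ( A.... ) "C:\WINDOWS\system32\qwinpqez.exe"
2006-06-18 05:29:48 ( .D... ) "C:\Program Files\??stem"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-06-08 20:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
'''

EXE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
WINDIRS = ("C:\\WINDOWS\\", "C:\\WINDOWS\\SYSTEM32\\")


@dataclass
class Entry:
    when: datetime
    size: int | None      # None for directories
    attrs: str            # ComboFix attribute flags, e.g. "A.S.." or ".D..."
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(listing: str) -> list[Entry]:
    entries = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            size = int(m["size"]) if m["size"] else None
            entries.append(Entry(when, size, m["attrs"], m["path"]))
    return entries


def is_windows_exe(e: Entry) -> bool:
    """Executable sitting directly in the Windows or system32 directory (not deeper)."""
    parent = e.path.rsplit("\\", 1)[0].upper() + "\\"
    return not e.is_dir and e.name.lower().endswith(EXE_EXT) and parent in WINDIRS


def flag_entries(entries: list[Entry]) -> dict[str, list[str]]:
    flags: dict[str, list[str]] = {"invalid_char": [], "zero_byte_exe": [], "system_attr_exe": []}
    for e in entries:
        # '?' is not a legal Windows file name character, so its presence means the console
        # could not render the real character: that is how a folder impersonates "system".
        if "?" in e.name:
            flags["invalid_char"].append(e.path)
        if is_windows_exe(e):
            if e.size == 0:
                flags["zero_byte_exe"].append(e.path)      # an empty executable needs explaining
            if "S" in e.attrs:
                flags["system_attr_exe"].append(e.path)    # System attribute hides it in Explorer
    return flags


def bursts(entries: list[Entry], gap: timedelta = timedelta(minutes=5), min_files: int = 3) -> list[list[Entry]]:
    """Group Windows-directory executables written within `gap` of one another."""
    exes = sorted((e for e in entries if is_windows_exe(e)), key=lambda e: e.when)
    groups: list[list[Entry]] = []
    for e in exes:
        if groups and e.when - groups[-1][-1].when <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return [g for g in groups if len(g) >= min_files]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for kind, paths in flag_entries(parsed).items():
        for p in paths:
            print(f"[{kind}] {p}")
    for group in bursts(parsed):
        print(f"[burst] {len(group)} files between {group[0].when} and {group[-1].when}:")
        for e in group:
            print(f"    {e.when:%H:%M:%S}  {e.path}")
```

On the sample this yields one burst (the six files written between 05:32:14 and 05:34:34 on 2006-06-18) plus the "??stem" folder, the zero-byte ms060252-797952006.exe and the System-attributed NDNuninstall6_38.exe. A burst is only a prompt to look closer: in the full listing the ZoneAlarm install at 17:54 the same day produces one too, which is why the reply pairs the list with names, dates and a look at each file.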

#15 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 29 June 2006 - 05:19 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



