Can Someone Help Fix My Computer Please?


This topic is locked
24 replies to this topic

#1 cardinals5883
  • Members
  • 30 posts

Posted 22 June 2006 - 07:41 PM

Hello all! My computer is having major problems and I don't know the first thing about identifying them and getting rid of them. I am pretty sure the "surfsidekick" spyware thing was one of them and probably still is. I followed the instructions on this site to get rid of it and am not sure how successful I was. Anyways, I know there is still plenty wrong with my computer - pop-ups, links that don't work, IE randomly shutting down, etc. Here is a copy of my HiJackThis log. Any help would be greatly appreciated! Thank you in advance!

#2 cardinals5883
  • Topic Starter
  • Members
  • 30 posts

Posted 22 June 2006 - 07:43 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:37:54 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\R3JlZyBCb2JiaXR0\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\rcss.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
C:\DOCUME~1\Brian\LOCALS~1\Temp\!update.exe
C:\WINDOWS\system32\RACLE~1\taskmgr.exe
C:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jkvle.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tfdppnf.exe
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Vlvo] C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
O4 - HKCU\..\Run: [Test] "C:\WINDOWS\system32\RACLE~1\taskmgr.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...0d34af26c7c6dd9
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: services.dll msiexec.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnj0011me.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\WGVADVE.DLL (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\umnpui.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R3JlZyBCb2JiaXR0\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)
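
As an added example (not code from this thread, from HijackThis, or from BleepingComputer), the script below applies the kind of reading a helper does to a log like the one above: it parses HijackThis v1.99 lines by section and returns, for each line, the reasons it deserves a second look. The sample lines are copied from the log posted above; the heuristics, the function names and the set of default Winlogon notify packages (taken from the ComboFix output later in the thread, assumed complete for Windows XP) are this example's own assumptions. It flags candidates for review, it does not decide what is malware.

```python
import re
from typing import List, Tuple

# Constructed sample input: HijackThis v1.99 lines of the kind posted in
# this thread, mixing entries that deserve a second look with ordinary ones.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jkvle.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tfdppnf.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKCU\..\Run: [Vlvo] C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://*.winfixer.com
O20 - AppInit_DLLs: services.dll msiexec.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnj0011me.dll
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# "O4 - <body>", "F2 - <body>", ...; lines that are not entries are ignored.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in an executable/DLL; quotes and commas end it.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|scr))\b', re.IGNORECASE)

# Default Winlogon notify packages of Windows XP, as enumerated in the
# ComboFix output in this thread (assumption: that list is complete here).
XP_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif"}


def looks_generated(stem: str) -> bool:
    """Heuristic: names with digits mixed in or with no vowels at all
    (mptft, ssn6tuu, nr1rnqm8) are typical of dropper-generated filenames.
    Legitimate names trip this too, so it only earns a review flag."""
    s = stem.lower()
    return any(c.isdigit() for c in s) or not any(c in "aeiou" for c in s)


def _first_path(text: str) -> str:
    m = PATH_RE.search(text)
    return m.group(1) if m else ""


def triage_line(line: str) -> List[str]:
    """Return the reasons this HijackThis line deserves review (empty = none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []

    if section == "F2" and body.startswith("REG:system.ini:"):
        # Shell= should be Explorer.exe alone; UserInit= userinit.exe alone.
        key, _, value = body[len("REG:system.ini:"):].strip().partition("=")
        entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
        expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}.get(key.strip())
        extra = [e for e in entries if expected and not e.lower().endswith(expected)]
        if extra:
            reasons.append(f"{key.strip()}= also loads {', '.join(extra)}; only {expected} is expected")
    elif section == "O4":
        path = _first_path(body)
        upper = path.upper()
        if "\\TEMP\\" in upper or "DOCUME~1" in upper or "LOCAL SETTINGS" in upper:
            reasons.append("autorun launched from a user profile or Temp location")
        if "~" in path:
            reasons.append("8.3 short-name path: resolve the full path before judging it")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem and looks_generated(stem):
            reasons.append(f"executable name '{stem}' looks machine-generated")
    elif section == "O10":
        reasons.append("Winsock LSP hijack reported by HijackThis")
    elif section == "O15":
        reasons.append("site added to the IE Trusted Zone (relaxed security settings apply to it)")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].split()
        if dlls:
            reasons.append(f"AppInit_DLLs loads {', '.join(dlls)} into every process that uses user32.dll")
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        name = body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
        if name.lower() not in XP_NOTIFY_PACKAGES:
            reasons.append(f"Winlogon notify package '{name}' is not an XP default")
    elif section == "O23" and "- Unknown owner -" in body:
        reasons.append("service with no company name (Unknown owner)")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log, keeping only the flagged lines."""
    flagged = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    ->", r)
```

Run as-is it prints the nine flagged sample lines with their reasons; the Adobe Reader startup entry and the Symantec service pass untouched. Feed it a full log with `triage(open("hijackthis.log").read())` and treat the output as a reading list, not a removal list.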

#3 cardinals5883
  • Topic Starter
  • Members
  • 30 posts

Posted 22 June 2006 - 08:11 PM

One more thing, I have SpySweeper and it has detected several StartUp programs that keep coming back when I click Remove. They are: SurfSide3, New.net StartUp, ftexc, Hhl7efpJ, Test, Vlvo, and newname. Finally, the last two times I have attempted to run a sweep, my computer has crashed. Sure seems like there are a lot of bad things going on, quick help would be greatly appreciated!

#4 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 23 June 2006 - 06:36 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You've got a few things going on in your log, but we can get you fixed up.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Also post a new hijackthis log after running combofix.

#5 cardinals5883
  • Topic Starter
  • Members
  • 30 posts

Posted 24 June 2006 - 05:39 PM

Hey thanks for the help and sorry it took me so long to reply. I downloaded and ran all of the programs in the "Preparation Post" and also did the combofix thing. Here are my new logs:

Hi Jack This

Logfile of HijackThis v1.99.1
Scan saved at 5:35:50 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\rcss.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
C:\WINDOWS\system32\RACLE~1\taskmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - Default URLSearchHook is missing
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Vlvo] C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
O4 - HKCU\..\Run: [Test] "C:\WINDOWS\system32\RACLE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: services.dll msiexec.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)

Combofix

Start Time= Sat 06/24/2006 17:26:22.78
Running from: C:\PROGRA~1\HIJACK~1\COMBOFIX.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform]
"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"="OpenOffice.org Column Handler"
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}"="OpenOffice.org Infotip Handler"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice.org Property Sheet Handler"
"{3B092F0C-7696-40E3-A80F-68D74DA84210}"="OpenOffice.org Thumbnail Viewer"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{EC11B93F-443A-487D-AE75-C03EAFA1700D}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{EC11B93F-443A-487D-AE75-C03EAFA1700D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC11B93F-443A-487D-AE75-C03EAFA1700D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC11B93F-443A-487D-AE75-C03EAFA1700D}\InprocServer32]
@="C:\\WINDOWS\\system32\\wpnetmgr.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\ddserver.dll
C:\WINDOWS\SYSTEM32\fbtlib.dll
C:\WINDOWS\SYSTEM32\hr4005hme.dll
C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll
C:\WINDOWS\SYSTEM32\lvpu0979e.dll
C:\WINDOWS\SYSTEM32\pFp.dll
C:\WINDOWS\SYSTEM32\q2rq0c95ef.dll
C:\WINDOWS\SYSTEM32\q886lils18q6.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

17:27:42.85

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\safhfh.exe
C:\WINDOWS\system32\safhfh.exe
C:\WINDOWS\system32\jkvle.exe
C:\WINDOWS\SYSTEM32\TFDPPNF.EXE


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\yhfhvpp.dll
C:\WINDOWS\system32\yhfhvpp.dll
C:\WINDOWS\system32\xxtkq.dat
C:\WINDOWS\system32\tfdppnf.exe
C:\WINDOWS\system32\safhfh.exe
C:\WINDOWS\system32\safhfh.exe
C:\WINDOWS\system32\safhfh.exe
C:\WINDOWS\system32\jkvle.exe
C:\WINDOWS\rvmov.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\liril.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 16:12:26 127,488 "C:\WINDOWS\system32\safhfh.exe"
2006-06-21 16:11:46 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-21 16:12:30 28,672 "C:\WINDOWS\system32\jkvle.exe"
2006-06-15 18:39:06 131,072 "C:\WINDOWS\system32\mptft.exe"
2006-06-21 16:14:00 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-21 16:12:14 32,256 "C:\WINDOWS\system32\dmonwv.dll"
2006-05-10 00:25:22 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-06-22 20:05:32 234,987 "C:\WINDOWS\system32\fbtlib.dll"
2006-05-10 00:25:22 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 10:06:04 3,055,104 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 00:25:22 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:25:22 615,424 "C:\WINDOWS\system32\urlmon.dll"
2006-06-21 16:11:52 208,896 "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-21 16:11:52 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-15 15:26:44 1,142,784 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-22 06:57:00 23,552 "C:\WINDOWS\system32\tfdppnf.exe"
2006-05-10 00:25:20 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 00:25:22 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:25:22 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:25:22 251,904 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 00:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 00:25:22 15,872 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-22 08:58:44 81,920 "C:\WINDOWS\system32\msiexec.dll"
2006-05-10 00:25:22 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 10:32:10 1,496,576 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 00:25:22 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:25:22 663,552 "C:\WINDOWS\system32\wininet.dll"
2006-06-21 16:12:30 51,712 "C:\WINDOWS\system32\yhfhvpp.dll"
2006-05-10 00:25:20 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-06-24 16:43:56 127,488 "C:\WINDOWS\system32\xxtkq.dat"
2006-06-24 17:24:20 300 "C:\WINDOWS\rvmov.dll"
2006-06-22 16:43:36 53 "C:\WINDOWS\ncbecb.dat"
2006-06-22 06:57:00 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\liril.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/24/2006 04:43 PM 127,488 xxtkq.dat.vir
06/22/2006 06:56 AM 127,488 liril.exe.vir
06/21/2006 04:12 PM 127,488 safhfh.exe.vir
06/21/2006 04:12 PM 51,712 yhfhvpp.dll.vir
06/21/2006 04:12 PM 32,256 dmonwv.dll.vir
06/21/2006 04:12 PM 28,672 jkvle.exe.vir
06/22/2006 06:56 AM 23,552 tfdppnf.exe.vir
06/22/2006 04:43 PM 53 ncbecb.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 16:11:52 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-15 15:26:44 1,142,784 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-21 16:11:46 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-15 18:39:06 131,072 "C:\WINDOWS\system32\mptft.exe"
2006-06-21 16:14:00 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-05-10 00:25:20 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 00:25:22 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:25:22 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:25:22 251,904 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 00:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-10 00:25:22 15,872 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-22 08:58:44 81,920 "C:\WINDOWS\system32\msiexec.dll"
2006-05-10 00:25:22 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 10:32:10 1,496,576 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-10 00:25:22 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:25:22 663,552 "C:\WINDOWS\system32\wininet.dll"
2006-05-10 00:25:22 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 00:25:22 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 10:06:04 3,055,104 "C:\WINDOWS\system32\mshtml.dll"
2006-05-10 00:25:22 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:25:22 615,424 "C:\WINDOWS\system32\urlmon.dll"
2006-06-21 16:11:52 208,896 "C:\WINDOWS\system32\x3cqp0.dll"
2006-05-10 00:25:20 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-06-24 17:24:20 300 "C:\WINDOWS\rvmov.dll"


((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndra.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\drsmartload46a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\drsmartload849a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U0Q2J897\drsmartload45a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U0Q2J897\dfndra[1].exe
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-24 17:24:20 300 ( A.... ) "C:\WINDOWS\rvmov.dll"
2006-06-22 23:42:58 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-22 23:06:52 24576 ( A.... ) "C:\WINDOWS\system32ssec.exe"
2006-06-22 22:54:18 24576 ( A.... ) "C:\WINDOWS\system32\ssec.exe"
2006-06-22 22:04:14 ( .D... ) "C:\Documents and Settings\Brian\Application Data\Lavasoft"
2006-06-22 22:04:02 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-22 19:28:38 11776 ( A.... ) "C:\bootsection.exe"
2006-06-22 16:40:42 11776 ( A.... ) "C:\bootsect.exe"
2006-06-22 16:16:04 ( .D... ) "C:\Program Files\Hi Jack This"
2006-06-22 15:48:22 16384 ( A.... ) "C:\bootlaunch.exe"
2006-06-22 08:58:46 2 ( A.... ) "C:\WINDOWS\system32\wnsintsu.exe"
2006-06-22 08:58:44 81920 ( A.... ) "C:\WINDOWS\system32\msiexec.dll"
2006-06-22 08:58:44 ( .D... ) "C:\Documents and Settings\Brian\Application Data\?icrosoft.NET"
2006-06-22 00:18:18 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-06-21 18:16:34 81920 ( A.... ) "C:\WINDOWS\system32\services.dll"
2006-06-21 18:16:10 32177 ( ..SH. ) "C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
2006-06-21 16:35:46 ( .D... ) "C:\Program Files\ipwins"
2006-06-21 16:32:56 ( .D... ) "C:\Program Files\PartyPoker"
2006-06-21 16:19:54 ( .D... ) "C:\Program Files\TClock"
2006-06-21 16:18:16 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-06-21 16:17:54 183296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-06-21 16:14:36 ( .D... ) "C:\Program Files\Windows"
2006-06-21 16:14:32 ( .D... ) "C:\Program Files\Common Files\kmff"
2006-06-21 16:14:06 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-21 16:14:00 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-06-21 16:13:58 111104 ( A.... ) "C:\numbsoft.exe"
2006-06-21 16:13:38 2677 ( A.... ) "C:\ac2_0003.exe"
2006-06-21 16:13:14 389632 ( A.... ) "C:\webnexmk.exe"
2006-06-21 16:11:56 ( ADS.. ) "C:\Program Files\NewDotNet"
2006-06-21 16:11:52 266240 ( A.... ) "C:\NNSCAA638.EXE"
2006-06-21 16:11:52 208896 ( A.... ) "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-21 16:11:52 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-21 16:11:50 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-06-21 16:11:50 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-06-21 16:11:46 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-21 16:11:46 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-21 16:09:26 159876 ( A.... ) "C:\WINDOWS\system32\mwintqez.exe"
2006-06-21 16:09:20 466944 ( A.... ) "C:\visfx500.exe"
2006-06-21 16:09:08 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-21 16:07:32 11776 ( A.... ) "C:\bootcom.exe"
2006-06-20 17:32:50 64512 ( ..SHR ) "C:\WINDOWS\rcss.exe"
2006-06-19 11:44:36 ( .D... ) "C:\Program Files\Audacity"
2006-06-15 18:39:06 131072 ( A.... ) "C:\WINDOWS\system32\mptft.exe"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-06-08 20:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-07 12:55:52 3753 ( A.... ) "C:\Program Files\html2.htm"
2006-06-07 12:55:52 3626 ( A.... ) "C:\Program Files\html1.htm"
2006-06-01 13:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-30 18:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-30 18:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 10:32:10 1496576 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-19 10:06:04 3055104 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 15:58:40 ( .D... ) "C:\Program Files\Zango Programs"
2006-05-18 00:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-14 03:44:08 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-11 03:37:26 90112 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 00:25:22 663552 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-10 00:25:22 615424 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 00:25:22 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-10 00:25:22 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 00:25:22 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-10 00:25:22 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 00:25:22 251904 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-10 00:25:22 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 00:25:22 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-10 00:25:22 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-10 00:25:22 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 00:25:22 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-10 00:25:22 15872 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-10 00:25:20 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-10 00:25:20 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-10 00:25:20 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2005-12-18 16:15:10 34412848 ( A.... ) "C:\Program Files\iTunesSetup.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ftexc"="C:\\WINDOWS\\system32\\mptft.exe"
"Hhl7RfpJ"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"
"Vlvo"="C:\\DOCUME~1\\LOCALS~1\\APPLIC~1\\ICROSO~1.NET\\HKDSK~1.EXE"
"Test"="\"C:\\WINDOWS\\system32\\RACLE~1\\taskmgr.exe\" -vt ndrv"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Test"="\"C:\\WINDOWS\\ECURIT~1\\wuauclt.exe\" -vt yazr"
"ooqag"="C:\\WINDOWS\\system32\\safhfh.exe reg_run"
"kmff"="C:\\PROGRA~1\\COMMON~1\\kmff\\kmffm.exe"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"
"Rygtml"="C:\\Documents and Settings\\LocalService\\Application Data\\?icrosoft.NET\\?hkdsk.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Test"="\"C:\\WINDOWS\\ECURIT~1\\wuauclt.exe\" -vt yazr"
"ooqag"="C:\\WINDOWS\\system32\\safhfh.exe reg_run"
"kmff"="C:\\PROGRA~1\\COMMON~1\\kmff\\kmffm.exe"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"
"Rygtml"="C:\\Documents and Settings\\LocalService\\Application Data\\?icrosoft.NET\\?hkdsk.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Brian.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 06/24/2006 17:30:45.96
ComboFix ver 06.06.24 - This logfile is located at C:\ComboFix.txt

#6 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 25 June 2006 - 09:01 AM

That's good! Combofix took care of a lot of malware for us, but we still have much to do.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - Default URLSearchHook is missing
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Vlvo] C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE
O4 - HKCU\..\Run: [Test] "C:\WINDOWS\system32\RACLE~1\taskmgr.exe" -vt ndrv
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: services.dll msiexec.dll



===========


Please click Start -> Control Panel -> Add/Remove Programs and uninstall this program. It may be listed as New.Net, NewDotNet, or New.Net Domains.


===========


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new HijackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
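The entries Buckeye_Sam lists above, and the ComboFix "Reg Loading Points" further up, share a few patterns worth recognising in any HijackThis log or registry dump: Windows binaries such as taskmgr.exe and wuauclt.exe started from directories other than System32; 8.3 short names like ECURIT~1, RACLE~1 and ICROSO~1.NET, whose long names began with a look-alike non-ASCII letter (ewido later reported them with their real names, ѕecurity and Μicrosoft.NET, and ComboFix printed the unrepresentable first character as "?"); a non-empty AppInit_DLLs value; a text/html MIME filter; and a pile of Trusted Zone additions. The script below is an added example for this thread, not code from HijackThis, ComboFix or ewido. It runs those checks over lines quoted from the thread. The canonical-directory table and the list of imitated names are assumptions built from this thread's entries (the thread never shows the long name behind RACLE~1; "oracle" is a guess), so extend both before pointing it at another log.

```python
"""Triage HijackThis lines and ComboFix 'Reg Loading Points' values for the
masquerading tricks seen in this thread. Added example; not HijackThis, ComboFix
or ewido code."""
import re
import unicodedata

# Binaries the adware in this thread impersonated, with the directory Windows XP
# ships them in. Assumption: built from this thread's entries, not exhaustive.
CANONICAL_DIRS = {
    "taskmgr.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "chkdsk.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
}

# Names the look-alike directories and files imitate. Their 8.3 short names in the
# registry lost the non-ASCII first letter: "ѕecurity" became ECURIT~1 and
# "Μicrosoft.NET" became ICROSO~1.NET. "oracle" for RACLE~1 is an assumption; the
# thread never shows that directory's long name.
LOOKALIKE_TARGETS = ["security", "oracle", "microsoft.net", "chkdsk.exe", "userinit.exe"]

# A quoted path, or a bare one ending in .exe/.dll.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll))', re.IGNORECASE)
# An 8.3 short-name component such as ECURIT~1 or HKDSK~1.EXE.
SHORT_RE = re.compile(r"^([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{1,3})?$", re.IGNORECASE)
# A .reg-style value line as ComboFix prints it: "name"="value".
REG_VALUE_RE = re.compile(r'^"[^"]*"=')


def reg_unescape(line):
    # .reg escaping writes \ as \\ and " as \"; undo it so the path regex applies.
    return line.replace('\\"', '"').replace("\\\\", "\\")


def extract_path(line):
    """Return the first Windows path in a log line (quoted or bare), or None."""
    if REG_VALUE_RE.match(line):
        line = reg_unescape(line)
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def non_ascii_chars(path):
    """Characters outside ASCII with their Unicode names, for spotting homoglyphs."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in path if ord(c) > 127]


def truncated_short_names(path):
    """8.3 components that read like a known name with its first character missing."""
    hits = []
    for comp in path.split("\\"):
        m = SHORT_RE.match(comp)
        if m:
            stem = m.group(1).lower()
            hits.extend((comp, t) for t in LOOKALIKE_TARGETS if t[1:].startswith(stem))
    return hits


def triage(line):
    """Return the reasons a line deserves a closer look; an empty list means none found."""
    reasons = []
    path = extract_path(line)
    if path:
        for ch, name in non_ascii_chars(path):
            reasons.append(f"non-ASCII character {ch!r} ({name}) in path")
        for comp, target in truncated_short_names(path):
            reasons.append(f"short name {comp} looks like {target!r} minus its first character")
        parent, _, base = path.rpartition("\\")
        expected = CANONICAL_DIRS.get(base.lower())
        if expected and parent.lower() != expected:
            reasons.append(f"{base} loaded from {parent!r}, expected {expected!r}")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set: those DLLs load into every process that uses user32")
    if line.startswith("O18 - Filter: text/html"):
        reasons.append("a text/html MIME filter sees and can rewrite every page IE renders")
    if line.startswith("O15 - Trusted Zone:"):
        reasons.append("site added to the IE Trusted Zone, which relaxes ActiveX and script policy")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; lines with nothing to report are omitted."""
    flagged = {}
    for ln in lines:
        reasons = triage(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged


# Constructed sample: entries quoted from this thread's HijackThis list, ComboFix dump
# and ewido report, plus one clean "Running processes" line as a control.
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [Test] "C:\WINDOWS\system32\RACLE~1\taskmgr.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Vlvo] C:\DOCUME~1\LOCALS~1\APPLIC~1\ICROSO~1.NET\HKDSK~1.EXE",
    r"O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe",
    r"O15 - Trusted Zone: http://*.winantivirus.com",
    r"O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll",
    r"O20 - AppInit_DLLs: services.dll msiexec.dll",
    r'"Test"="\"C:\\WINDOWS\\ECURIT~1\\wuauclt.exe\" -vt yazr"',
    "C:\\WINDOWS\\\u0455ecurity\\wuauclt.exe -> Adware.ClickSpring",  # U+0455 CYRILLIC DZE, not "s"
    r"C:\WINDOWS\system32\wuauclt.exe",
]

if __name__ == "__main__":
    for ln, reasons in triage_log(SAMPLE_LINES).items():
        print(ln)
        for r in reasons:
            print("   -", r)
```

Run it with python3 and it prints each flagged line with its reasons. A line that comes back empty is not thereby clean: mptft.exe and ssn6tuu.exe produce nothing because nothing about their paths is suspicious on its own, and recognising a random-looking name in System32 as malware is still the part of the triage that needs a human, a hash lookup or a vendor scan, which is what the helper in this thread did by eye.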

#7 cardinals5883 (Topic Starter, Members, 30 posts)

Posted 25 June 2006 - 01:50 PM

Okay, I did everything you asked me to in your last post. I could not find the New.net program that you asked me to remove. As far as I can tell, I am still getting unwanted pop-ups and other problems. The ewido program found over 100 bad files and fixed most of them. Here are my new logs:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:05 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\t48ulel91hq.dll
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\sieio.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:38:08 PM 6/25/2006

+ Scan result:



HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-21-1645522239-1993962763-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LDB67NIV\stub_sca3[1].exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U0Q2J897\cfg32[1].exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Error during cleaning.
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Error during cleaning.
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Error during cleaning.
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Error during cleaning.
C:\WINDOWS\ѕecurity\wuauclt.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dguiext.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\h6l2lg3o16.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\warebundle.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
[780] C:\WINDOWS\system32\WzhRm.dll -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LDB67NIV\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
[668] C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Error during cleaning.
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Error during cleaning.
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Error during cleaning.
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Error during cleaning.
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Error during cleaning.
C:\Documents and Settings\Brian\Application Data\Μicrosoft.NET\υserinit.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Application Data\Мicrosoft.NET\сhkdsk.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\services.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\gkyukar[1].cab/ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\x3cqp0.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mwintqez.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\rcss.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\drsmartload46a[1].exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\drsmartload46j.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\QooBox\dmonwv.dll.vir -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U0Q2J897\wd7gi8n[1].exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\!update.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Internet Files\Content.IE5\AMGOT9AY\!update-3895[1].0000 -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Οracle\taskmgr.exe -> Downloader.PurityScan.cs : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\QooBox\jkvle.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\liril.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\safhfh.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\tfdppnf.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\xxtkq.dat.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\yhfhvpp.dll.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchostsys\svchostsys.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchostsys\svchostupdate.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LDB67NIV\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U0Q2J897\bootsector[1].zip -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\bootsect.exe -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\bootsection.exe -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\drsmartload45a[1].exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LDB67NIV\drsmartload849a[1].exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\drsmartload45j.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\drsmartload849j.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\numbsoft[1].exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\webnexmk[1].exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0BYFCZBU\gkyukar[1].cab/mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\nwnm_1[1].exe -> Hijacker.VB.fc : Cleaned with backup (quarantined).
C:\nwnm_1.exe -> Hijacker.VB.fc : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4K07BF1N\dfndra_1[1].exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\dfndra_1.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\Cookies\brian@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@www.belstat[1].txt -> TrackingCookie.Belstat : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@install.bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\Cookies\brian@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@e-2dj6wfkyqgd5mco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@e-2dj6wjl4kiczsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@e-2dj6wjliuhcjebp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@e-2dj6wjnyohdzkhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\Cookies\brian@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Cookies\brian@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Local Settings\Temp\Cookies\brian@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINDOWS\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jara.jar-4330315f-520ef59d.zip/web.exe -> Trojan.Small.ev : Cleaned with backup (quarantined).
C:\Program Files\Common Files\simtest\sysstall.exe -> Trojan.Zapchast.bl : Cleaned with backup (quarantined).


::Report end
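One detail in the report above deserves a closer look than the "Cleaned" status suggests. Several quarantined files sit in directories whose names are spelled with Cyrillic or Greek letters that render like Latin ones (the "security", "Microsoft.NET" and "Oracle" folders) and carry the names of genuine Windows binaries (wuauclt.exe, userinit.exe, chkdsk.exe, taskmgr.exe); two others, system32tfthot.exe and system32ssec.exe, live directly under C:\WINDOWS so that a quick read mistakes them for files in system32. The script below is an added example, not part of this thread and not ewido's own code: it parses lines in the report's "path -> detection : status" format and flags those three masquerade patterns. The sample lines are constructed from entries above, written with explicit \u escapes so the look-alike letters are unambiguous; the confusables map and the list of system binary names are assumptions for the example.

```python
import re
import unicodedata

# Look-alike letters of the kind the report shows (Cyrillic/Greek glyphs that
# render like Latin), mapped to the letter they imitate. Assumed, not exhaustive.
CONFUSABLES = {
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE      -> 'security'
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES       -> 'chkdsk'
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM     -> 'Microsoft'
    "\u039c": "M",  # GREEK CAPITAL LETTER MU        -> 'Microsoft'
    "\u03c5": "u",  # GREEK SMALL LETTER UPSILON     -> 'userinit'
    "\u039f": "O",  # GREEK CAPITAL LETTER OMICRON   -> 'Oracle'
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
}

# Windows binaries whose names the report shows reused in impostor directories;
# the genuine ones live in %SystemRoot%\system32 (assumed list for the example).
SYSTEM_NAMES = {"wuauclt.exe", "userinit.exe", "chkdsk.exe", "taskmgr.exe",
                "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32"

REPORT_LINE = re.compile(r"^(?P<path>.+?) -> (?P<det>.+?) : (?P<status>.+)$")


def fold(s):
    """Swap known confusables for their Latin look-alike and lowercase the result."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in s).lower()


def non_ascii_chars(path):
    """(char, Unicode name) for every code point in the path outside ASCII."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in path if ord(ch) > 0x7F]


def check_path(path):
    """Return the masquerade indicators found in one reported path."""
    findings = []
    parts = path.split("\\")
    name, parent = parts[-1], "\\".join(parts[:-1])
    odd = non_ascii_chars(path)
    if odd:
        detail = ", ".join(f"{ch!r} {nm}" for ch, nm in odd)
        findings.append(f"homoglyph: {detail} (reads as {fold(path)!r})")
    for part in parts:
        # 'system32tfthot.exe' under C:\WINDOWS is built to be misread as system32\tfthot.exe
        if fold(part).startswith("system32") and fold(part) != "system32":
            findings.append(f"system32-prefixed name: {part!r}")
    if fold(name) in SYSTEM_NAMES and fold(parent) != SYSTEM32:
        findings.append(f"system binary name {name!r} outside system32 ({parent!r})")
    return findings


def parse_report(text):
    """(path, detection, status) for each 'path -> detection : status' line."""
    rows = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            rows.append((m["path"], m["det"], m["status"]))
    return rows


def triage(text):
    """Map every reported path to its list of indicators (empty list = nothing odd)."""
    return {path: check_path(path) for path, _det, _status in parse_report(text)}


# Constructed sample in the report's format; the last line is a benign control
# entry (not from the report) showing the genuine file in its genuine location.
SAMPLE_REPORT = (
    "C:\\WINDOWS\\\u0455ecurity\\wuauclt.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).\n"
    "C:\\Documents and Settings\\Brian\\Application Data\\\u039cicrosoft.NET\\\u03c5serinit.exe"
    " -> Adware.PurityScan : Cleaned with backup (quarantined).\n"
    "C:\\WINDOWS\\system32\\\u039fracle\\taskmgr.exe -> Downloader.PurityScan.cs : Cleaned with backup (quarantined).\n"
    "C:\\WINDOWS\\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).\n"
    "C:\\WINDOWS\\rcss.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).\n"
    "C:\\WINDOWS\\system32\\wuauclt.exe -> Control.Benign : not detected (constructed)\n"
)

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_REPORT).items():
        print(path, "->", findings or "no masquerade indicators")
```

The point of folding before comparing is that a plain string match against "security" or "Microsoft.NET" never fires on these paths; the check has to either map the confusable letters back or treat any non-ASCII letter in a system path as suspicious in its own right. Neither ewido's status column nor a HijackThis listing makes that visible.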

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 June 2006 - 03:36 PM

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 cardinals5883

cardinals5883
  • Topic Starter

  • Members
  • 30 posts

Posted 25 June 2006 - 03:57 PM

Okay, I downloaded and ran the Look2Me Destroyer. Here are my new logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:54:10 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/25/2006 3:44:07 PM

Infected! C:\WINDOWS\system32\t48ulel91hq.dll
Infected! C:\WINDOWS\system32\sieio.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010234.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010239.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010242.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010274.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010472.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0011475.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012475.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012501.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012515.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012516.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012598.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012599.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012600.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012601.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012602.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012603.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012604.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012605.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013643.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013644.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013645.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013675.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013676.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013694.dll
Infected! C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013701.dll
Infected! C:\WINDOWS\system32\dnnq0155e.dll
Infected! C:\WINDOWS\system32\nutshell.dll
Infected! C:\WINDOWS\system32\t48ulel91hq.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\t48ulel91hq.dll
C:\WINDOWS\system32\t48ulel91hq.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010234.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010234.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010239.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010239.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010242.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010242.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010274.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010274.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010472.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0010472.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0011475.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0011475.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012475.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012475.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012501.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP206\A0012501.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012515.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012515.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012516.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012516.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012598.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012598.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012599.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012599.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012600.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012600.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012601.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012601.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012602.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012602.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012603.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012603.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012604.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012604.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012605.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0012605.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013643.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013643.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013644.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013644.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013645.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013645.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013675.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013675.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013676.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013676.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013694.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013694.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013701.dll
C:\System Volume Information\_restore{4DFDED7C-4D8B-42C9-B493-ED179713CD10}\RP207\A0013701.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnnq0155e.dll
C:\WINDOWS\system32\dnnq0155e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nutshell.dll
C:\WINDOWS\system32\nutshell.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\t48ulel91hq.dll
C:\WINDOWS\system32\t48ulel91hq.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D4CE1FF1-4D51-484C-843D-14C11EA80BF8}"
HKCR\Clsid\{D4CE1FF1-4D51-484C-843D-14C11EA80BF8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CE94F96E-CF48-44A7-9994-83F1A4FB7367}"
HKCR\Clsid\{CE94F96E-CF48-44A7-9994-83F1A4FB7367}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7E020D87-21C8-41C7-8729-B0C2AA2806AA}"
HKCR\Clsid\{7E020D87-21C8-41C7-8729-B0C2AA2806AA}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 June 2006 - 07:33 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll



Reboot and post a new hijackthis log.
Let me know of any problems that you are still having.


========================================================
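The fix list above picks out three classes of entry from the log posted in #9: the R0/R1 search settings that point at hosts the user never chose, and the O18 MIME filter for text/html, whose DLL (C:\WINDOWS\system32\x3cqp0.dll) is the same file ewido reported as Adware.Suggestor in #7, so the filter registration outlived the file it loads. The same log also still lists the O23 service RPCS for C:\WINDOWS\rcss.exe, which ewido quarantined as Backdoor.SdBot.aad, now shown as "(file missing)". The script below is an added example, not part of the thread and not HijackThis's own code: it parses HijackThis entry lines and flags exactly those classes. The sample log is constructed from entry lines in #9, and the allowlist of expected search hosts is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Hosts this user's browser settings are expected to point at (assumption for
# the example; in practice derive it from the defaults the user actually set).
EXPECTED_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com", "www.google.com", "www.msn.com"}

# Entry lines look like 'R1 - <key>,<value> = <url>' or 'O23 - Service: ...'.
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """(kind, body) for each HijackThis entry line; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def flag(kind, body):
    """Return why this entry deserves attention, or None if it looks benign."""
    if kind in ("R0", "R1"):
        # 'HKLM\...\Main,Search Page = http://...' -> judge the host, not the key
        _key, _sep, url = body.partition(" = ")
        host = host_of(url)
        if host and host not in EXPECTED_HOSTS:
            return f"browser setting points at unexpected host {host}"
    elif kind == "O18" and body.startswith("Filter: text/"):
        # A MIME filter sees every page of that type before the browser renders it;
        # a text/html filter is almost always injected adware.
        mime = body[len("Filter: "):].split(" - ")[0]
        return f"MIME filter installed on {mime}"
    elif kind == "O23":
        if "(file missing)" in body:
            return "service registered for a binary HijackThis could not find"
        if " - Unknown owner - " in body:
            return "service binary carries no publisher information"
    return None


def triage(text):
    """(kind, body, reason) for every flagged entry, in log order."""
    flagged = []
    for kind, body in parse_hjt(text):
        reason = flag(kind, body)
        if reason:
            flagged.append((kind, body, reason))
    return flagged


# Constructed sample: entry lines copied from the log in post #9 above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)
"""

if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

One caveat the output makes obvious: the Linksys WMP54GSSVC line is flagged for the same reason as RPCS, yet it is a vendor service whose ImagePath simply contains an embedded quoted argument that HijackThis 1.99 does not parse, so it reports "(file missing)" for a file that exists. A hit in the O23 class therefore means verify the path by hand, not remove on sight; the R0/R1 and O18 classes are far closer to removal-ready.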

#11 cardinals5883

cardinals5883
  • Topic Starter

  • Members
  • 30 posts

Posted 25 June 2006 - 08:56 PM

I removed the items you mentioned and here is my new log. There are no major symptoms or problems jumping out at me. The pop ups have stopped and it seems as if everything is working well. If there are any more steps that you need me to take, let me know. Otherwise THANK YOU VERY MUCH for your help. I was worried at first that there was much more wrong with my computer.

Logfile of HijackThis v1.99.1
Scan saved at 8:52:32 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe" "WMP54GS.exe (file missing)

Edited by cardinals5883, 25 June 2006 - 08:57 PM.


#12 cardinals5883

cardinals5883
  • Topic Starter

  • Members
  • 30 posts

Posted 25 June 2006 - 10:40 PM

Ok one annoying little problem that hasn't gone away is these links that randomly seem to show up on web pages. Certain words will be in a green font, usually double underlined, and link to unrelated pages. When I move the cursor over one of these links, a box comes up saying "IntelliTXT" and some little advertisement for that particular word. Any idea what is going on with this?

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 June 2006 - 08:44 PM

IntelliTXT runs off the website itself, and not your computer, so there's not much you can do about that other than not visit the websites that use it. It's certainly nothing to worry about on your end.

Your log is clean! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:
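The six Custom Level settings in the "Make your Internet Explorer more secure" steps above are stored per user as DWORD values under the Internet zone key (zone 3), and each Custom Level entry has a documented numeric action code (0 = Enable, 1 = Prompt, 3 = Disable). As an added example, not part of the post and not a Microsoft tool, this Python script audits those values against the post's recommendations and renders a `.reg` fragment for the ones that deviate, so the same check can be repeated on several machines instead of clicking through the dialog. It reads the live registry only on Windows via `winreg`; elsewhere it falls back to a constructed "everything set to Enable" sample. The mapping from setting names to action codes is the documented one; the choice to render a `.reg` fragment rather than write the registry directly is this example's (review the fragment before importing it).

```python
import sys

# Zone 3 is the Internet zone; per-user Custom Level values live under HKCU.
ZONE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Documented URL-action values behind the Custom Level radio buttons.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# Registry action codes for the six Custom Level settings named in the post,
# paired with the value the post recommends.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def read_internet_zone():
    """Read the current Internet-zone values for the six codes (Windows only; {} elsewhere)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_SUBKEY) as key:
        for code in RECOMMENDED:
            try:
                current[code] = winreg.QueryValueEx(key, code)[0]
            except FileNotFoundError:
                current[code] = None   # value absent: the zone template default applies
    return current


def audit(current):
    """Compare observed {code: value} with RECOMMENDED; return (code, name, have, want) per deviation."""
    deviations = []
    for code, (name, want) in RECOMMENDED.items():
        have = current.get(code)
        if have != want:
            deviations.append((code, name, have, want))
    return deviations


def reg_fragment(deviations):
    """Render a .reg fragment that sets the recommended value for each deviating setting."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\" + ZONE_SUBKEY + "]"]
    for code, name, _have, want in deviations:
        lines.append("; %s -> %s" % (name, LABEL[want]))
        lines.append('"%s"=dword:%08x' % (code, want))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        observed = read_internet_zone()
    else:
        # Constructed sample: every setting left at Enable, the weakest possible state.
        observed = {code: ENABLE for code in RECOMMENDED}
    found = audit(observed)
    for code, name, have, want in found:
        print("%s %-58s have %-9s want %s" % (code, name, LABEL.get(have, have), LABEL[want]))
    if found:
        print()
        print(reg_fragment(found))
```

A clean result is an empty list from `audit()`; a value that is missing from the key shows up as `(not set)` and is reported as a deviation, because the script cannot tell which zone template default is in force. Changes made through the dialog and through the fragment end up in the same values, so the two can be mixed freely.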

#14 cardinals5883

cardinals5883
  • Topic Starter

  • Members
  • 30 posts

Posted 26 June 2006 - 10:00 PM

Thank you very much for your help Sam, I really appreciate it!

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 June 2006 - 07:11 PM

Glad I could help out! :thumbsup:

As your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.