Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Infestation - Can't Remove


  • This topic is locked This topic is locked
12 replies to this topic

#1 gummipanda

gummipanda

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 23 June 2006 - 02:07 PM

My cousin sent me a zip archive holding an .src file. As soon as i opened it, I realized that my anti virus program, Kaspersky Anti-virus was acting up and kept posting warnings that a virus was detected. However, it could never remove it. After doing several sweeps with spysweeper, spybot, and ad-aware, i realized that the malware was recurring and kept popping up soon after i restarted the computer. This has been frustrating. I trusted my cousin, but I guess I can't be too sure after this. I ask for the HJT staff's assistance in helping me restore my computer to a more stable state. Thank you.

------

HiJackThis Log file

Logfile of HijackThis v1.99.1
Scan saved at 12:02:19 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Administrator.RETESTRAK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,klpagae.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lv0609dse.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

-------

SpySweeper log

********
9:41 PM: | Start of Session, Thursday, June 22, 2006 |
9:41 PM: Spy Sweeper started
9:41 PM: Sweep initiated using definitions version 705
9:41 PM: Starting Memory Sweep
9:42 PM: Found Adware: clkoptimizer
9:42 PM: Detected running threat: C:\WINDOWS\system32\pnqsmdp.dll (ID = 268933)
9:43 PM: Memory Sweep Complete, Elapsed Time: 00:02:09
9:43 PM: Starting Registry Sweep
9:43 PM: Found Adware: enbrowser
9:43 PM: HKLM\software\system\sysold\ (ID = 926808)
9:43 PM: Found Adware: command
9:43 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
9:43 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
9:43 PM: Found Adware: linkmaker
9:43 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
9:43 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
9:43 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
9:43 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
9:43 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
9:43 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
9:43 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
9:43 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
9:43 PM: Found Adware: bookedspace
9:43 PM: HKCR\appid\cfg32s.dll\ (1 subtraces) (ID = 1347879)
9:43 PM: HKCR\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347881)
9:43 PM: HKLM\software\classes\appid\cfg32s.dll\ (1 subtraces) (ID = 1347930)
9:43 PM: HKLM\software\classes\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347932)
9:43 PM: Found Adware: forethought
9:43 PM: HKLM\software\microsoft\windows\currentversion\uninstall\treewood\ (2 subtraces) (ID = 1352578)
9:43 PM: Found Adware: dollarrevenue
9:43 PM: HKLM\software\ksr39sj5\ (3 subtraces) (ID = 1390021)
9:43 PM: HKLM\software\microsoft\windows\currentversion\uninstall\s7kqhe\ (2 subtraces) (ID = 1390037)
9:43 PM: Registry Sweep Complete, Elapsed Time:00:00:07
9:43 PM: Starting Cookie Sweep
9:43 PM: Found Spy Cookie: tacoda cookie
9:43 PM: administrator@tacoda[1].txt (ID = 6444)
9:43 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:43 PM: Starting File Sweep
9:43 PM: c:\windows\zabstract (5 subtraces) (ID = -2147449272)
9:43 PM: apiwu.exe (ID = 268934)
9:44 PM: Found Adware: visfx
9:44 PM: a0350265.exe (ID = 301241)
9:45 PM: a0350574.dll (ID = 268933)
9:45 PM: Found Adware: mrfindalot hijacker
9:45 PM: tfthot.exe (ID = 315430)
9:45 PM: a0350272.exe (ID = 245111)
9:45 PM: Found Adware: zenosearchassistant
9:45 PM: a0350468.exe (ID = 293)
9:46 PM: cfg32.exe (ID = 301841)
9:46 PM: a0351057.dll (ID = 268933)
9:46 PM: Found Adware: surfsidekick
9:46 PM: a0350680.dll (ID = 304383)
9:46 PM: a0350276.exe (ID = 245110)
9:46 PM: Found Trojan Horse: trojan-downloader-ac2
9:46 PM: a0350427.dll (ID = 276222)
9:46 PM: ftuninst.exe (ID = 315429)
9:46 PM: a0350429.dll (ID = 276222)
9:47 PM: a0351610.dll (ID = 268933)
9:47 PM: pnqsmdp.dll (ID = 268933)
9:47 PM: Found Adware: look2me
9:47 PM: a0351183.dll (ID = 159)
9:47 PM: a0350105.exe (ID = 273770)
9:47 PM: a0350270.exe (ID = 244277)
9:47 PM: a0350279.exe (ID = 268798)
9:47 PM: a0351495.dll (ID = 304383)
9:48 PM: Found Adware: fullcontext
9:48 PM: srvpgsnqch.exe (ID = 303274)
9:48 PM: en00l1dm1.dll (ID = 159)
9:48 PM: Warning: Failed to read file "c:\system volume information\_restore{84b5a239-fdd0-4ba8-affa-94dca03d6b2f}\rp195\a0349099.exe". The operation completed successfully
9:48 PM: system32tfthot.exe (ID = 315430)
9:48 PM: a0350649.dll (ID = 302237)
9:48 PM: a0349866.dll (ID = 302237)
9:48 PM: a0350299.exe (ID = 304385)
9:49 PM: a0350008.dll (ID = 304383)
9:50 PM: a0350575.dll (ID = 159)
9:50 PM: a0351806.exe (ID = 268934)
9:51 PM: a0351805.exe (ID = 268932)
9:52 PM: a0351096.dll (ID = 302237)
9:52 PM: a0349370.exe (ID = 271215)
9:52 PM: Found Trojan Horse: trojan-dropper-agenthl
9:52 PM: pre.exe (ID = 300247)
9:53 PM: a0349864.exe (ID = 315430)
9:53 PM: temp.frfb00 (ID = 159)
9:53 PM: temp.freeba (ID = 159)
9:54 PM: system32ftuninst.exe (ID = 315429)
9:54 PM: gbe90qs.exe (ID = 315432)
9:54 PM: repairs303169590.dll (ID = 302237)
9:54 PM: zicorn003.exe (ID = 301896)
9:55 PM: a0351274.dll (ID = 302237)
9:55 PM: vsl05.exe (ID = 299775)
9:56 PM: a0350384.exe (ID = 301341)
9:56 PM: nzraidwizardko.dll (ID = 159)
9:59 PM: a0351861.dll (ID = 302237)
10:01 PM: visfx500.exe (ID = 244295)
10:02 PM: jgrsvu.exe (ID = 268995)
10:02 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || jxvjus (ID = 0)
10:02 PM: HKU\S-1-5-21-1606980848-2000478354-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || fuclw (ID = 0)
10:03 PM: zigid003.exe (ID = 300281)
10:03 PM: un52.tmp (ID = 304385)
10:03 PM: a0349369.exe (ID = 244278)
10:03 PM: pf78.exe (ID = 244430)
10:04 PM: wd7gi8n.exe (ID = 305263)
10:05 PM: uninstall.exe (ID = 301842)
10:05 PM: a0351170.exe (ID = 268995)
10:08 PM: a0351494.exe (ID = 304385)
10:10 PM: lv0609dse.dll (ID = 159)
10:10 PM: webnexmk.exe (ID = 299757)
10:12 PM: sskupdater3.exe (ID = 303011)
10:12 PM: vsl.dl_ (ID = 301391)
10:12 PM: stub_sca3.exe (ID = 294169)
10:13 PM: a0350461.vbs (ID = 231442)
10:14 PM: a0351485.exe (ID = 268995)
10:14 PM: guard.tmp (ID = 159)
10:14 PM: jiub5f27y.hhy (ID = 276229)
10:14 PM: a0349368.exe (ID = 244278)
10:15 PM: tagasaurus.exe (ID = 244271)
10:15 PM: a0349786.exe (ID = 268995)
10:18 PM: a0349479.exe (ID = 268995)
10:19 PM: temp.fr5ca8 (ID = 159)
10:19 PM: a0350106.exe (ID = 303223)
10:19 PM: a0351800.exe (ID = 268995)
10:20 PM: nuoglnt.dll (ID = 159)
10:23 PM: a0351802.exe (ID = 268995)
10:23 PM: a0351612.dll (ID = 159)
10:23 PM: cfg32a.exe (ID = 301864)
10:23 PM: dmonwv.dll (ID = 268799)
10:24 PM: a0350550.dll (ID = 159)
10:25 PM: cndtc.exe (ID = 268995)
10:26 PM: a0351496.dll (ID = 304384)
10:27 PM: f375475937.exe (ID = 268995)
10:27 PM: ac2_0004.exe (ID = 273770)
10:27 PM: Found Adware: zquest
10:27 PM: a0349101.exe (ID = 302027)
10:28 PM: a0351172.exe (ID = 303011)
10:29 PM: i33d.tmp (ID = 253411)
10:30 PM: a0351061.dll (ID = 159)
10:32 PM: temp.fr5850 (ID = 159)
10:32 PM: enn2l15o1.dll (ID = 159)
10:34 PM: njraidsvno.dll (ID = 159)
10:35 PM: a0350089.exe (ID = 315439)
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0000:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0001:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0100:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0101:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0200:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0201:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.reph:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.repi:kavichs". Access is denied
10:36 PM: Warning: Failed to open file "c:\documents and settings\all users.windows\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.rept:kavichs". Access is denied
10:37 PM: Warning: Failed to open file "c:\system volume information\_restore{84b5a239-fdd0-4ba8-affa-94dca03d6b2f}\rp197\restorepointsize:kavichs". Access is denied
10:37 PM: Warning: Failed to open file "c:\documents and settings\administrator.retestrak\application data\mozilla\firefox\profiles\js0bfl0p.default\forecastfox\profiles.xml:kavichs". Access is denied
10:37 PM: Warning: Failed to open file "c:\documents and settings\administrator.retestrak\application data\mozilla\firefox\profiles\js0bfl0p.default\prefs.js:kavichs". Access is denied
10:37 PM: a0350471.cfg (ID = 91140)
10:37 PM: oapxtrhxwaio.vbs (ID = 185675)
10:37 PM: File Sweep Complete, Elapsed Time: 00:54:00
10:37 PM: Full Sweep has completed. Elapsed time 00:56:26
10:37 PM: Traces Found: 168
10:50 PM: Removal process initiated
10:50 PM: Quarantining All Traces: clkoptimizer
10:51 PM: clkoptimizer is in use. It will be removed on reboot.
10:51 PM: apiwu.exe is in use. It will be removed on reboot.
10:51 PM: pnqsmdp.dll is in use. It will be removed on reboot.
10:51 PM: jgrsvu.exe is in use. It will be removed on reboot.
10:51 PM: cndtc.exe is in use. It will be removed on reboot.
10:51 PM: C:\WINDOWS\system32\pnqsmdp.dll is in use. It will be removed on reboot.
10:51 PM: Quarantining All Traces: fullcontext
10:51 PM: Quarantining All Traces: trojan-downloader-ac2
10:51 PM: Quarantining All Traces: visfx
10:51 PM: Quarantining All Traces: bookedspace
10:51 PM: Quarantining All Traces: dollarrevenue
10:51 PM: Quarantining All Traces: enbrowser
10:51 PM: Quarantining All Traces: forethought
10:51 PM: Quarantining All Traces: linkmaker
10:51 PM: Quarantining All Traces: trojan-dropper-agenthl
10:51 PM: Quarantining All Traces: zquest
10:51 PM: Quarantining All Traces: command
10:51 PM: Quarantining All Traces: mrfindalot hijacker
10:51 PM: Quarantining All Traces: tacoda cookie
10:51 PM: Quarantining All Traces: zenosearchassistant
10:51 PM: Quarantining All Traces: surfsidekick
10:51 PM: Quarantining All Traces: look2me
10:52 PM: look2me is in use. It will be removed on reboot.
10:52 PM: Removal process completed. Elapsed time 00:01:45
********
9:40 PM: | Start of Session, Thursday, June 22, 2006 |
9:40 PM: Spy Sweeper started
9:40 PM: Sweep initiated using definitions version 705
9:40 PM: Starting Memory Sweep
9:41 PM: Sweep Canceled
9:41 PM: Memory Sweep Complete, Elapsed Time: 00:00:41
9:41 PM: Traces Found: 0
9:41 PM: | End of Session, Thursday, June 22, 2006 |
********
9:29 PM: | Start of Session, Thursday, June 22, 2006 |
9:29 PM: Spy Sweeper started
9:29 PM: Sweep initiated using definitions version 705
9:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 PM: Sweep Canceled
9:33 PM: Traces Found: 0
9:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:38 PM: Processing Startup Alerts
9:38 PM: Removed Startup entry: SurfSideKick 3
9:38 PM: Removed Startup entry: SurfSideKick 3
9:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 PM: Updating spyware definitions
9:39 PM: Your definitions are up to date.
9:39 PM: Updating spyware definitions
9:39 PM: Your definitions are up to date.
9:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:40 PM: | End of Session, Thursday, June 22, 2006 |
********
7:31 PM: | Start of Session, Thursday, June 22, 2006 |
7:31 PM: Spy Sweeper started
7:31 PM: Sweep initiated using definitions version 705
7:31 PM: Found Adware: surfsidekick
7:31 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\inprocserver32\ (2 subtraces) (ID = 1055337)
7:31 PM: SskBho.dll (ID = 1055337)
7:31 PM: Starting Memory Sweep
7:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:32 PM: Found Adware: clkoptimizer
7:32 PM: Detected running threat: C:\WINDOWS\system32\pnqsmdp.dll (ID = 268933)
7:32 PM: Detected running threat: C:\WINDOWS\system32\jgrsvu.exe (ID = 268995)
7:32 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || jxvjus (ID = 0)
7:32 PM: HKU\S-1-5-21-1606980848-2000478354-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || fuclw (ID = 0)
7:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:37 PM: Detected running threat: C:\WINDOWS\system32\apiwu.exe (ID = 268934)
7:38 PM: Detected running threat: C:\WINDOWS\system32\apiwu.exe (ID = 268934)
7:38 PM: Detected running threat: C:\WINDOWS\system32\apiwu.exe (ID = 268934)
7:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:38 PM: Memory Sweep Complete, Elapsed Time: 00:07:12
7:38 PM: Starting Registry Sweep
7:38 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143389)
7:38 PM: HKLM\software\classes\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143392)
7:38 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
7:38 PM: Found Adware: enbrowser
7:38 PM: HKLM\software\system\sysold\ (ID = 926808)
7:38 PM: Found Adware: command
7:38 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
7:38 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
7:38 PM: Found Adware: linkmaker
7:38 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
7:38 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
7:38 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
7:38 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
7:38 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
7:38 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
7:38 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
7:38 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
7:38 PM: Found Adware: bookedspace
7:38 PM: HKCR\appid\cfg32s.dll\ (1 subtraces) (ID = 1347879)
7:38 PM: HKCR\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347881)
7:38 PM: HKLM\software\classes\appid\cfg32s.dll\ (1 subtraces) (ID = 1347930)
7:38 PM: HKLM\software\classes\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347932)
7:38 PM: Found Adware: forethought
7:38 PM: HKLM\software\microsoft\windows\currentversion\uninstall\treewood\ (2 subtraces) (ID = 1352578)
7:38 PM: Found Adware: dollarrevenue
7:38 PM: HKLM\software\ksr39sj5\ (3 subtraces) (ID = 1390021)
7:38 PM: HKLM\software\microsoft\windows\currentversion\uninstall\s7kqhe\ (2 subtraces) (ID = 1390037)
7:38 PM: HKU\S-1-5-21-1606980848-2000478354-839522115-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:38 PM: Registry Sweep Complete, Elapsed Time:00:00:11
7:39 PM: Starting Cookie Sweep
7:39 PM: Found Spy Cookie: tacoda cookie
7:39 PM: administrator@tacoda[1].txt (ID = 6444)
7:39 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:39 PM: Starting File Sweep
7:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:39 PM: c:\program files\surfsidekick 3 (3 subtraces) (ID = -2147444265)
7:39 PM: c:\windows\zabstract (5 subtraces) (ID = -2147449272)
7:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:40 PM: apiwu.exe (ID = 268934)
7:40 PM: klpagae.exe (ID = 268932)
7:40 PM: Found Adware: mrfindalot hijacker
7:40 PM: tfthot.exe (ID = 315430)
7:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:41 PM: cfg32.exe (ID = 301841)
7:41 PM: ftuninst.exe (ID = 315429)
7:41 PM: oegvh.dat (ID = 268995)
7:41 PM: pnqsmdp.dll (ID = 268933)
7:41 PM: sskbho.dll (ID = 304383)
7:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:42 PM: ssk.exe (ID = 304385)
7:42 PM: Found Adware: fullcontext
7:42 PM: srvpgsnqch.exe (ID = 303274)
7:42 PM: Found Adware: look2me
7:42 PM: en00l1dm1.dll (ID = 159)
7:42 PM: system32tfthot.exe (ID = 315430)
7:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:46 PM: Found Trojan Horse: trojan-dropper-agenthl
7:46 PM: pre.exe (ID = 300247)
7:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:47 PM: temp.frfb00 (ID = 159)
7:47 PM: temp.freeba (ID = 159)
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:48 PM: system32ftuninst.exe (ID = 315429)
7:48 PM: gbe90qs.exe (ID = 315432)
7:48 PM: repairs303169590.dll (ID = 302237)
7:48 PM: Found Adware: zenosearchassistant
7:48 PM: zicorn003.exe (ID = 301896)
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:49 PM: vsl05.exe (ID = 299775)
7:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:54 PM: sskknwrd.dll (ID = 77733)
7:56 PM: Found Adware: visfx
7:56 PM: visfx500.exe (ID = 244295)
7:57 PM: jgrsvu.exe (ID = 268995)
7:57 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || jxvjus (ID = 0)
7:57 PM: HKU\S-1-5-21-1606980848-2000478354-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || fuclw (ID = 0)
7:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:58 PM: zigid003.exe (ID = 300281)
7:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:58 PM: un52.tmp (ID = 304385)
7:59 PM: pf78.exe (ID = 244430)
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: wd7gi8n.exe (ID = 305263)
8:01 PM: uninstall.exe (ID = 301842)
8:06 PM: webnexmk.exe (ID = 299757)
8:07 PM: sskupdater3.exe (ID = 303011)
8:07 PM: vsl.dl_ (ID = 301391)
8:07 PM: stub_sca3.exe (ID = 294169)
8:08 PM: jiub5f27y.hhy (ID = 276229)
8:08 PM: tagasaurus.exe (ID = 244271)
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 PM: temp.fr5ca8 (ID = 159)
8:11 PM: nuoglnt.dll (ID = 159)
8:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: p2p6lc7s1f.dll (ID = 159)
8:14 PM: cfg32a.exe (ID = 301864)
8:14 PM: dmonwv.dll (ID = 268799)
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: cndtc.exe (ID = 268995)
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: sskcore.dll (ID = 304384)
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: f375475937.exe (ID = 268995)
8:16 PM: Found Trojan Horse: trojan-downloader-ac2
8:16 PM: ac2_0004.exe (ID = 273770)
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 PM: i33d.tmp (ID = 253411)
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 PM: temp.fr5850 (ID = 159)
8:17 PM: enn2l15o1.dll (ID = 159)
8:18 PM: njraidsvno.dll (ID = 159)
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:19 PM: ActiveX Shield: found: Adware: surfsidekick, version 1.0.0.0 -- Installation denied
8:19 PM: Warning: Failed to open file "c:\documents and settings\administrator.retestrak\application data\aim\zmhujgct\keokeneko\urlcache\urlcache.dat:kavichs". Access is denied
8:19 PM: Warning: Failed to open file "c:\windows\prefetch\firefox.exe-28641590.pf:kavichs". Access is denied
8:20 PM: Warning: Failed to open file "c:\documents and settings\administrator.retestrak\application data\aim\zmhujgct\keokeneko\userinfo.bag:kavichs". Access is denied
8:20 PM: Warning: Failed to open file "c:\documents and settings\administrator.retestrak\application data\aim\zmhujgct\keokeneko\urlcache\aim2.tmp:kavichs". Access is denied
8:20 PM: oapxtrhxwaio.vbs (ID = 185675)
8:20 PM: Found System Monitor: potentially rootkit-masked files
8:20 PM: xshanna, the she-devil 006 [2005] (bittertek-dcp).md5 (ID = 0)
8:20 PM: shanna, the she-devil 007 p03 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 006 p21 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 006 p06 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 007 p14-15 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: applications.utilities.earthlink totalaccess.earthlink totalaccess.app.contents.sharedsupport.totalaccess setup.app.contents.plugins.setup.bundle.contents.resources.english.lproj.agreement.rtfd.earthlinksetup.ico (ID = 0)
8:20 PM: shanna, the she-devil 007 p07 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 006 p01 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 007 p06 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 007 p04-05 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 007 p19 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 007 p16-17 [2005] (bittertek-dcp).jpg (ID = 0)
8:20 PM: shanna, the she-devil 006 p23 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p14 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p01 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p10 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 cover [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p09 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p22 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p08 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p13 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p15 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p17 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 tag [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p11 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 tag [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p07 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p20 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p22 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p21 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p08 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p16 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 cover [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p19 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p09 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p02 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p11 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p12 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p18 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 007 p20 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p05 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p04 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p12 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p02-03 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p13 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p10 [2005] (bittertek-dcp).jpg (ID = 0)
8:21 PM: shanna, the she-devil 006 p18 [2005] (bittertek-dcp).jpg (ID = 0)
8:23 PM: The Spy Communicat

Edited by gummipanda, 23 June 2006 - 02:11 PM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 24 June 2006 - 07:29 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 gummipanda

gummipanda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 24 June 2006 - 09:46 AM

Thanks Sam, your reply was very helpful :D

----
HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 7:48:33 AM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.RETESTRAK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,klpagae.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

----




Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/24/2006 7:30:03 AM

Infected! C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358647.dll
Infected! C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358648.dll
Infected! C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358655.dll
Infected! C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358656.dll
Infected! C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358657.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358647.dll
C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358647.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358648.dll
C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358648.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358655.dll
C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358655.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358656.dll
C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358656.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358657.dll
C:\System Volume Information\_restore{84B5A239-FDD0-4BA8-AFFA-94DCA03D6B2F}\RP197\A0358657.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

--

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 25 June 2006 - 08:40 AM

I see something else in your log that concerns me.

Download FindQool, extract the files and place the FindQool folder in the root, usually thats C:\
http://downloads.subratam.org/Lon/FindQool.zip
It must be c:\FindQool now to work
Open that folder and run Qlocate.bat
Please post the log that opens up in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 gummipanda

gummipanda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 June 2006 - 10:01 AM

Wow I never knew there was something else in there @___@. Thanks

---




Sun 06/25/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
C:\WINDOWS\IBXYM.DLL
Re-check using dir /a:-d
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
...

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO]
@="{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\system32\userinit.exe,klpagae.exe
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 17/05/2006

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 25 June 2006 - 10:10 AM

I'd like to double check on a couple files that show up.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\IBXYM.DLL
  • Disable your firewall if you are using one.
  • Click on the submit button
  • Reenable your firewall as soon as you get results.
  • Please post the results in your next reply.
Also submit this file. It may no longer be present.

C:\WINDOWS\system32\klpagae.exe
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 gummipanda

gummipanda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 June 2006 - 10:47 AM

Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


---
This is from the second file

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I don't have it in my directory either.

I've realized that my anti-virus program won't open. I'll check again after restart

Edited by gummipanda, 25 June 2006 - 10:54 AM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 25 June 2006 - 10:53 AM

That's a good sign.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,klpagae.exe



Reboot and post a new hijackthis log.
Let me know of any problems that you are still having.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 gummipanda

gummipanda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 June 2006 - 11:03 AM

The "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,klpagae.exe" line was missing

--

Logfile of HijackThis v1.99.1
Scan saved at 9:04:28 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.RETESTRAK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{036AA~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{036AA~1\reboot.ini -l0x9
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [iTouch] C:\Program Files\Logitech\iTouch\iTouch.exe /RegServer
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

---

As an update, the spysweeper shield detected traces of traffmoney.biz but blocked it. I'm not sure if it's still there though. My gmail inbox cannot be viewed, but that is probably caused by something else.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 25 June 2006 - 03:54 PM

There's just one more issue that we need to fix.

Remove a malicious service
  • Click Start -> Run -> (type) services.msc
  • Scroll down and find the service called Remote Procedure Call Service
    • When you find it, double-click on it to open up Properties.
    • Click the Stop button(if available)
    • Change the Startup Type to Disabled.
    • Now hit Apply and then Ok.
  • Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
  • Copy and paste this into the text box and click OK.

    RPCS

  • Close Hijackthis and any other open windows
  • Reboot and post a new hijackthis log.
Let me know of any problems that you are still having.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 gummipanda

gummipanda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 June 2006 - 05:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:07:55 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Administrator.RETESTRAK\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

don't think there are any other serious problems. Thanks alot Sam. I appreciate your work and your public service to the online community. You've done alot for my computer and most likely for many others. If I had a credit card, I'd make a monetary donation but I'm just a poor student soon entering college. Keep up the great work. You have my 100% support :D.

By the way, I made you a little something for helping me out XD haha.

http://img.photobucket.com/albums/v256/keokeneko/sam.jpg

Thanks!

Edited by gummipanda, 25 June 2006 - 05:36 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 26 June 2006 - 08:27 PM

I'm glad I could help out! :thumbsup:

Your log is clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:50 PM

Posted 29 June 2006 - 04:36 PM

As your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users